
Apparently, cyber attackers also consider imitation to be the sincerest form of flattery

By Richard Arneson

Phobos: the personification of the fear of ransomware

An ambitious, but apparently unoriginal, cybercrime gang is taking responsibility for a rash of malware attacks that began just prior to the Christmas holidays. They’ve named it Phobos, ostensibly taken from the name given to the personification of fear in Greek mythology. Apparently, fear wasn’t granted god status by the ancient Greeks.

The gang, which apparently forgot to name itself, was inspired by two (2) earlier and very prolific attacks, Dharma and CrySiS, so the origin and meaning of its name are pretty self-explanatory. But it’s obvious to security professionals that the gang is only flattering itself—they have no doubt that the same band of reprobates is behind all three (3) attacks.

Dharma

Like Dharma, Phobos preys on open or poorly secured RDP (Remote Desktop Protocol) ports. From these weakened RDPs, Phobos sneaks and slithers into networks and launches the ransomware attack, where it begins encrypting files. It can affect files on local, mapped network and virtual machine drives.

Because it’s called ransomware, victims are soon left with this decision—should I, or shouldn’t I, pay to access my affected files, which will be locked with the .phobos extension? And, as is usually the case, they want payment in Bitcoin, the currency of choice for launchers of ransomware. (Here’s a not-so-subtle tip: DON’T PAY. It only supports and exacerbates the crime.)

It’s obvious that Phobos is Dharma-inspired—the ransom note appears exactly like the one (1) that was used by Dharma, text and typeface, and all. In addition, most of Phobos’ code is identical to Dharma’s; it’s basically a cut and paste version of the latter. And, really, why wouldn’t it mimic Dharma? In the cybercrime world, Dharma is probably 2018’s MVP in the ransomware division. Or, at the very least, it’s on the all-star team; it was arguably the most damaging ransomware of the year.

CrySiS

To prevent hurt feelings, the developers of Phobos borrowed from CrySiS, as well. Phobos is so similar to it that anti-virus software often detects Phobos as CrySiS. The differences between the two (2) are so slight that many in the security industry refer to them interchangeably. Technically, though, they’re relatives, and are part of the same sinister crime family.

How are they finding victims’ RDP ports?

Sadly, there’s a marketplace for everything, even RDP ports. On underground cybercrime forums, expansive lists of RDP ports are advertised for sale at bargain basement rates. They’ve been collected by attackers via brute-force attacks, or, in many cases, by playing a game of “Guess the RDP Port.”

Secure ports, backup data, repeat often

To help mitigate the risks of falling victim to ransomware, all RDP ports must be secured with passwords. Not doing so means a simple tap on the [enter] key unlocks the gate. And, of course, back up data on a regular basis.
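Requiring passwords is the first step; the second is noticing the password guessing described above before the guess succeeds. The following is an added example, not code from the original post: it scans Windows Security-log logon events for a source that piles up RDP failures inside a short window and then logs on successfully. Event IDs 4625/4624 and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security-log values: failed/successful logon, RemoteInteractive (RDP) logon type.
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample events (already parsed out of the event XML), not real telemetry.
SAMPLE_EVENTS = [
    # six failures in one minute from a single source, then a success: the guess worked
    *[{"time": f"2018-12-20T02:00:{s:02d}", "id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
       "src_ip": "198.51.100.7", "user": "administrator"} for s in range(0, 60, 10)],
    {"time": "2018-12-20T02:01:30", "id": SUCCESS_LOGON, "logon_type": RDP_LOGON_TYPE,
     "src_ip": "198.51.100.7", "user": "administrator"},
    # a user mistyping twice: well under the threshold, no alert
    {"time": "2018-12-20T09:00:00", "id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
     "src_ip": "10.0.0.25", "user": "jsmith"},
    {"time": "2018-12-20T09:00:20", "id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
     "src_ip": "10.0.0.25", "user": "jsmith"},
    # a console failure (logon type 2) is not RDP and is ignored
    {"time": "2018-12-20T09:05:00", "id": FAILED_LOGON, "logon_type": 2,
     "src_ip": "-", "user": "jsmith"},
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {"failures": n, "alert": bool, "success_after_alert": bool}}.
    'alert' is set once `threshold` RDP failures from one source fall inside
    `window`; 'success_after_alert' when that source later logs on over RDP,
    which is the foothold the post describes and the case to escalate first."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    report = defaultdict(lambda: {"failures": 0, "alert": False, "success_after_alert": False})
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src, ts = ev["src_ip"], datetime.fromisoformat(ev["time"])
        if ev["id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that aged out of the sliding window
                q.popleft()
            report[src]["failures"] += 1
            if len(q) >= threshold:
                report[src]["alert"] = True
        elif ev["id"] == SUCCESS_LOGON and src in report and report[src]["alert"]:
            report[src]["success_after_alert"] = True
    return dict(report)

if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

In production the same logic runs over events pulled from the Security log (for example via the Windows event-forwarding pipeline already feeding a SIEM), with the threshold and window tuned to the environment's normal failure rate.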

If you’re already a ransomware victim, you can go to ID Ransomware and upload one (1) of the encrypted, affected files. They’ll tell you which strain you’ve been infected with, and there are probably more than you’d imagined. Currently, ID Ransomware can identify over six hundred (600) different strains of it.

Ransomware is more than locking victims’ files. By the time they realize their files have been locked, the cybercriminals may have been traipsing about networks for weeks or months—maybe longer. The ransomware may simply be their coup de grace, launched only after they’ve downloaded as much of the victim’s information as they deem worthwhile.

They’re Security Experts

To find out how to secure your organization’s network and protect mission critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.
