Also known as: win.phobos, Trojan-Ransom.Win32.Phobos
Variants: Eking, Eight, Elbie, Devos, Faust
Damage potential: Loss of sensitive data, loss of operations, data leaked to the public, fines for a data breach, money lost to ransom, stolen credentials
Phobos is a family of ransomware that emerged as the successor to Dharma ransomware in 2018. Phobos exploits the vulnerabilities of the Remote Desktop Protocol (RDP) to target the Windows servers of small to medium-sized organizations. Compared to other ransomware strains, hackers using Phobos usually request relatively modest ransom payments (around $18,700 on average according to 2023 data). Because of its simplicity, Phobos is a popular ransomware-as-a-service (RaaS) tool for hackers with limited technical ability.
Upon successfully encrypting the victim’s data, Phobos announces itself by launching an HTML version of its ransom note, which includes details on how to contact the hackers and what the consequences of refusal will be. The victim’s data is locked down using AES-256 encryption and renamed to include their unique victim ID, version ID, and extension (such as .HORSEMONEY). Phobos will also delete any discovered backup catalogs, shadow copies, and system snapshots to prevent easy recovery.
Possible indicators of a Phobos infection include:
Your device frequently freezes, stutters, or slows down as Phobos scans local partitions and user shares for files to encrypt.
Your device’s fan seems to be constantly on, even when the device is idle.
Your device periodically sends data to unknown remote servers (Phobos is sending copies of ransomed data to its control servers). However, be aware that Phobos can encrypt files even without an active internet connection.
Sources of infection
Phobos usually enters Windows systems by exploiting the RDP, either by levering stolen (or brute forced) credentials or by sneaking in through open port 3389. Less frequently, hackers use phishing emails with infected attachments to compromise the victim’s device. In both cases, once the malware has infected the victim’s device, it can use the RDP to move laterally within the system and gain access to sensitive information.
Your device may also get infected with Phobos from:
Infected files shared through messaging platforms.
Infected files downloaded from cloud storage or online repositories.
Other viruses that drop Phobos as part of their operations.
Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
Peer-to-peer (P2P) sharing of infected files.
Infected external devices, such as hard drives or USB sticks.
The first step to protecting yourself against Phobos ransomware is closing off port 3389, which Phobos can use to enter the system. If you are using the RDP, make sure you download the latest security patches as soon as they’re released. Furthermore, because Phobos may also be spread through phishing emails, you must always practice good cyber hygiene — learn to identify phishing attempts and never click on suspicious attachments.
You can also take these other protective measures:
Use NordPass to automatically generate, store, and safely fill in complex passwords for your accounts. Strong credentials will prevent hackers from brute forcing their way in.
Use multi-factor authentication to protect your accounts in the event that someone steals your password.
Use NordLocker to regularly back up your files in the cloud. Having secure backups on hand lets you wipe your system and recover your assets without paying the ransom.
Use email scanning tools to identify and automatically block messages with suspicious attachments.
Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Phobos) to your device by exploiting vulnerabilities.
Update your software and operating system to close off vulnerabilities that could be exploited by hackers.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
In the early stages of infection, Phobos may be removed using reliable antivirus software (manual removal will not work because Phobos deploys persistence mechanisms to relaunch itself after a reboot). Once a ransom note has been posted, however, trying to remove Phobos may delete the ransomed data — at this stage, you need to isolate the infected system and perform a factory reset (or a clean installation) to prevent the recurrence of Phobos.