Newly discovered Phobos Ransomware shares similarities with Dharma ransomware

• Phobos ransomware is distributed by the threat actor group behind Dharma ransomware.
• Phobos ransomware exploits weak RDP ports to sneak inside networks and execute a ransomware attack.

A new strain of ransomware dubbed Phobos has been spotted targeting businesses worldwide since mid-December. This ransomware shares similarity with Dharma ransomware. Like Dharma, Phobos ransomware exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack.

Similarities with Dharma ransomware

Researchers from CoveWare described the similarities between Phobos and Dharma ransomware in a blog. The researchers explained that, just like Dharma, Phobos ransomware also exploits weak Remote Desktop Protocol (RDP) ports to slide inside networks and execute a ransomware attack. It encrypts files with a .phobos extension and demands a ransom payment in bitcoin for decrypting the files.

Both Phobos and Dharma use the same ransom note, however, Phobos ransomware adds its name ‘Phobos’ to the top and bottom of the ransom note. Otherwise, the text, code, and composition are identical to Dharma including the encrypted file name format.

“Both types of ransomware draw their lines from the CrySis ransomware family and commonly used AV software will identify a Phobos executable sample as CrySis,” researchers wrote in the blog.

Researchers describe this as ‘largely cut and paste variant of Dharma’. The slight difference researchers noted is that the file marker structure of Phobos is different from Dharma variants. Moreover, researchers suspect that Phobos ransomware is distributed by the threat actor group behind Dharma ransomware.

“What is clear is that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes, and communications remain nearly identical to Dharma, researchers concluded.

Recommendations

• Organizations can protect themselves from ransomware attacks by securing their RDP ports as Phobos ransomware and other Dharma variants primarily distribute by exploiting weak RDP ports.
• Also, it is recommended to regularly backup data, so that, in case of ransomware attack, it's possible to restore systems without paying the ransom.