Rewterz Threat Alert – Phobos Ransomware – Active IOCs

Severity

High

Analysis Summary

Phobos Ransomware is based on the Dharma malware that first appeared at the beginning of 2019. It spreads into several systems via compromised Remote Desktop Protocol (RDP) connections. This malware does not use any UAC bypass methods. Unlike other cybercrime gangs that go after big hunts, Phobos creators go after smaller firms that don’t have sufficient funding to pay massive ransoms. This ransomware usually targets healthcare providers, with victims in the United States, Seychelles, Portugal, Brazil, Indonesia, Germany, Romania, and Japan. Its perpetrators demand a little ransom payment, which appeals to victims and enhances the chances of payment. The average Phobos ransom payment in July 2021 was $54,700.

Impact

• File Encryption
• Data Exfiltration

Indicators of Compromise

MD5

• e8a5392f6773a3cfda23fc0b9ea09749
• 14214f7904102bb6747d0e31a50c08d3

SHA-256

• f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1
• 2dcaca208625860f4eb114af4c4158368284eb99c994793d5ac66d3af654bf5f

SHA1

• 791fa78b31f640830d37ec92bae5dac67b15db9a
• a89974390c9c03495e631f6dca4ae54d044d0941

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.