Phobos, the Most Common Ransomware Affecting Small Business

With cyberattacks increasing day in and day out, affecting companies of all sizes around the world, it is safe to say that no cybersecurity policy can eliminate the risk entirely. At the same time, attackers have refined their methods, mounting more sophisticated attacks and succeeding in breaching networks that were thought to be secure.

With that in mind, remember that cybersecurity is an ever-evolving arms race. Keeping your company secure by installing certain software and hardware is only half the battle. Small businesses sit in a space where they become the target of some of the most prolific ransomware families in circulation.

What is Phobos ransomware and why should you even care?

Phobos is the ransomware family a typical small business is most likely to meet. Most Phobos attacks begin with an exploited Remote Desktop Protocol (RDP) service exposed to the internet. In some instances Phobos is instead delivered through social engineering tactics, such as email attachments or social media messages.

The name Phobos comes from the Greek word for fear, which is fitting: it spreads fear and terror among small businesses when their entire data set is encrypted with AES-256 and the key is held by the attacker.

How does Phobos ransomware spread?

What makes Phobos distinctive is that its affiliates rely mainly on automated tooling to find and attack victims. This is unlike more targeted operations such as Sodinokibi (REvil) and Ryuk, whose operators pick their victims and spend far more effort breaching high-value networks.

Typically, Phobos attackers use a tool that scans the entire internet for hosts exposing Remote Desktop (TCP port 3389). When a scan finds a host that looks exploitable, they run brute-force or dictionary attacks against its logins until a password works. No software vulnerability is required: a weak or reused password on an internet-facing RDP service is all the access they need.

As of late 2019, Phobos accounted for roughly 10% of the global ransomware market and regularly ranked among the top three variants used by cybercriminals.

Why is Phobos gaining traction in the dark web?

Ever heard of an affiliate model, where affiliates earn a commission for each sale they generate for a business? The same holds for Phobos, which operates on a Ransomware-as-a-Service (RaaS) model.

In practice this means that criminals with little or no technical ability to write malware can still mount somewhat successful attacks, using the ready-made payload and tooling that come with the service.

Phobos scans your data and encrypts files associated with productivity, such as Office documents, spreadsheets, PowerPoint presentations and more. Encrypted files are renamed with the .phobos extension (the full suffix also carries a victim ID and the attacker's contact address), and the data cannot be read without the decryption key.

How do I know I’ve been hit with a Phobos ransomware attack?

Like many other ransomware families, Phobos tampers with the system's recovery features, deleting shadow copies and local recovery points so that you cannot restore from them, and then encrypts the entirety of your data with AES-256.

Here are some indications of a Phobos attack:

  • Files have been renamed with a new extension ending in .phobos and no longer open
  • A ransom note appears on the desktop and in the encrypted folders
  • Your system behaves abnormally or fails to reboot cleanly
  • Your antivirus has been turned off
  • Your computer is extremely sluggish and barely responds to commands while the encryption runs
  • Your firewall has been disabled
  • You are unable to restore from shadow copies or local backup files, because they have been deleted.
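Before any of the indicators above appear, the brute-force phase described earlier leaves its own trail: a burst of failed logons (Windows Security event 4625) from one source address. The script below is an added example for this article, not code from the original page or from any vendor; it flags that pattern from event data. The threshold of 20 failures in 5 minutes is an assumption to tune, and the sample records are constructed inline so the logic runs without a live event log.

```powershell
# Added example: detect RDP password guessing from Security event 4625 (failed logon).
# Threshold and window are assumed values; adjust to your environment.

function ConvertFrom-Event4625 {
    # Flatten live 4625 records from Get-WinEvent. With Network Level Authentication on,
    # RDP failures are often logged as LogonType 3 (network) rather than 10
    # (RemoteInteractive), so both are kept.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $field = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['LogonType'] -in '3', '10') {
            [pscustomobject]@{
                Time      = $Record.TimeCreated
                IpAddress = $field['IpAddress']
                User      = $field['TargetUserName']
                LogonType = [int]$field['LogonType']
            }
        }
    }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $Threshold = 20,       # failed logons from one address ...
        [int] $WindowMinutes = 5     # ... within this sliding window (assumed values)
    )
    $hits = @()
    foreach ($group in ($Failures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    IpAddress   = $group.Name
                    Failures    = $count
                    WindowStart = $times[$i]
                    Users       = ($group.Group.User | Sort-Object -Unique) -join ','
                }
                break   # one alert per source address is enough
            }
        }
    }
    $hits
}

# Constructed sample: 30 failures from one address in two minutes, cycling through
# common account names, plus three unrelated failures from a legitimate user.
$start  = Get-Date '2024-01-15T03:00:00'
$sample = @()
0..29 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $start.AddSeconds($_ * 4); IpAddress = '203.0.113.7'
                                  User = @('administrator', 'admin', 'backup')[$_ % 3]; LogonType = 10 }
}
0..2 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $start.AddMinutes($_ * 20); IpAddress = '198.51.100.9'
                                  User = 'jsmith'; LogonType = 10 }
}
Find-RdpBruteForce -Failures $sample | Format-Table   # reports only 203.0.113.7

# Against the live Security log (last 24 hours), from an elevated session:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-Event4625 | Find-RdpBruteForce | Format-Table
```

On a host that has already been hit, the interesting record is usually the single successful logon (event 4624) from the same address that follows the burst; the address reported here is the place to start looking for it.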

What can I do to protect my system from Phobos ransomware?

While there is never a surefire way to remain 100% safe online, you can certainly reduce your chances of being compromised. We recommend that IT managers and small businesses take the following precautionary measures:

  • Close inbound access to RDP (TCP port 3389) at the perimeter if your organization isn't using it; the longer it stays exposed, the greater the chance of an attack
  • If you must keep RDP, require Network Level Authentication, restrict the source addresses allowed to reach it, and enforce an account lockout policy so that dictionary attacks stall
  • Use updated antivirus software and a firewall
  • Use long, unique passwords (mixed case, digits and symbols) and never reuse them across accounts
  • Enforce two-factor authentication
  • Have an emergency backup plan, with at least one copy offline or otherwise unreachable from the network, since Phobos deletes the backups it can reach
  • Use a VPN to reach corporate RDP servers instead of exposing them directly
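The RDP-related items in the list above are a handful of settings on each Windows host. The script below is an added example written for this article, not the page's own or Microsoft's code: it first reports the weak configuration (RDP allowed, no NLA, firewall rules open to any address), then applies the hardened one. The management subnet, the `$RdpNeeded` switch and the lockout values are assumptions to adapt; run it in an elevated PowerShell session.

```powershell
# Added example: audit and harden RDP exposure on a Windows host (run elevated).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # The weak state this article warns about: RdpEnabled and Listening3389 true,
    # NlaRequired false, and firewall rules that accept any remote address.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
             Where-Object Enabled -eq 'True'
    [pscustomobject]@{
        RdpEnabled    = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
        NlaRequired   = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
        Listening3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        AllowedFrom   = ($rules | Get-NetFirewallAddressFilter |
                         Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
    }
}

'--- before ---'; Get-RdpExposure | Format-List

$RdpNeeded        = $false          # assumption: set $true only for hosts that truly need RDP
$ManagementSubnet = '10.0.0.0/24'   # assumption: the VPN / admin range allowed to reach RDP

if (-not $RdpNeeded) {
    # Host does not need RDP: deny connections and disable the inbound firewall rules.
    Set-ItemProperty $ts -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # Host needs RDP: require NLA so credentials are checked before a session is built,
    # and narrow the inbound rules from "Any" to the management subnet only.
    Set-ItemProperty $tcp -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet -Enabled True
}

# Blunt the dictionary attack itself: 5 failures lock the account for 30 minutes
# (assumed values; a domain-joined host takes these from Group Policy instead).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

'--- after ---'; Get-RdpExposure | Format-List
```

The audit function is worth keeping on its own: run it across the fleet and any host reporting `AllowedFrom` as `Any` with `Listening3389` true is exactly what the scanners in the earlier section are looking for.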

Final Thoughts

Phobos is a highly dangerous ransomware family affecting businesses of all sizes. Hire a cybersecurity company like Beforecrypt.com to develop a comprehensive cybersecurity plan and to help with Phobos ransomware recovery.