Apparently, cyber attackers also consider imitation to be the sincerest form of flattery

Cyber attackers

An ambitious, but apparently unoriginal, cybercrime gang is taking responsibility for a rash of malware attacks that began just prior to the Christmas holidays. They’ve named it Phobos, ostensibly taken from the name given to the personification of fear in Greek mythology. Apparently, fear wasn’t granted god status by the ancient Greeks.

The gang, which apparently forgot to name itself, was inspired by two (2) earlier and very prolific attacks: Dharma and CrySiS, the origin and meaning of its name pretty self-explanatory. But it’s obvious to the security professionals that the gang is only flattering itself—they have no doubt that the same band of reprobates is behind all three (3) attacks.

Dharma

Like Dharma, Phobos preys on open or poorly secured RDP (Remote Desktop Protocol) ports. From these weakened RDPs, Phobos sneaks and slithers into networks and launches the ransomware attack, where it begins encrypting files. It can affect files on local, mapped network and virtual machine drives.

Because it’s called ransomware, victims are soon left with this decision—should I, or shouldn’t I, pay to access my affected files, which will be locked with the .phobos extension. And, as it usually the case, they want payment in Bitcoin, the currency of choice for launchers of ransomware. (Here’s a not-so-subtle tip: DON’T PAY. It only supports and exacerbates the crime.)

It’s obvious that Phobos is Dharma-inspired—the ransom note appears exactly like the one (1) that was used by Dharma, text and typeface, and all. In addition, most of Phobos’ code is identical to Dharma’s; it’s basically a cut and paste version of the latter. And, really, why wouldn’t it mimic Dharma? In the cybercrime world, Dharma is probably 2018’s MVP in the ransomware division. Or, at the very least, it’s on the all-star team; it was arguably the most damaging ransomware of the year.

CrySiS

To prevent hurt feelings, the developers of Phobos borrowed from CrySiS, as well. Phobos is so similar to it that anti-virus software often detects Phobos as CrySis. The variants between the two (2) are so slight that many in the security industry refer to them interchangeably. Technically, though, they’re relatives, and are part of the same sinister crime family.

How are they finding victims’ RDP ports?

Sadly, there’s a marketplace for everything, even RDP ports. On underground cybercrime forums, expansive lists of RDP ports are advertised for sale at bargain basement rates. They’ve been collected by attackers via brute-force attacks, or, in many cases, by playing a game of “Guess the RDP Port.”

Secure ports, backup data, repeat often

To help mitigate the risks of falling victim to ransomware, all RDP ports must be secured with passwords. Not doing so means a simple tap on the [enter] key unlock the gate. And, of course, back up data on a regular basis.  

 If you’re already a ransomware victim, you can go to ID Ransomware and upload one (1) of the encrypted, affected files. They’ll tell you which strain you’ve been infected with, and there are probably more than you’d imagined. Currently, ID Ransomware can identify over six hundred (600) different strains of it.

Ransomware is more than locking victims’ files. By the time they realize their files have been locked, the cybercriminals may have been traipsing about networks for weeks or months—maybe longer. The ransomware may simply be their coup de grace, launched only after they’ve downloaded as much of the victim’s information as they deem worthwhile.

They’re Security Experts

To find out how to secure your organization’s network and protect mission critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.

Author

Share this article

You might also like:

Are your security tools working for you? Choosing the right tools plays a critical role in your organization’s success. But the unfortunate reality is that selecting, implementing, and integrating tools is easier in theory than in practice. All too often, I see organizations juggling disconnected tools, drowning in alerts, and

I recently attended the HIMSS conference, and unsurprisingly, the primary topic of discussion centered on AI. The big question on everyone’s minds: What is agentic AI, and how is it being used in the healthcare industry? AI integration is becoming increasingly crucial in healthcare, particularly for automating workflows and enhancing

As businesses look to boost productivity, many are turning to Microsoft Copilot. This AI-powered productivity capability is embedded into Microsoft 365 applications like Word, Excel, and PowerPoint, tools most employees already know. This familiarity promises a more friction-free experience from an employee onboarding perspective. When implemented successfully, it can automate