Phobos Ransomware Distributed by Dharma Crew

Phobos Ransomware, A Combo of CrySiS and Dharma

A new strain of ransomware has been impacting businesses globally since mid December.  The ransomware, dubbed Phobos by the distributors (possibly after the greek god of fear), shares both technical and operational similarities to several recent Dharma variants.  The attack vectors being leveraged by Phobos distributors are well worn, open or weakly secured RDP ports. As usual, the attacks are exacerbated when companies either have no backups, or have not properly partitioned them from the network with strong administrative controls.  

Rebranded Dharma Ransom Note and Same Encrypted File Extension Format

Most ransomware leaves behind an obvious ransom note so that the victim can find it and contact the hacker. Typically, these notes vary significantly depending upon the ransomware strain. However, both Dharma and Phobos use the same ransom note. The only observable difference is that Phobos added a bit of branding to the top and bottom as seen in the below image.

Phobos Ransomware Note is similar to a Dharma Note

Phobos Ransomware Note is similar to a Dharma Note

Other than that, the text and composition is identical.  The encrypted file name format is also the same as Dharma variants. It is constructed by concatenating the original file name, a unique ID number, hacker email, and the .phobos file extension.

Emails Offer Security Advice when Paying for Decryption Keys

When a victim of ransomware contacts the email address in the ransom notice to negotiate, the first response elicited is often a cut and paste standard response. The first response from Phobos is a verbatim match to first responses of several Dharma variants including .bip, .gamma, and .adobe.  This group’s first responses are unique in that they offer a friendly ‘upsell’, in addition to extorting the victim for safe decryption of data.

“we also offer service to you. full of advice for protecting against attacks? – the price of 0.1 BTC, and remember our work is very hard. and it requires a lot of time and costs.”

The above phrase is at the end of the first response email, and offers security advice for the low low price of 0.1 BTC.  This phrase has been consistent across Dharma variants and Phobos. To our knowledge, no one has taken them up on this generous offer.  

Technically, Phobos Ransomware is only Slightly Different from Dharma

Topically, Phobos appears to a largely cut+paste variant of Dharma.. However, from a technical perspective, Phobos carries some subtle differences from active Dharma variants. Both type of ransomware draw their lines from the CySis ransomware family and commonly used AV software will identify a Phobos executable sample as CrySis. The differences observed in a  recent analysis by @Demonslay335 note that the file marker structure of Phobos is significantly different from Dharma variants. What is clear is that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes and communications remain the nearly identical to Dharma.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:

Avatar photo

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 72 posts and counting.See all posts by bill-siegel