A new strain of ransomware known as “Phobos” is using the same ransom note employed by Dharma to demand payment from its victims.
Ransomware incident response provider Coveware found that Phobos’ ransom message differs from Dharma’s only in the branding used for its header and footer. Otherwise, the notes are exactly the same.
Both crypto-malware strains also use the same encrypted file name format. Each builds the encrypted file name from the original file name, a unique ID number and an attacker’s email address. Phobos ends this name with the .phobos file extension, while Dharma is known to have used numerous extensions including .xxxxx, .like, .java, .bip, .combo, .arrow, .arena and .gamma.
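As an added example (not code from the article or from Coveware), here is a small triage helper that recognises file names built the way the text describes, original name plus an ID plus an attacker e-mail plus an extension, and groups them by attacker contact so an incident responder can count affected files and distinct contact addresses. The article does not give the exact delimiters, so the bracket and hyphen layout in the regular expression is an assumption, and the file names in the sample are constructed, not real indicators.

```python
import re
from collections import defaultdict

# Extensions named in the article for Phobos and Dharma.
KNOWN_EXTENSIONS = {
    "phobos", "xxxxx", "like", "java", "bip", "combo", "arrow", "arena", "gamma",
}

# Assumed layout (the delimiters are an illustration, not taken from the article):
#   <original name>.id[<ID>].[<email>].<ext>   or   <original name>.id-<ID>.[<email>].<ext>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id[-\[]?(?P<id>[0-9A-Fa-f]{8}(?:-\d{4})?)\]?"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name):
    """Return the components of a ransomware-style file name, or None if it does not match."""
    match = ENCRYPTED_NAME.match(name)
    if match is None:
        return None
    info = match.groupdict()
    # Flag whether the extension is one the article associates with Phobos/Dharma.
    info["known_extension"] = info["ext"].lower() in KNOWN_EXTENSIONS
    return info


def summarize(names):
    """Group matching file names by (attacker e-mail, victim ID).

    The result maps each contact pair to the list of original file names that
    were renamed, which tells a responder how many files were hit and whether
    more than one attacker identity appears on the host.
    """
    groups = defaultdict(list)
    for name in names:
        info = parse_encrypted_name(name)
        if info is not None:
            groups[(info["email"], info["id"])].append(info["original"])
    return dict(groups)


# Constructed sample listing; these names and addresses are not real indicators.
SAMPLE_LISTING = [
    "report.docx.id[1A2B3C4D-1234].[payday@example.com].phobos",
    "budget.xlsx.id-9F8E7D6C.[helpme@example.net].arena",
    "photo.jpg.id[DEADBEEF-0001].[other@example.org].locked",
    "notes.txt",
]

if __name__ == "__main__":
    for contact, files in summarize(SAMPLE_LISTING).items():
        print(contact, "->", files)
```

Running the block on the constructed listing prints one line per contact pair; the plain `notes.txt` entry is ignored, and the `.locked` file is still parsed but reported with `known_extension` set to False, which is the case to review by hand.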
That’s not the only similarity Phobos shares with Dharma, either. The two ransomware families use the same cut-and-paste response when a victim first contacts the digital attackers using an email address provided in the ransom note. Additionally, both emails offer victims a paid “service” as a way of extracting even more money from them. As quoted by Coveware in a blog post:
we also offer service to you. full of advice for protecting against attacks? – the price of 0.1 BTC, and remember our work is very hard. and it requires a lot of time and costs.
To Coveware’s knowledge, no victim has taken up the attackers on this offer as of yet.
The two ransomware families do differ from one another in some respects, however. As noted by ransomware researcher Michael Gillespie on Bleeping Computer’s support forums, the file markers of the two crypto-malware strains do in fact differ in structure.
Phobos has been active since mid-December 2018, and it’s likely this threat will remain active as 2019 wears on. Recognizing this likelihood, it’s important that organizations protect themselves against new and old ransomware strains. Here are some expert tips that they can use to prevent an infection.