Beware of the Imposter: Phobos Ransomware Poses as VX-Underground

In the ever-evolving landscape of cybersecurity threats, ransomware remains a persistent and formidable adversary. Recently, Qualys Threat Research uncovered a cunning tactic employed by the Phobos ransomware family. This malicious software, known for its relentless encryption of victims’ data, has taken to masquerading as VX-Underground, a reputable open-source community dedicated to combatting malware.

Phobos ransomware

The Phobos ransomware disguises itself as AntiRecuvaAndDB.exe, a seemingly harmless file associated with Recuva, a popular data recovery tool. This deceptive approach lulls unsuspecting users into a false sense of security, allowing the ransomware to infiltrate their systems undetected.

To further conceal its presence, the Phobos ransomware employs UPX Packer, a tool commonly used to compress executable files. This technique makes it more challenging for security solutions to identify and neutralize the threat.

Upon unpacking the Phobos ransomware, its true nature becomes evident. The malware exhibits clear indicators linking it to the CrySIS and Dharma malware families, both notorious for their destructive capabilities.

Phobos ransomware demonstrates a meticulous approach to its malicious operations. It checks whether the Cyrillic alphabet is present on the infected system and halts execution if it is. This tactic is likely intended to avoid compromising Russian-language systems, potentially due to the malware’s origin or the threat actors’ strategic considerations.

Before embarking on its encryption spree, Phobos ransomware actively terminates a list of specific processes, including those associated with antivirus software and data backup tools. This ruthless act aims to eliminate any potential obstacles that could hinder its scheme of holding data hostage.

In a bid to prevent victims from restoring their files from backups, Phobos ransomware executes commands to delete shadow copies and disable Windows Recovery features. These actions leave victims with limited options for retrieving their data without succumbing to the ransom demands.

To further solidify its hold on the compromised system, Phobos ransomware disables Windows Firewall, rendering the system more vulnerable to subsequent attacks. This tactic highlights the malware’s intent to maintain control and maximize its impact.

Impersonating Ransom Pop-Up | Image: Qualys Threat Research

Once the encryption process is complete, Phobos ransomware leaves its mark by appending the “.VXUG” extension to encrypted files. This extension, resembling the abbreviation for VX-Underground, serves as a deceptive signature, furthering the malware’s masquerade.

To ensure its longevity, Phobos ransomware replicates its executable file in the Startup directory and modifies the Run registry key. These actions ensure that the malware resurfaces when the system restarts, perpetuating its hold on the infected system.
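As an added defender-side illustration (not code from the Qualys report), the Python below scores constructed Sysmon-style telemetry for the behaviours described above: shadow-copy deletion, disabling recovery and the firewall, Run-key and Startup-folder persistence, and the .VXUG extension. The exact command lines, pids and paths are assumptions typical for this family, not values quoted in the report.

```python
import re
from collections import defaultdict

# Behaviour rules. The command lines are assumed typical for this family (the
# write-up names the actions, not the commands); labels use MITRE ATT&CK ids.
PROCESS_RULES = [
    ("T1490 shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 recovery disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no", re.I)),
    ("T1562.004 firewall disabled", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def classify(event):
    """Return the behaviour label for one telemetry event, or None."""
    if event["type"] == "process":
        for label, pattern in PROCESS_RULES:
            if pattern.search(event["cmdline"]):
                return label
    elif event["type"] == "registry" and RUN_KEY.search(event["key"]):
        return "T1547.001 Run key persistence"
    elif event["type"] == "file":
        if STARTUP_DIR.search(event["path"]):
            return "T1547.001 Startup folder persistence"
        if event["path"].upper().endswith(".VXUG"):
            return "file renamed with .VXUG extension"
    return None

def detect(events, threshold=2):
    """Credit spawned commands to their parent and writes to the writer; flag pids with >= threshold distinct behaviours."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            owner = ev["ppid"] if ev["type"] == "process" else ev["pid"]
            hits[owner].add(label)
    return {pid: sorted(v) for pid, v in hits.items() if len(v) >= threshold}

# Constructed sample telemetry (hypothetical pids and paths, Sysmon-like shape).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1200, "cmdline": r"C:\Users\alice\Downloads\AntiRecuvaAndDB.exe"},
    {"type": "process", "pid": 4133, "ppid": 4120, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 4140, "ppid": 4120, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "pid": 4151, "ppid": 4120, "cmdline": "netsh advfirewall set currentprofile state off"},
    {"type": "registry", "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AntiRecuvaAndDB.exe"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\alice\Documents\report.docx.VXUG"},
    {"type": "process", "pid": 5001, "ppid": 1200, "cmdline": "vssadmin list shadows"},  # benign admin check
]
```

Running `detect(SAMPLE_EVENTS)` flags only pid 4120 with all six behaviours; a lone `vssadmin list shadows` or a single Run-key write by an installer stays below the threshold.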

To heighten the victim’s distress, Phobos ransomware distributes ransom notes in both HTA and TXT formats. The HTA version appears as a pop-up, injecting a sense of urgency and prompting the victim to act swiftly.

Text Ransom Note | Image: Qualys Threat Research

The Phobos ransomware’s ability to impersonate VX-Underground underscores the ever-evolving tactics employed by cybercriminals. Organizations and individuals must remain vigilant, employing robust cybersecurity measures to safeguard their data. Regular backups, up-to-date security software, and employee education are crucial in mitigating the risk of ransomware attacks. By staying informed and adopting proactive measures, we can remain one step ahead of these evolving threats and protect our valuable data from the clutches of ransomware.