Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World (zdnet.com)

Posted by BeauHD on from the cut-and-paste-ransomware-variants dept.

An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware.

Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.

30 comments

  1. Re: HEIL HITLER! by Anonymous Coward · · Score: 0

    Let us end that nasty oxygen habit you have before it becomes permanent.

  2. Typical! by nightfire-unique · · Score: 3, Funny

    Another malware author who rudely refuses to build a Linux port!

    --
    A government is a body of people notably ungoverned - AC
    1. Re: Typical! by Anonymous Coward · · Score: 0

      Because Linux is gay. Even cybercriminals have standards.

  3. Re:Windows only. Check. by c-A-d · · Score: 2

    I just installed windows 10 under virtualbox. Once I installed what I needed, I set it to "host-only" networking. That's how you secure a windows box: keep it off of the internet.

    --
    some karma... and kinda lukewarm about it.
  4. Time for a next gen backup utility? by ctilsie242 · · Score: 2

    With all these ransomware products coming out, I've wondered why backup utilities have not evolved much. The ideal backup utility would be one that is "pull" based, where the client machine has zero access to the backup data. The closest would be something like CrashPlan or Mozy that doesn't allow access to the client, and the next closest would be something like Borg Backup backing up to a server in append only mode.

    Unlike most IT disasters where backing up to a file share or a S3 bucket is good enough, ransomware means that you have to ensure the client can only append data.

    1. Re:Time for a next gen backup utility? by Bongo · · Score: 1

      Yes I was glad my little solution in the department was to have backup machines do rsync over ssh to pull data off the clients. And for storage put it in ZFS.

    2. Re:Time for a next gen backup utility? by chuckugly · · Score: 1

      Just revert the NAS to the most recent unenciphered snapshot?

  5. Yep. Options for Linux if your Windows is a VM by raymorris · · Score: 3, Informative

    Yeah ransomware will encrypt any file shares it can, so push backups are no good. Actual live bad guys also shouldn't have write access to your backups, so pull it is.

    Also, I don't want to rely on the box to back itself up because that requires assuming that all of the machines getting backed up are always working correctly. If we're going to assume the computers never have problems, we wouldn't need to back them up in the first place. I prefer the backup system runs on one dedicated system. Additionally that has other benefits, like you don't have 100 machines all trying to push their backups all at once. The backup machine can pull them a few a time, getting each one done more quickly. At least that's how I wrote Clonebox.

    Unfortunately for people concerned with Windows ransomware, Clonebox was/is another pull option for *Linux*. There are a few good options I know of, but they are all for Linux/ BSD. That'll work if your Windows is a VM running on a *nix platform. Theoretically the systems made for *nix would work for backing up files from Windows using Windows Subsystem for Linux. The backups probably wouldn't be bootable like they are for Linux, you'd have to restore the files after a fresh install of Windows. That's a reasonable approach, though. About 10 years behind what you can do with Linux, but 10 years behind is about average for Windows when it comes to system capabilities (as opposed to applications).

    1. Re:Yep. Options for Linux if your Windows is a VM by msc.buff · · Score: 1
      I use BackupPC running on a FreeBSD box with ZFS for all my backup needs. Each client gets rsync setup as a service and gets backed up daily. I use cygwin for Windows clients but the configuration is pretty standard from client to client.

      I have a separate FreeBSD box for off-site backups and stream ZFS snapshots from the BackupPC machine weekly. The whole setup has a few manual steps but that keeps me connected to the process and more likely to catch any problems before they get out of control.

  6. Does it hit "targets"? by turbidostato · · Score: 1

    ...or, once again, and I lost the count, does it hit "Windows targets"?

  7. "Pull" is the answer, so is Linux by Anonymous Coward · · Score: 1

    On Unix-based OSes, this is how things have been done for decades.

    $ sudo rdiff-backup --exclude-special-files root@remote:/ /Backups/remote

    This will use an ssh connection to the remote system, connecting as root (need to allow that, but only from the backup server), and "pull" the backups to the backup server. Make "remote" into a variable, add a loop, and you are backing up 20 systems overnight. After the first time, backups generally take 3-6 minutes for each system, depending on changed data amounts.

    Need to remove some older backups as new ones are added.

    $ sudo rdiff-backup --force --remove-older-than 180D /Backups/remote

    There are ways to make this smarter, not bother backing up the core OS, things like that. With this technique, it takes 30-45 min to put system back to the same state, same settings, same applications, and core data. Obviously, if you have 500GB of data, getting all that back takes longer, but the core system would back and available.

    Windows people are so funny. Worrying over trivial things.

    Backups are mostly about dealing with backup storage for Unix people.

    And you don't have to pay for any software and pray that it actually works. Saw a backup validation article a few years ago that showed just over 90% of the Windows backup tools, all paid, didn't actually restore the system to the same state. WTF!!!

    1. Re:"Pull" is the answer, so is Linux by ctilsie242 · · Score: 1

      Technically, UNIX people have been using dump and tar for backups. rdiff-backup is an exception, and there are other utilities like Borg Backup which, when combined with a basic server setup, can ensure that the client can only append. rdiff-backup's downside is that one can erase everything in /Backups/remote.

      We are talking ransomware. In the past, dumping to a NFS volume, zfs send, or chucking data to a server via SSH was good enough. Now, we have to have a barrier in place to prevent clients from overwriting existing backups in case they are compromised. As a stopgap, one can always have a NFS volume that does snapshots, so a backup overwritten can be recovered, but on the long haul, that isn't feasible, especially if ransomware slowly corrupts files over time on the backup server, so the point where things started would be impossible to find.

  8. RDP by jbmartin6 · · Score: 1

    "In its alert, the FBI mentions that the number of computers with an RDP connection left accessible on the Internet has gone up since mid and late 2016." Good grief. Imagine how much worse it would be if we didn't have ransomware authors acting as our chaos monkey.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:RDP by chuckugly · · Score: 1

      That's sort of boggling. If I'm thinking about this correctly, it means that there are people out there who know enough to forward a port or two, but who don't know enough to know that's a bad idea. Wow.

    2. Re:RDP by tlhIngan · · Score: 1

      That's sort of boggling. If I'm thinking about this correctly, it means that there are people out there who know enough to forward a port or two, but who don't know enough to know that's a bad idea. Wow.

      No, it's not amazing or boggling. I can show a clueless newbie how to do something involving ssh if I wanted - all that matters is what the newbie gets out of it. If i tell them it's a way to get unlimited movies and music for free, they'd probably follow my instructions and I can get them to set up ssh-server and all that on Linux.

      It's not hard, as long as they get a payoff they want, and you write baby step clear instructions with plenty of screenshots and all that. You can get them to open ports, use ssh, set up ssh server, etc.

      It's actually got a term for it - Dancing Bunnies (or Dancing Pigs).

      Unless you go with an iOS-like lockdown attitude, no OS is safe.

    3. Re:RDP by chuckugly · · Score: 1

      Still shows a shocking paranoia deficiency to me. Maybe it's just me.

    4. Re:RDP by Anonymous Coward · · Score: 0

      It's port 137 all over again...