Slashdot Mirror
New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World (zdnet.com)
An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware.
Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.
Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.
Yeah ransomware will encrypt any file shares it can, so push backups are no good. Actual live bad guys also shouldn't have write access to your backups, so pull it is.
Also, I don't want to rely on the box to back itself up because that requires assuming that all of the machines getting backed up are always working correctly. If we're going to assume the computers never have problems, we wouldn't need to back them up in the first place. I prefer the backup system runs on one dedicated system. Additionally that has other benefits, like you don't have 100 machines all trying to push their backups all at once. The backup machine can pull them a few a time, getting each one done more quickly. At least that's how I wrote Clonebox.
Unfortunately for people concerned with Windows ransomware, Clonebox was/is another pull option for *Linux*. There are a few good options I know of, but they are all for Linux/ BSD. That'll work if your Windows is a VM running on a *nix platform. Theoretically the systems made for *nix would work for backing up files from Windows using Windows Subsystem for Linux. The backups probably wouldn't be bootable like they are for Linux, you'd have to restore the files after a fresh install of Windows. That's a reasonable approach, though. About 10 years behind what you can do with Linux, but 10 years behind is about average for Windows when it comes to system capabilities (as opposed to applications).