New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World

An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware.

Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.

Typical!

[nightfire-unique]

Another malware author who rudely refuses to build a Linux port!

Re:Windows only. Check.

[c-A-d]

I just installed windows 10 under virtualbox. Once I installed what I needed, I set it to "host-only" networking. That's how you secure a windows box: keep it off of the internet.

Time for a next gen backup utility?

[ctilsie242]

With all these ransomware products coming out, I've wondered why backup utilities have not evolved much. The ideal backup utility would be one that is "pull" based, where the client machine has zero access to the backup data. The closest would be something like CrashPlan or Mozy that doesn't allow access to the client, and the next closest would be something like Borg Backup backing up to a server in append only mode.

Unlike most IT disasters where backing up to a file share or a S3 bucket is good enough, ransomware means that you have to ensure the client can only append data.

Yep. Options for Linux if your Windows is a VM

[raymorris]

Yeah ransomware will encrypt any file shares it can, so push backups are no good. Actual live bad guys also shouldn't have write access to your backups, so pull it is.

Also, I don't want to rely on the box to back itself up because that requires assuming that all of the machines getting backed up are always working correctly. If we're going to assume the computers never have problems, we wouldn't need to back them up in the first place. I prefer the backup system runs on one dedicated system. Additionally that has other benefits, like you don't have 100 machines all trying to push their backups all at once. The backup machine can pull them a few a time, getting each one done more quickly. At least that's how I wrote Clonebox.

Unfortunately for people concerned with Windows ransomware, Clonebox was/is another pull option for *Linux*. There are a few good options I know of, but they are all for Linux/ BSD. That'll work if your Windows is a VM running on a *nix platform. Theoretically the systems made for *nix would work for backing up files from Windows using Windows Subsystem for Linux. The backups probably wouldn't be bootable like they are for Linux, you'd have to restore the files after a fresh install of Windows. That's a reasonable approach, though. About 10 years behind what you can do with Linux, but 10 years behind is about average for Windows when it comes to system capabilities (as opposed to applications).