Good day, welcome to another bulletin from Breaking Scams…
Scam, just in…
The word “Phobos” is Greek for fear and it is the word we derive ‘phobic’ from. It is also the name of one of the two moons that orbit Mars. So, it is very fitting that this Greek word for fear is the new name for a ransomware scam that has been hitting our computer screens lately.
Ransomware is bad, as in really bad. If you get infected by this malware it encrypts all of your files, not just on the infected computer, but across your network, even out into Cloud repositories.
During January 2019, Phobos ransomware has been specifically targeting users in Western Europe. The ransomware variant called Phobos originated back in 2017. However, a new version of Phobos has arrived to welcome in the new year.
Reports put the entry point of infection at either phishing email or insecurely exposed RDP (Remote Desktop Protocol) ports, the ports used by Microsoft remote desktop services. The 2019 version of Phobos ransomware appears to target poorly secured RDP ports, which are accessed using weak or illegally obtained login credentials. A news report by BankInfoSecurity demonstrated how easily cybercriminals can purchase RDP credentials.
It is also worth noting that ransomware, including Phobos ransomware, can be spread as an email attachment, usually a Word document with macros enabled. If you open the document, the macros run the code that installs the ransomware. So be aware that Phobos ransomware (and other variants) can enter your organisation via email too.
How To Prevent The Damage of a Ransomware Infection
There are several ways to help prevent your organisation from becoming a ransomware victim:
- Use security awareness training to teach your staff how to spot a phishing email
- Use security measures to secure your RDP ports – this usually means:
  - Use robust authentication and strong passwords
  - Change the RDP port to a non-default port
  - Make sure Network Level Authentication is on
- Use good backup software that is ransomware resistant
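As an added example (not from the original bulletin), the following PowerShell audit checks a Windows host against the three RDP points above and can optionally switch Network Level Authentication on. It assumes it is run elevated on the host being checked; the registry paths and value names are the standard Terminal Services ones, and the `-EnforceNla` switch is a name chosen here.

```powershell
# Added RDP hardening audit; not part of the original bulletin.
# Assumes elevation on the audited host. Registry locations are the standard
# Terminal Services settings used by Windows, not values taken from the page.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$EnforceNla   # hypothetical switch: turn NLA on if it is found off
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$findings = @()

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$denyTs = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
if ($denyTs -eq 1) {
    $findings += 'INFO: Remote Desktop is disabled on this host; nothing is exposed.'
} else {
    # Non-default port: 3389 is the well-known default that mass scanners probe.
    # A different port only cuts scanner noise; NLA and strong credentials are
    # what actually stop credential stuffing, so treat this as the weakest check.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    if ($port -eq 3389) { $findings += 'WARN: RDP still listens on default port 3389.' }
    else                { $findings += "OK:   RDP listens on non-default port $port." }

    # Network Level Authentication: UserAuthentication = 1 means the client must
    # authenticate before a session is created, removing the pre-auth attack surface.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) {
        $findings += 'WARN: Network Level Authentication is OFF.'
        if ($EnforceNla) {
            Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
            $findings += 'FIX:  NLA enabled; new connections must now pre-authenticate.'
        }
    } else { $findings += 'OK:   Network Level Authentication is required.' }

    # Robust authentication (part 1): SecurityLayer 0 is legacy RDP encryption,
    # 1 negotiates, 2 forces TLS so credentials never travel over the legacy layer.
    $layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer
    if ($layer -lt 1) { $findings += 'WARN: SecurityLayer = 0 (legacy RDP encryption); set it to 2 for TLS.' }
    else              { $findings += "OK:   SecurityLayer = $layer (TLS/negotiate)." }

    # Robust authentication (part 2): an account lockout threshold bounds password
    # guessing against an exposed port. The string match assumes English 'net' output.
    $lockout = (net accounts | Select-String 'Lockout threshold').ToString()
    if ($lockout -match 'Never') { $findings += 'WARN: No account lockout threshold; password guessing is unlimited.' }
    else                         { $findings += "OK:   $($lockout.Trim())" }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it without switches to get a read-only report, or with `-EnforceNla` to also enable NLA; the other findings are reported for an administrator to act on deliberately.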
What to Do If You See a Ransomware Screen?
If you do become infected by Phobos ransomware you will see a pop-up dialog screen appear on the infected computer(s). This screen will tell you that your files are encrypted. It will also tell you to contact the perpetrators via email. You will then be asked to supply payment in bitcoin.
Also, as a ‘nice gesture,’ the cybercriminal behind the scam may offer to decrypt up to 5 files free of charge. How kind of the cybercriminal. DO NOT send them any files – you will not only be playing into their hands, but you will be giving them your company’s private information. Even files that seem innocuous will contain metadata with the personal details of the author(s).
The general advice from organisations like the UK’s National Crime Agency is to NOT pay the ransom. Even if you do, there is no guarantee you will get the decryption code needed to decrypt your files.
If you are a victim of Phobos or any other type of ransomware, we can put you in touch with one of our trusted partners, so don’t hesitate to get in touch.
Why not help your colleagues in infosec stay safe and share this post – or, alternatively, feel free to copy and paste the below for sharing:
Phobos Ransomware Scams
Phobos ransomware encrypts your files if you become infected. It then demands payment, in bitcoin, to decrypt the files. If you see a Phobos ransomware, or any other ransomware screen pop-up on your computer demanding payment to decrypt files:
DO NOT pay the ransom or use the email address given on screen to contact the cybercriminal.
If you are affected by ransomware, please contact your [IT Department/Supplier] immediately via [insert contact details].