Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Dharma Gang Pushes Phobos Crypto-Locking Ransomware

Also, Adware Installers Sneak STOP Ransomware Onto Systems
Dharma Gang Pushes Phobos Crypto-Locking Ransomware
Ransom note dropped by Phobos crypto-locking ransomware (Source: Coveware)

New strains of ransomware are being distributed by attackers who gain remote access to organizations' networks, as well as via sites that share cracked versions of commercial software.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In particular, attackers are using easily available lists of stolen or hacked remote desktop protocol credentials to remotely access enterprise networks and infect PCs, network shares and virtual drives with Phobos ransomware, security researchers warn. In addition, a new strain of STOP ransomware continues to be distributed via adware bundles available from multiple "cracked software" sites.

Reports into the new ransomware follow warnings from security researchers that prolific GandCrab malware, which is distributed as a ransomware-as-a-service offering, have once again spiked following a December 2018 lull.

While many malware-using attackers have dropped ransomware in favor of cryptocurrency miners, which steal CPUs to "mine" for cryptocurrency, many gangs are continue to distribute ransomware. Sometimes, crypto-locking ransomware gets pushed via malware "droppers" that install it as a final stage of an attack that begins with a miner.

ID Ransomware, a site which allows ransomware victims to upload an encrypted file to help identify which strain of ransomware crypto-locked their files, now counts 673 strains of ransomware, including Anatova, Aurora, Bitpaymer, Ryuk, STOP and XCry, among many others. That's a notable increase from the 631 strains the site catalogued as of September 2018 (see: Obama-Themed Ransomware Also Mines for Monero).

But malware researcher Michael Gillespie (@demonslay335), who runs the ID Ransomware site, says the list isn't meant to be exhaustive. For example, he doesn't count every new variant of Hidden Tear - which was open source code released by a researcher who claimed to want to see how ransomware worked - unless it includes major new functionality.

Phobos Ransomware

On the ID Ransomware list, however, is a new strain of crypto-locking malware called Phobos - likely after the Greek god of fear. It's been hitting organizations since the middle of last month, ransomware response firm Coveware warns, noting that the ransomware appears to be extremely similar to Dharma.

Dharma includes the ability to crypto-lock files on a local drive, as well as mapped network drives, unmapped network shares and virtual machine drives (see: Scotland's Arran Brewery Slammed by Dharma Bip Ransomware).

Dharma, meanwhile, is turn based on CrySiS. In fact, many anti-virus engines continue to detect Phobos and Dharma as CrySiS, which ransomware trackers say continues to be one of the most-seen strains of crypto-locking malware (see: Ransomware Keeps Ringing in Profits for Cybercrime Rings).

Installed via RDP

Some ransomware ends up on systems as a result of spam or phishing attacks. But to infect systems with Phobos, distributors look to be accessing "well worn, open or weakly secured RDP ports," Coveware says. "As usual, the attacks are exacerbated when companies either have no backups, or have not properly partitioned them from the network with strong administrative controls."

Lists of RDP ports can be purchased inexpensively on underground cybercrime forums, often compiled by attackers who guess or brute-force attack RDP-using organizations. These credentials may be sold to multiple waves of users, starting with attackers who look for sensitive data such as payment card numbers, and ending with less advanced attackers who install cryptocurrency miners or crypto-locking malware. As a result, by the time an organization finds that its files have been forcibly encrypted and a ransom note left, attackers may have already been inside its networks for weeks or months, having already grabbed everything else of potential value (see: Cybercrime Markets Sell Access to Hacked Sites, Databases).

The ransom note left by Phobos after it crypto-locks files is identical to the Dharma ransom note except for having the word "Phobos" added to the top, Coveware says.

Anyone who contacts the email address in the ransom note - identical to the note used by the distributors of the .bip, .gamma and .adobe. variants of Dharma - that offers to not only unlock their files but tries to upsell them with additional security advice:

"we also offer service to you. full of advice for protecting against attacks? - the price of 0.1 BTC, and remember our work is very hard. and it requires a lot of time and costs."

Currently, 0.1 bitcoin is worth $350.

The file-naming scheme for Phobos differs from other Dharma variants, ID Ransomware's Gillespie reports. Even so, "the group distributing Phobos, the exploit methods, ransom notes and communications remain the nearly identical to Dharma," Coveware says, suggesting that it's the work of the same gang.

Adware Bundle Installs Ransomware

Ransomware watchers are also warning that infections involving a new variant of STOP ransomware have spiked.

Fake Windows installer that instead infects a system with STOP ransomware (Source: ID Ransomware)

In 2017, ID Ransomware warned that since mid-2017, STOP ransomware, perhaps being distributed from Ukraine, was using AES encryption to crypto-lock systems and then demanding the bitcoin equivalent of $200 to $600 for a decryption key. Crypto-locked files had ".stop" added to the end of their filename.

The ransomware was being distributed in part via free installers for "cracked" versions of software, including "repackaged and infected installers of popular programs, pirated activators of Microsoft Windows and Microsoft Office," ID Ransomware warned. Security experts say these free installers often get distributed via "free" adware bundles that cracked site administrators often use to monetize their sites.

Now, a new version of STOP ransomware has recently been added to adware bundles.

"These bundles will normally install unwanted extensions, adware, clickers, and miners, but one bundler appears to be turning a blind eye and has started distributing the STOP ransomware as well," Bleeping Computer reports, noting that it's been added to installers being offered via multiple sites that supposedly contain free versions or cracks for such software as Cubase, KMSPico, Photoshop and various types of anti-virus software.

Files crypto-locked by the latest version of STOP ransomware will have a .rumba extension added to the filename.

Anti-virus engines sometimes flag these unwanted add-ons as malware and block it completely, while for others, it falls into a category often dubbed as "potentially unwanted products." Security experts say the best approach is to avoid these types of bundles or installers altogether (see: Malware Moves: Attackers Retool for Cryptocurrency Theft).

The "_openme.txt" file containing a ransom note left on systems that have been crypto-locked by the .rumba version of STOP ransomware (Source: ID Ransomware)

Anyone infected by STOP ransomware might be able to recover their files for free, thanks to a decryptor that's been built by ID Ransomware's Gillespie. Anyone whose files were crypto-locked while their system was offline have a greater chance of success, because the malware is designed to use a hardcoded encryption key if it's not able to "phone home" to its command-and-control servers.

Gillespie says he's cataloged victims of the recent version of STOP Ransomware in Brazil, Chile, Ecuador, Egypt, Germany, Greece, Hungary, Indonesia, Poland, Thailand, Turkey and Venezuela.

Recent versions of the ransom demand a ransom payment worth $980 bitcoins, but as with previous versions, offer a 50 percent discount of victims contact the ransomware gang within 72 hours of being infected.

Security experts continue to urge organizations and individuals to avoid paying a ransom whenever possible, warning that doing so directly funds cybercrime and further ransomware attacks (see: Ransomware Claims to Fund Child Cancer Treatments).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.