In an unusual twist, it’s not actually the ransomware itself that makes the newer forms of Phobos so frightening; it’s the people behind the attacks that will have you worried.
The Phobos family of ransomware has been around since late 2017 and has morphed into a few strains, always targeting larger organizations in hopes of taking home a bigger payout. It works to kill processes that may pose a threat, deletes Volume Shadow copies, disables Windows firewall, and even prevents systems from booting into recovery mode.
But that’s not the scary part.
The real frightening part of Phobos is how it’s distributed today. Sold in a Ransomware-as-a-Service business model, malware researchers have noted that those using Phobos today are not as organized and less professional than cybercriminal organizations that build and distribute their own ransomware.
What does this have to do with your organization? Plenty. It usually means it may take longer to negotiate ransoms (should you choose to pay), and potential issues around the decryption of ransomed files and systems. Think about it: the person (or persons) responsible for the specific attack on your organization have no control over the malware used as part of the attack; they need to go back to the organization they are using to retrieve decryption keys and instructions.
With email still being a primary attack vector, the need to trick users into clicking on malicious attachments and links is necessary. Users that undergo Security Awareness Training are better prepared to augment the organization’s security posture by identifying malicious emails for what they are and failing to engage with them to allow Phobos to install and begin wreaking havoc.