New Phobos Ransomware Variant Impersonates VX-Underground


November 21, 2023

Researchers recently uncovered a new variant of the notorious Phobos ransomware. This latest iteration sets itself apart by attempting to frame the well-known malware-sharing collective VX-Underground.

Experts believe this deceit is meant to throw victims and cybersecurity investigators off the trail of the true culprits.

Phobos Ransomware's Evolution

Launched in 2018, Phobos is thought to have evolved from the Crysis ransomware family. The operation is split into two groups: one that holds the master decryption key and manages the ransomware's development, and another consisting of affiliates responsible for breaching networks and encrypting devices.

While Phobos has been active for several years, it has yet to achieve the notoriety or success of other major ransomware operations, often refraining from high-profile attacks or exorbitant ransom demands.

VX-Underground Framed in New Variant

The latest discovery, by a ransomware hunter known as PCrisk, reveals a novel Phobos variant that specifically frames VX-Underground.

During encryption, this variant appends a unique suffix to files, .id[unique_id].[[email protected]].VXUG, directly implicating VX-Underground. Additionally, ransom notes placed on infected machines further attempt to mislead victims into believing VX-Underground is responsible.

Ransom Note Contents

The ransom note, titled Buy Black Mass Volume II.txt, playfully references VX-Underground's Black Mass book. The note states:

!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: [email protected].
If we don't answer in 48h., send message to this twitter: @vxunderground
and no the decryption password is not 'infected'.

A secondary HTA file with the same name carries a standard Phobos ransom note but is customized with VX-Underground's logo and contact information, furthering the illusion.
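As an added example, not code from the article or from the researchers it cites, the following Python triage helper parses the Phobos file-naming convention described above (original name, bracketed victim id, bracketed contact address, campaign extension) and checks a directory listing for the VXUG extension and the Buy Black Mass Volume II note files. The listing, the victim id and the contact address are constructed placeholders, not real indicators.

```python
import re
from typing import Optional

# Phobos naming convention as described in the article:
#   <original name>.id[<victim id>].[<contact address>].<campaign extension>
# The variant discussed here uses the campaign extension "VXUG".
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<vid>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note names reported for this variant (.txt note and .hta companion).
RANSOM_NOTES = {"buy black mass volume ii.txt", "buy black mass volume ii.hta"}


def parse_phobos_name(filename: str) -> Optional[dict]:
    """Return the parsed components if filename follows the Phobos pattern, else None."""
    m = PHOBOS_NAME.match(filename)
    if not m:
        return None
    parts = m.groupdict()
    parts["vxug_variant"] = parts["ext"].upper() == "VXUG"
    return parts


def triage_listing(filenames):
    """Summarise a listing: encrypted files per campaign extension, distinct
    victim ids, files flagged as the VXUG variant, and any ransom notes found."""
    summary = {"encrypted": {}, "victim_ids": set(), "ransom_notes": [], "vxug": 0}
    for name in filenames:
        if name.lower() in RANSOM_NOTES:
            summary["ransom_notes"].append(name)
            continue
        parsed = parse_phobos_name(name)
        if parsed is None:
            continue  # not renamed by Phobos
        summary["encrypted"][parsed["ext"]] = summary["encrypted"].get(parsed["ext"], 0) + 1
        summary["victim_ids"].add(parsed["vid"])
        if parsed["vxug_variant"]:
            summary["vxug"] += 1
    return summary


# Constructed sample listing (placeholder id and contact address, not real IoCs).
SAMPLE_LISTING = [
    "Q3-budget.xlsx.id[1A2B3C4D-3123].[contact@example.invalid].VXUG",
    "notes.txt.id[1A2B3C4D-3123].[contact@example.invalid].VXUG",
    "Buy Black Mass Volume II.txt",
    "Buy Black Mass Volume II.hta",
    "readme.md",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```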

Recommendations for Ransomware Prevention

Implementing robust cybersecurity practices is strongly recommended to defend against ransomware and other digital threats. These include regularly updating software and operating systems, using dedicated security software such as Bitdefender Ultimate Security, and educating employees about phishing and other common attack vectors.

Regular backups of critical data, preferably offsite or in a secure cloud environment, are also crucial for recovery after an attack. Vigilance and proactive security measures are critical to safeguarding against evolving digital threats.

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.