Researchers recently uncovered a new variant of the notorious Phobos ransomware. This latest iteration sets itself apart by attempting to frame the well-known malware-sharing collective VX-Underground.
Experts believe this deceit is meant to throw victims and cybersecurity investigators off the trail of the true culprits.
Launched in 2018, Phobos is thought to have evolved from the Crysis ransomware family. The operation is split into two groups: one that holds the master decryption key and manages the ransomware's development and another consisting of affiliates responsible for breaching networks and encrypting devices.
While Phobos has been active for several years, it has yet to achieve the notoriety or success of other major ransomware operations, often refraining from high-profile attacks or exorbitant ransom demands.
The latest discovery, by a ransomware hunter known as PCrisk, reveals a novel Phobos variant that specifically frames VX-Underground. During encryption, this variant appends a unique suffix to files, .id[unique_id].[[email protected]].VXUG, directly implicating VX-Underground. Additionally, ransom notes placed on infected machines further attempt to mislead victims into believing VX-Underground is responsible.
The ransom note, titled Buy Black Mass Volume II.txt, playfully references VX-Underground's Black Mass book. The note states:
!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: [email protected].
If we don't answer in 48h., send message to this twitter: @vxunderground
and no the decryption password is not 'infected'.
A secondary HTA file with the same name carries a standard Phobos ransom note but is customized with VX-Underground's logo and contact information, furthering the illusion.
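The suffix and note names described above are the artifacts a responder can check a file listing for. The following is an added example, not code from the article or from any of the researchers it cites: it parses the Phobos-style suffix (.id[victim id].[contact].extension, which Phobos appends after the original extension across its variants, not only the VXUG one) and flags the ransom-note filenames. The sample listing, the victim id, the contact address and the second extension are constructed for the demonstration; the real contact address is not reproduced on the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Phobos renames an encrypted file to "<name>.<orig ext>.id[<victim id>].[<contact>].<ext>".
# The variant discussed above uses "VXUG" as the final extension; other Phobos
# builds use other extensions, so the pattern accepts any and records which one it saw.
PHOBOS_SUFFIX_RE = re.compile(
    r"\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom notes dropped by this variant (the article names the .txt and an HTA
# file with the same name). Compared case-insensitively.
RANSOM_NOTE_NAMES = {
    "buy black mass volume ii.txt",
    "buy black mass volume ii.hta",
}


@dataclass
class PhobosHit:
    path: str
    kind: str                      # "encrypted_file" or "ransom_note"
    victim_id: Optional[str] = None
    contact: Optional[str] = None
    ext: Optional[str] = None


def classify_path(path: str) -> Optional[PhobosHit]:
    """Return a PhobosHit if the path looks like a Phobos artifact, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # basename, Windows or POSIX
    if name.lower() in RANSOM_NOTE_NAMES:
        return PhobosHit(path, "ransom_note")
    m = PHOBOS_SUFFIX_RE.search(name)
    if m:
        return PhobosHit(path, "encrypted_file",
                         m.group("victim_id"), m.group("contact"), m.group("ext"))
    return None


def scan_listing(paths: Iterable[str]) -> List[PhobosHit]:
    """Run classify_path over a file listing and keep only the hits."""
    return [hit for hit in (classify_path(p) for p in paths) if hit is not None]


def summarize(hits: Iterable[PhobosHit]) -> dict:
    """Roll hits up into the facts a responder reports first: counts, the victim id(s)
    embedded in the filenames, the contact handles used, and whether the VXUG build was seen."""
    hits = list(hits)
    encrypted = [h for h in hits if h.kind == "encrypted_file"]
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": sum(1 for h in hits if h.kind == "ransom_note"),
        "victim_ids": {h.victim_id for h in encrypted},
        "contacts": {h.contact for h in encrypted},
        "extensions": {h.ext.upper() for h in encrypted},
        "vxug_variant_present": any(h.ext.upper() == "VXUG" for h in encrypted),
    }


# Constructed sample listing (paths, victim id and contact address are made up).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id[1A2B3C4D-3451].[contact@example.invalid].VXUG",
    r"C:\Users\alice\Documents\Buy Black Mass Volume II.txt",
    r"C:\Users\alice\Documents\Buy Black Mass Volume II.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    "/srv/finance/q3.xlsx.id[1A2B3C4D-3451].[contact@example.invalid].eking",
]

if __name__ == "__main__":
    found = scan_listing(SAMPLE_LISTING)
    for hit in found:
        print(hit)
    print(summarize(found))
```

Running it over a real volume means feeding the output of a directory walk into scan_listing; the victim id it extracts is constant across one infected host, so a second id in the same listing is itself worth noting in the incident record.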
Implementing robust cybersecurity practices is strongly recommended to defend against ransomware and other digital threats. These include regularly updating software and operating systems, using dedicated security software such as Bitdefender Ultimate Security, and educating employees about phishing and other common attack vectors.
Regular backups of critical data, preferably offsite or in a secure cloud environment, are also crucial for recovery after an attack. Vigilance and proactive security measures are critical to safeguarding against evolving digital threats.