
What is in the variant analysis report of the Phobos ransomware?

2025-01-15 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

What is in the variant analysis report of the Phobos ransomware? This article answers that question by presenting the analysis and the corresponding protective measures in detail, in the hope of helping readers who face the same problem find a simple and workable approach.

I. Overview

This report covers a new variant of the Phobos ransomware family, a family first seen in early 2019 and updated with new variants ever since. The variant was first observed at the end of September 2019; its main propagation methods are RDP brute forcing and phishing email. It encrypts files with an "RSA+AES" scheme, and no decryption tool is available at present. Once running, it encrypts not only document files but also executable files, and after encryption it drops two kinds of ransom note, one in txt format and the other in hta format. The Phobos family has spread across many industries worldwide, with a large infected footprint and frequently updated variants.

Our analysis shows that the Phobos ransomware family and the CrySIS/Dharma ransomware family that appeared in 2016 share similar encryption methods, some code snippets, the appearance and content of the ransom notes, and the naming scheme for encrypted files. It cannot be ruled out that both families have the same author, or that the CrySIS/Dharma attackers purchased and use Phobos-related code.

IEP has been verified to detect and remove the variants of the Phobos ransomware family and to protect against them effectively.

II. Overview of Phobos ransomware

Table 2-1 Overview of the new Phobos ransomware variant

| Field | Value |
|---|---|
| Propagation method | RDP (Remote Desktop Protocol) brute forcing, phishing email |
| Encrypted file naming | + contact method (butters.felicio@aol.com); the leading part of the naming pattern did not survive extraction |
| Encrypted file types | all file formats |
| Ransom currency and amount | Bitcoin (the actual amount is only learned after contacting the attacker by email) |
| Targeted attack | (not stated on the page) |
| Decryptable | cannot be decrypted at present |
| Intranet propagation | (not stated on the page) |
| Ransom interface | (image, not preserved in extraction) |

2.1 Phobos ransomware family history

The Phobos ransomware family has been prevalent worldwide since the beginning of 2019 and has been updated continuously, so a large number of variants now exist. It spreads to enterprises and individual users through RDP brute forcing, phishing email and other means, and the number of infections keeps growing.

Figure 2-1 Evolution of Phobos ransomware family variants

III. Sample analysis of the new Phobos ransomware variant

3.1 Phobos ransomware sample labels

Table 3-1 Sample information of the new Phobos ransomware variant

| Field | Value |
|---|---|
| Virus name | Trojan/Win32.Wacatac |
| Original file name | AntiRecuvaAndDB.exe |
| MD5 | 4CBCF650C75C6CD0CC16ED24C3B24DE6 |
| File size | 50.5 KB (51712 bytes) |
| Timestamp | 2019-06-19 08:00:06 |
| Digital signature | none |
| Packer | none |
| Compiler | Microsoft Visual C++ |
| VT first upload time | 2019-10-07 14:43:13 |
| VT detection result | 57/70 |

3.2 Encrypted file format

The variant encrypts files with the "RSA+AES" scheme, and the encrypted file name takes the following form:

+

The encrypted file is shown in the following figure.

Figure 3-1 encrypted file

3.3 Phobos ransomware blackmail letter

After encryption the variant generates two kinds of ransom note, one with the .txt suffix and the other in .hta format. The content of this variant's note differs from that of earlier Phobos ransomware: other variants of the family tell the victim how to buy Bitcoin to pay the ransom, whereas this variant's note does not; it only states that the victim's files have been encrypted and gives the contact email address and other information.

Figure 3-2 Comparison of ransom notes in txt format

Figure 3-3 Comparison of ransom notes in hta format

3.4 Behavior analysis of the new Phobos ransomware variant

Turning off the system firewall

The ransomware uses the netsh command to turn off the Windows firewall.

Figure 3-4 Turning off and disabling the firewall

It disables and turns off the firewall with the following two commands (both have the same effect but apply to different Windows versions):

netsh advfirewall set currentprofile state off

netsh firewall set opmode mode=disable

Adding startup entries to run at boot

The variant copies itself into the system Startup folders to run automatically at boot; the paths are as follows:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

C:\Users\System\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Figure 3-5 Copying itself to the %Startup% startup folder

Figure 3-6 Copying itself to the %AppData% startup folder

It also adds a registry startup entry under the following Run keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
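The firewall-disabling commands and the two persistence mechanisms above are all visible in ordinary endpoint telemetry. The following Python example is added here and is not part of the original report or of IEP's logic: it runs three simple rules over a handful of constructed telemetry events (loosely modelled on Sysmon event types 1, 11 and 13) and then counts how many distinct behaviours were seen from the same image, since a firewall change and a Startup-folder or Run-key write from one unsigned executable is a much stronger signal than either alone. Event records, user names and paths are constructed for the example; the command lines, folder and key paths are the ones quoted in the report.

```python
import re
from dataclasses import dataclass

# Constructed telemetry events, loosely modelled on Sysmon event types
# (1 = process creation, 11 = file creation, 13 = registry value set).
# Every record here is constructed for the example, not captured data.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set currentprofile state off"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh firewall set opmode mode=disable"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh interface show interface"},          # benign netsh use
    {"id": 11, "image": r"C:\Users\victim\Downloads\AntiRecuvaAndDB.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AntiRecuvaAndDB.exe"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\victim\Documents\report.docx"},  # benign file write
    {"id": 13, "image": r"C:\Users\victim\Downloads\AntiRecuvaAndDB.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaAndDB",
     "details": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AntiRecuvaAndDB.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},                   # benign registry write
]

# Rule 1: both netsh forms quoted in the report (profile name left open).
FIREWALL_OFF = re.compile(
    r"netsh\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
    r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)", re.I)
# Rule 2: an executable dropped into any user's or the machine's Startup folder.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Rule 3: a value written under HKLM or HKCU ...\CurrentVersion\Run.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


@dataclass
class Alert:
    technique: str
    image: str      # process that performed the action
    evidence: str   # command line, file path or registry value


def detect(events):
    """Apply the three rules to a list of event dicts and return the alerts."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and FIREWALL_OFF.search(ev["cmd"]):
            alerts.append(Alert("firewall_disabled", ev["image"], ev["cmd"]))
        elif (ev["id"] == 11 and STARTUP_DIR.search(ev["target"])
              and ev["target"].lower().endswith(".exe")):
            alerts.append(Alert("startup_folder_persistence", ev["image"], ev["target"]))
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            alerts.append(Alert("run_key_persistence", ev["image"],
                                f'{ev["target"]} = {ev["details"]}'))
    return alerts


def score(alerts):
    """Number of distinct techniques seen per image; 2 or more from one
    executable is the combination the report describes."""
    by_image = {}
    for a in alerts:
        by_image.setdefault(a.image, set()).add(a.technique)
    return {img: len(techs) for img, techs in by_image.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a.technique}] {a.image}: {a.evidence}")
    print(score(found))
```

The regexes are deliberately loose about the firewall profile name and the registry hive so that the `allprofiles`/`domainprofile` forms and the HKCU variant are caught as well; in a real pipeline the Startup-folder and Run-key rules would be gated on the writing process not being a known installer.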

Appending family variant version information to encrypted files

After the variant encrypts the contents of a file, it appends two blocks of data to the end of the file. One block is the encrypted data corresponding to the file's extension; the other is the ransomware family's variant identifier, whose value differs between Phobos versions and so distinguishes them. Both blocks are separated from the encrypted content by zero-byte padding.

Figure 3-7 Data appended at the end of the file
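Because the variant identifier sits in a fixed position relative to the zero-byte separators, the appended trailer can be pulled out of an encrypted file without any key and used to group samples by version. The Python below is an added example, not code from the report: it reads the tail of a file, treats the last two runs of zero bytes as the separators, and returns the body, the extension block and the variant block. The report does not give the length of the padding, the block sizes or the order in which the two blocks are laid out, so the minimum run length of four zeros, the 4 KB tail window and the order (extension block first, variant identifier last, following the order of the sentence above) are assumptions; the sample file is constructed, with a deterministic byte pattern standing in for ciphertext.

```python
import re

# Separator: a run of at least four zero bytes (assumed minimum; AES
# ciphertext contains such a run by chance with probability about 2^-32
# per position, so a few thousand bytes of tail will not trip it).
ZERO_RUN = re.compile(rb"\x00{4,}")
TAIL_BYTES = 4096  # only the end of the file is inspected (assumption)


def split_trailer(data: bytes):
    """Split an encrypted file into (body, ext_block, variant_block).

    The last two zero runs in the tail are taken as the separators. The
    block order (extension block, then variant identifier) is an assumption
    taken from the order the report lists them in. Returns
    (data, None, None) when no trailer is recognised.
    """
    tail = data[-TAIL_BYTES:]
    base = len(data) - len(tail)        # offset of `tail` inside `data`
    runs = list(ZERO_RUN.finditer(tail))
    if len(runs) < 2:
        return data, None, None
    sep1, sep2 = runs[-2], runs[-1]
    body = data[: base + sep1.start()]
    ext_block = tail[sep1.end(): sep2.start()]
    variant_block = tail[sep2.end():]
    if not ext_block or not variant_block:
        return data, None, None
    return body, ext_block, variant_block


def variant_fingerprint(data: bytes):
    """Hex of the variant block, usable as a key to group encrypted files
    by Phobos version; None when the file carries no recognisable trailer."""
    _, _, variant = split_trailer(data)
    return variant.hex() if variant else None


# Constructed sample file. The "ciphertext" is a byte pattern whose
# consecutive values always differ, so it never contains a zero run; the
# two appended blocks are arbitrary non-zero bytes chosen for the example.
SAMPLE_BODY = bytes(((i * 37 + 11) & 0xFF) for i in range(1000))
SAMPLE_EXT = b"\x8a\x13\xf7\x42\x9c\x01\xde\x55"   # stands in for the encrypted extension
SAMPLE_VARIANT = b"\x02\x01\x07"                    # constructed variant marker
SAMPLE_FILE = SAMPLE_BODY + b"\x00" * 16 + SAMPLE_EXT + b"\x00" * 16 + SAMPLE_VARIANT


if __name__ == "__main__":
    body, ext, variant = split_trailer(SAMPLE_FILE)
    print(len(body), ext.hex(), variant.hex())
    print(variant_fingerprint(SAMPLE_FILE))
    print(variant_fingerprint(SAMPLE_BODY))   # None: no trailer present
```

On a real incident the fingerprints from a directory of encrypted files should all agree; a second value appearing means more than one variant, and therefore possibly more than one intrusion, is present.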

IV. Protection suggestions and IEP protection video demonstration link

Users are reminded to back up important files promptly and to keep the backups isolated from the host; to install update patches promptly so that ransomware cannot exploit vulnerabilities to infect the computer; to be wary of email from untrusted sources and avoid opening attachments or clicking links in such email; to avoid opening links of unknown origin shared on social media, and instead to bookmark trusted websites and reach them through the bookmarks; to avoid weak passwords and reusing a single password everywhere; to make sure that every computer using Remote Desktop does so over a secure channel such as a VPN, and to turn Remote Desktop off where the business has no need for it; and to use antivirus software (such as Zhi A) to scan email attachments and confirm they are safe before running them.

At present IEP can detect and remove the variants of the Phobos ransomware family and protect against them effectively.

Figure 4-1 Protection interface

That concludes the variant analysis report of the Phobos ransomware. I hope the content above is of some help; if you still have questions, follow the industry information channel for more related material.
