[ Phobos ransomware ]
[Virus/malware activity reported: Phobos ransomware]
Following a breach believed to involve Phobos ransomware,
we are confirming the situation and issuing the following warning.
How it works
File version
Several variants have been released since this ransomware first appeared in 2017. In the sample analyzed here, all files are renamed with the .eking extension.
[Figure 0] Actual extension changed after Phobos ransomware infection
This is the file information.
[Figure 1] File information
Behavioral process
Check external communication
It contacts a random site to check whether communication with the outside world is possible.
[Figure 2] Confirmation of external communication during action process
Startup program registry registration
It registers itself in the startup-program registry so that it runs again at boot time.
[Figure 3] Startup program registry registration
Enable network sharing and disable firewall
Disable the firewall to prevent additional infections from happening on your PC.
[Figure 4] Command to delete shadow copies to make recovery difficult
Infection results
A ransom note named Read_Me!_.txt is created in each folder, and each encrypted file is renamed to <encrypted file name.extension[ID=random value-Mail=FreedomTeam@mail.ee].random value>.
[Figure 5] .txt file ransom note screen
[Figure 6] Ransom note image
[Figure 7] Extension changed after infection
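For incident scoping, the two artifacts described above (the Read_Me!_.txt note and the renamed-file pattern) can be searched for across a file listing. The following is an added example, not part of the original advisory or any vendor tool; the regular expression is an assumption built from the naming pattern on this page, and the sample paths, IDs and function names are constructed.

```python
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "Read_Me!_.txt"  # ransom note name given on this page
# <original name.extension>[ID=<random>-Mail=<address>].<random>, per this page.
# Assumption: neither the ID nor the address contains "]".
RENAMED = re.compile(
    r"^(?P<original>.+)\[ID=(?P<id>[^\]]+?)-Mail=(?P<mail>[^\]]+)\]\.(?P<suffix>[^.\[\]]+)$"
)

def classify(name):
    """Return ('note', None), ('encrypted', fields) or (None, None) for a file name."""
    if name.lower() == NOTE_NAME.lower():
        return "note", None
    m = RENAMED.match(name)
    return ("encrypted", m.groupdict()) if m else (None, None)

def triage(paths):
    """Group hits by folder so responders can see which directories were touched."""
    report = defaultdict(
        lambda: {"note": False, "encrypted": [], "contacts": set(), "suffixes": set()})
    for raw in paths:
        p = PureWindowsPath(raw)  # accepts both "\" and "/" separators
        kind, fields = classify(p.name)
        if kind == "note":
            report[str(p.parent)]["note"] = True
        elif kind == "encrypted":
            entry = report[str(p.parent)]
            entry["encrypted"].append(fields["original"])  # pre-infection file name
            entry["contacts"].add(fields["mail"])
            entry["suffixes"].add(fields["suffix"])
    return dict(report)

def walk(root):
    """Yield every file path under root (read-only; nothing is modified)."""
    for folder, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(folder, f)

# Constructed sample listing; the ID values are placeholders, not real victim IDs.
SAMPLE = [
    r"C:\Users\a\Docs\Read_Me!_.txt",
    r"C:\Users\a\Docs\budget.xlsx[ID=EXAMPLE1-Mail=FreedomTeam@mail.ee].eking",
    r"C:\Users\a\Docs\notes[2021].txt",
    r"C:\Users\a\Pics\cat.jpg[ID=EXAMPLE1-Mail=FreedomTeam@mail.ee].eking",
    r"C:\Users\a\Pics\dog.jpg",
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE).items():
        print(folder, info)
```

Passing `walk(r"D:\share")` to `triage` instead of `SAMPLE` runs the same check against a mounted volume or a forensic image.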
White Defender compatible
White Defender supports blocking this ransomware's malicious actions and real-time automatic restoration of files targeted for encryption.