Thanks to the work of Cisco Talos, it was possible to identify a new and fearsome variant of the Phobos ransomware.
This variant, operated by the cybercriminal group known as 8Base, became the protagonist of a massive campaign launched between May and June of this year.
Cybersecurity experts have since cataloged as many as 67 attacks attributable to the collective, with targets distributed across the American continent (from the United States to Brazil). Those targeted by 8Base appear to be mainly small and medium-sized enterprises operating in various sectors, from corporate services to finance and IT.
Researchers from VMware identified the connection between Phobos and the group, having noticed the .8base extension adopted for encrypted files.
The new variant of the Phobos ransomware uses its own encryption technique
Why is this ransomware so feared? The modified version proves to be, if anything, richer in functionality than the more “classic” one. In fact, researchers have identified an impressive number of features the malware is equipped with, among which the following stand out:
- Full encryption of files smaller than 1.5 MB and partial encryption of larger files, to speed up operations;
- A higher level of persistence, obtained through automatic execution of the malware and modification of registry keys;
- Scanning of network shares on the local network;
- Deactivation of system recovery, backups and other data recovery functions;
- Blocking of the Windows firewall.
Previously, Phobos variants were distributed by SmokeLoader. This change to the ransomware has therefore taken industry experts by surprise.
A report published by Talos highlights that experts have long examined the encryption method adopted by the malicious agent.
It is a customization of AES-256 encryption that uses a random symmetric key for each encrypted file. This is another feature that helps make this variant even more fearsome.
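The 1.5 MB full/partial encryption split and the .8base extension give responders a simple triage check. The following is an added example, not code from the article or from Talos/VMware: it measures per-chunk entropy of suspect files to separate fully encrypted files from partially encrypted ones whose plaintext regions may still be recoverable. The chunk size, entropy cutoff and sample data are assumptions, not Phobos internals.

```python
import hashlib
import math
import sys
from collections import Counter
from pathlib import Path

# From the article: .8base extension, full encryption below 1.5 MB.
# Chunk size and entropy cutoff are assumptions for triage, not Phobos internals.
FULL_ENCRYPTION_LIMIT = int(1.5 * 1024 * 1024)
CHUNK_SIZE = 64 * 1024
ENCRYPTED_ENTROPY = 7.9          # bits/byte; AES ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Classify a file body as plaintext / partially / fully encrypted and
    list chunk offsets that still look like plaintext (recovery leads)."""
    offsets = range(0, len(data), CHUNK_SIZE)
    plaintext = [o for o in offsets
                 if shannon_entropy(data[o:o + CHUNK_SIZE]) < ENCRYPTED_ENTROPY]
    if data and not plaintext:
        verdict = "fully-encrypted"
    elif len(plaintext) == len(offsets):
        verdict = "plaintext"
    else:
        verdict = "partially-encrypted"
    expected = "fully-encrypted" if len(data) < FULL_ENCRYPTION_LIMIT else "partially-encrypted"
    return {"size": len(data), "verdict": verdict,
            "matches_article_pattern": verdict == expected,
            "plaintext_chunk_offsets": plaintext}


def scan_tree(root: Path) -> list:
    """Triage every *.8base file under root (read-only)."""
    return [(p, triage(p.read_bytes())) for p in root.rglob("*.8base") if p.is_file()]


def constructed_sample(size: int, encrypted_prefix: int) -> bytes:
    """Constructed test data: a SHA-256 chain stands in for ciphertext,
    followed by low-entropy text. Not real ransomware output."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(encrypted_prefix // 32 + 1))[:encrypted_prefix]
    return (blob + b"quarterly invoice line 0042\n" * (size // 28 + 1))[:size]


if __name__ == "__main__":
    for path, r in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(path, r["verdict"], "expected" if r["matches_article_pattern"] else "UNEXPECTED")
```

Files whose verdict does not match the article's size rule deserve a closer look, since they may come from a different tool or an interrupted run.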