Impact: Encrypts Victims' Files for Ransom

The Phobos ransomware family is fairly recent, having first been spotted by security researchers in early 2019. Since then, it has continued to push out new variants that not only evolve its attack methods but also frequently change the extension appended to encrypted files compared with past variants. In its short history, its victims have often complained that the Phobos attackers cheated them by not restoring their files after payment.

Two weeks ago, FortiGuard Labs captured a new threat sample from the wild. It was a Microsoft Word document with a malicious Macro designed to spread the EKING variant of Phobos. I ran a deep analysis on this sample, and in this analysis post I will show how this variant infects the victim's system and how it scans and encrypts files using an AES algorithm, both on the victim's device and on shared network folders. Later, in December 2020, I also presented my findings on this Phobos variant (under the title "Pay or Lose Your Critical Data - Deep Analysis of A Variant of Phobos Ransomware") at AVAR 2020 Virtual.

Opening the Captured Sample in MS Office Word

After opening the Word document, it displays a warning that directs the victim to click the "Enable Content" button on the yellow bar to enable Macros, as shown in Figure 1.1.
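The lure above relies on the document carrying an embedded VBA project that only runs once the victim clicks "Enable Content". As an added triage example (not code from the original post or from FortiGuard Labs), the following Python inspects an OOXML Word file for the three structural signs of embedded macros: the `word/vbaProject.bin` part, the macro-enabled content type, and a relationship pointing at the VBA project. The sample documents are constructed in memory with placeholder bytes, not real captures; legacy OLE `.doc` files are out of scope here.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def macro_indicators(data: bytes) -> dict:
    """Report macro indicators for an OOXML Word document given as bytes.

    Non-zip input (e.g. a legacy OLE/CFB .doc) is reported as not OOXML and
    gets no further checks; all three macro flags stay False in that case.
    """
    result = {"ooxml": False, "vba_part": False, "macro_ct": False, "vba_rel": False}
    if not data.startswith(b"PK\x03\x04"):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["ooxml"] = True
        result["vba_part"] = "word/vbaProject.bin" in names
        if "[Content_Types].xml" in names:
            result["macro_ct"] = MACRO_ENABLED_CT.encode() in zf.read("[Content_Types].xml")
        if "word/_rels/document.xml.rels" in names:
            result["vba_rel"] = b"vbaProject.bin" in zf.read("word/_rels/document.xml.rels")
    return result


def has_macros(data: bytes) -> bool:
    """True if any single macro indicator is present (one is enough to warrant a look)."""
    ind = macro_indicators(data)
    return ind["vba_part"] or ind["macro_ct"] or ind["vba_rel"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word document in memory (constructed test data)."""
    ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOCX_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if with_macro:
            rels += '<Relationship Target="vbaProject.bin"/>'
            # Placeholder bytes standing in for a VBA project; not a real macro.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
        zf.writestr("word/_rels/document.xml.rels", rels + "</Relationships>")
    return buf.getvalue()
```

Run `macro_indicators()` on captured files during triage: a document that is macro-enabled by content type but lacks `vbaProject.bin` (or the reverse) is itself worth noting, since legitimate Word output keeps the three in step.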