A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, making it appear that the group is behind attacks using the encryptor.

Phobos launched in 2018 in what is believed to be a ransomware-as-a-service (RaaS) operation derived from the Crysis ransomware family. As part of this operation, a group of threat actors manages the development of the ransomware and holds the master decryption key, while other threat actors act as affiliates who breach networks and encrypt devices.

While Phobos has been around for a long time, it never evolved into an "elite" operation known for conducting massive attacks and demanding millions of dollars. That does not mean it is not a large operation: it sees wide distribution through many affiliated threat actors and accounted for 4% of all submissions to the ID Ransomware service in 2023.

Framing VX

Today, ransomware hunter PCrisk found a new variant of the Phobos ransomware that attempts to frame the VX-Underground community. The variant drops two ransom notes.

The first is a text ransom note named 'Buy Black Mass Volume II.txt,' which pokes fun at VX by saying that the decryption password is not "Infected," the password used on all VX malware archives.

The second is an HTA file named 'Buy Black Mass Volume II.hta,' the standard Phobos ransom note customized to use the VX-Underground logo, name, and contact info.

Such monitoring of ransomware operations by researchers has led to similar taunts being added to malware and ransomware in the past. While that was good-natured taunting of those involved in ransomware monitoring and research, other examples took a darker turn.

In 2016, the developer of the Apocalypse ransomware began embedding abusive comments about ransomware expert Fabian Wosar in its 'Fabiansomware' encryptors out of frustration that Wosar kept finding weaknesses in the encryption.

In 2020, a developer for the Maze ransomware created a data wiper/MBR locker named after the late security researcher Vitali Kremez and SentinelOne.
The Maze developer told BleepingComputer, when they released the decryption keys, that they distributed the wiper to annoy Kremez, who had been posting negative tweets about the ransomware operation.

More recently, the ransomware known as 'Azov Ransomware' was heavily distributed worldwide through pirated software, key generators, and adware bundles. This ransomware claimed to have been created by myself, BleepingComputer, hasherezade, MalwareHunterTeam, Michael Gillespie, and Vitali Kremez, telling victims to contact us for a decryption key.
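The two ransom note filenames above are the only host artifacts the article gives for this variant, and they are the kind of indicator a responder would sweep a file share or a mounted disk image for. The following is an added example, not code from the article or from PCrisk: it walks a directory tree for both note names and groups the hits by directory, since ransomware typically drops a copy of its note in every directory it encrypts, so the directory count approximates blast radius. The directory tree it scans is constructed inside the script for demonstration; the note names come from the article, and the `.hta` flag is there because HTA notes are rendered by mshta.exe, which can run script, so they are worth isolating rather than opening.

```python
"""Hunt for the ransom notes dropped by the VX-Underground-themed Phobos variant.

Added example (not code from the BleepingComputer article). The note names
are the ones the article reports; the directory tree is constructed here.
"""
import os
import tempfile
from pathlib import Path

# Ransom note filenames reported for the VX-Underground-themed Phobos variant.
PHOBOS_VX_NOTES = {"Buy Black Mass Volume II.txt", "Buy Black Mass Volume II.hta"}


def find_ransom_notes(root, note_names=PHOBOS_VX_NOTES):
    """Walk `root` and return every path whose filename matches a known note.

    Matching is case-insensitive because NTFS is. Results are POSIX-style
    paths relative to `root`, sorted for stable output.
    """
    wanted = {n.lower() for n in note_names}
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in wanted:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def summarize(hits):
    """Group hits by directory and flag whether an HTA (script-capable) note is present."""
    by_dir = {}
    for h in hits:
        d = os.path.dirname(h) or "."
        by_dir.setdefault(d, []).append(os.path.basename(h))
    return {
        "note_count": len(hits),
        "directories": sorted(by_dir),
        "hta_present": any(h.lower().endswith(".hta") for h in hits),
    }


def build_sample_tree(base):
    """Construct a demo tree (not a real victim): both notes in two user
    directories, plus an unrelated .txt that must not match."""
    base = Path(base)
    for d in ("Users/alice/Documents", "Users/alice/Pictures", "Windows/Temp"):
        (base / d).mkdir(parents=True, exist_ok=True)
    for d in ("Users/alice/Documents", "Users/alice/Pictures"):
        (base / d / "Buy Black Mass Volume II.txt").write_text("note", encoding="utf-8")
        (base / d / "Buy Black Mass Volume II.hta").write_text("<html></html>", encoding="utf-8")
    (base / "Windows/Temp" / "readme.txt").write_text("unrelated", encoding="utf-8")
    return base


def demo():
    """Build the constructed tree in a temp dir, sweep it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(find_ransom_notes(build_sample_tree(tmp)))


if __name__ == "__main__":
    print(demo())
```

To use it on a real mount, call `find_ransom_notes("/mnt/evidence")` against a read-only image rather than the live host, and extend `PHOBOS_VX_NOTES` with any other note names your own telemetry confirms; the sweep deliberately matches on filename only, because the article does not give hashes or note contents to match on.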
Published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000