Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software

New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World (zdnet.com) 30

An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware.

Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.

This discussion has been archived. No new comments can be posted.

New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World

Comments Filter:
  • by account_deleted ( 4530225 ) on Monday January 21, 2019 @08:14PM (#57999420)
    Comment removed based on user account deletion
  • by ctilsie242 ( 4841247 ) on Monday January 21, 2019 @08:40PM (#57999508)

    With all these ransomware products coming out, I've wondered why backup utilities have not evolved much. The ideal backup utility would be one that is "pull" based, where the client machine has zero access to the backup data. The closest would be something like CrashPlan or Mozy that doesn't allow access to the client, and the next closest would be something like Borg Backup backing up to a server in append only mode.

    Unlike most IT disasters where backing up to a file share or a S3 bucket is good enough, ransomware means that you have to ensure the client can only append data.

    • by raymorris ( 2726007 ) on Monday January 21, 2019 @08:53PM (#57999552) Journal

      Yeah ransomware will encrypt any file shares it can, so push backups are no good. Actual live bad guys also shouldn't have write access to your backups, so pull it is.

      Also, I don't want to rely on the box to back itself up because that requires assuming that all of the machines getting backed up are always working correctly. If we're going to assume the computers never have problems, we wouldn't need to back them up in the first place. I prefer the backup system runs on one dedicated system. Additionally that has other benefits, like you don't have 100 machines all trying to push their backups all at once. The backup machine can pull them a few a time, getting each one done more quickly. At least that's how I wrote Clonebox.

      Unfortunately for people concerned with Windows ransomware, Clonebox was/is another pull option for *Linux*. There are a few good options I know of, but they are all for Linux/ BSD. That'll work if your Windows is a VM running on a *nix platform. Theoretically the systems made for *nix would work for backing up files from Windows using Windows Subsystem for Linux. The backups probably wouldn't be bootable like they are for Linux, you'd have to restore the files after a fresh install of Windows. That's a reasonable approach, though. About 10 years behind what you can do with Linux, but 10 years behind is about average for Windows when it comes to system capabilities (as opposed to applications).

      • I use BackupPC running on a FreeBSD box with ZFS for all my backup needs. Each client gets rsync setup as a service and gets backed up daily. I use cygwin for Windows clients but the configuration is pretty standard from client to client.

        I have a separate FreeBSD box for off-site backups and stream ZFS snapshots from the BackupPC machine weekly. The whole setup has a few manual steps but that keeps me connected to the process and more likely to catch any problems before they get out of control.

    • by Bongo ( 13261 )

      Yes I was glad my little solution in the department was to have backup machines do rsync over ssh to pull data off the clients. And for storage put it in ZFS.

    • by Anonymous Coward

      On Unix-based OSes, this is how things have been done for decades.

      $ sudo rdiff-backup --exclude-special-files root@remote:/ /Backups/remote

      This will use an ssh connection to the remote system, connecting as root (need to allow that, but only from the backup server), and "pull" the backups to the backup server. Make "remote" into a variable, add a loop, and you are backing up 20 systems overnight. After the first time, backups generally take 3-6 minutes for each system, depending on changed data amounts

      • Technically, UNIX people have been using dump and tar for backups. rdiff-backup is an exception, and there are other utilities like Borg Backup which, when combined with a basic server setup, can ensure that the client can only append. rdiff-backup's downside is that one can erase everything in /Backups/remote.

        We are talking ransomware. In the past, dumping to a NFS volume, zfs send, or chucking data to a server via SSH was good enough. Now, we have to have a barrier in place to prevent clients from ove

    • Just revert the NAS to the most recent unenciphered snapshot?
  • ...or, once again, and I lost the count, does it hit "Windows targets"?

  • "In its alert, the FBI mentions that the number of computers with an RDP connection left accessible on the Internet has gone up since mid and late 2016." Good grief. Imagine how much worse it would be if we didn't have ransomware authors acting as our chaos monkey.
    • That's sort of boggling. If I'm thinking about this correctly, it means that there are people out there who know enough to forward a port or two, but who don't know enough to know that's a bad idea. Wow.
      • by tlhIngan ( 30335 )

        That's sort of boggling. If I'm thinking about this correctly, it means that there are people out there who know enough to forward a port or two, but who don't know enough to know that's a bad idea. Wow.

        No, it's not amazing or boggling. I can show a clueless newbie how to do something involving ssh if I wanted - all that matters is what the newbie gets out of it. If i tell them it's a way to get unlimited movies and music for free, they'd probably follow my instructions and I can get them to set up ssh-serv

Time is the most valuable thing a man can spend. -- Theophrastus

Working...