Ransomware Research
Phobos Ransomware
Phobos is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on January 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Phobos 2.0, Phobos NextGen, Phobos NotDharma.
Quick Facts
- Ransomware Family: Phobos
- First Seen: January 1, 2019
- Known Aliases: Phobos 2.0, Phobos NextGen, Phobos NotDharma
How Phobos Ransomware Works
Targeted Files
Reference: https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-id-idemailphobos-adame-help-support/
Template for encrypted filenames: .id[XXXXXXXX-2423].[jewkeswilmer@aol.com].deal ; .id[XXXXXXXX-2700].[squadhack@email.tg].Devos
Regex to match the appended extension: \.id\[\w{8}-\w{4}\]\.\[.+\]\.(\w+)
Sample (SHA-256): d3f410b2f9048af2f235a17e8a0d59c00cb8cdc9fa8b7ab9b90c6fcabc874826 - VB6 loader
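As an added example (not code from the Elastio page), the Python below applies the regex above with named groups to a file listing, reports the ID, contact address and appended extension of each renamed file, and counts hits per marker so a defender can alert on a burst of renames. The sample filenames are constructed; reading the bracketed 8-character field as a per-victim ID is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Regex from the page, with named groups so each field can be reported.
# Assumption: the 8-char field is a per-victim ID; the 4-char field is left unnamed
# beyond "suffix_id" because the page does not say what it encodes.
PHOBOS_SUFFIX = re.compile(
    r"\.id\[(?P<victim_id>\w{8})-(?P<suffix_id>\w{4})\]\.\[(?P<contact>.+)\]\.(?P<ext>\w+)$"
)

# Constructed sample listing: three names following the page's template plus
# two benign names that must not match.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id[1A2B3C4D-2423].[jewkeswilmer@aol.com].deal",
    r"C:\Users\alice\Documents\photo.jpg.id[1A2B3C4D-2423].[jewkeswilmer@aol.com].deal",
    r"D:\share\report.docx.id[9F8E7D6C-2700].[squadhack@email.tg].Devos",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]


def parse_phobos_name(path: str):
    """Return the fields of a Phobos-renamed file, or None if the name does not match."""
    # PureWindowsPath splits on backslashes even when this runs on a non-Windows host.
    name = PureWindowsPath(path).name
    m = PHOBOS_SUFFIX.search(name)
    if not m:
        return None
    info = m.groupdict()
    info["original_name"] = name[: m.start()]  # everything before ".id[" is the pre-encryption name
    return info


def scan_listing(paths, threshold: int = 2):
    """Summarise matches: total hits, victim IDs, hits per (contact, extension) marker, alert flag."""
    hits = [h for h in (parse_phobos_name(p) for p in paths) if h]
    by_marker = Counter((h["contact"], h["ext"]) for h in hits)
    return {
        "encrypted_files": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "markers": dict(by_marker),
        "alert": len(hits) >= threshold,
    }


if __name__ == "__main__":
    for marker, count in scan_listing(SAMPLE_LISTING)["markers"].items():
        print(f"{count} file(s) renamed with contact {marker[0]} and extension .{marker[1]}")
```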
File Encryption Patterns
Phobos modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
- .phobos
- .Frendi
- .phoenix
- .actor
- .mamba
- .actin
- .KARLOS
- .help
- .com
- .Acton
- .adage
- .blend
- .WALLET
- .acute
- .1500dollars
- .Acuna
- .Adame
- .banjo
- .BORISHORSE
- .Banta
- .BANKS
- .Adair
- .zax
- .HORSELIKER
- .barak
- .Barak
- .Caley
- .Caleb
- .deal
- .Cales
- .calix
- .elder
- .octopus
- .age
- .deuce
- .angus
- .Calum
- .Dever
- .Devon
- .devil
- .Devos
- .bablo
- .dewar
- .eight
- .revon
- .eject
- .iso
- .eking
- .isos
- .Acuff
- .ELDAOSLA
- .Antivirus
- .DLL
- .WIN
- .PERDAK
- .XIII
- .Drik
- .Elbie
- .LOWPRICE
- .MONETA
- .BOOM
- .Lookfornewitguy
- .PAYMENT
- .[MerlinWebster@aol.com].com
- .[DonovanTudor@aol.com].com
- .XHAMSTER
- .DIKE
Ransom Note and Payment Demands
After encrypting files, Phobos displays ransom notes demanding payment for file recovery:
- Data.hta (ransom message: notes/Data.hta)
- Encrypted.txt (ransom message: notes/Encrypted.txt)
- encrypted.txt (ransom message: notes/encrypted.txt)
- info.txt (ransom message: notes/info.txt); note locations: Desktop, RootDiscs
- info.hta (ransom message: notes/info.hta); note locations: Desktop, RootDiscs
Technical Indicators
Associated Executable Files
The following executable files are associated with Phobos ransomware:
About This Analysis
This Phobos ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Phobos.
Last updated: July 30, 2025