Ransomware Research
Phobos Ransomware
Phobos is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on January 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Phobos 2.0, Phobos NextGen, Phobos NotDharma.
Quick Facts
- Ransomware Family: Phobos
- First Seen: January 1, 2019
- Known Aliases: Phobos 2.0, Phobos NextGen, Phobos NotDharma
 
How Phobos Ransomware Works
File Encryption Patterns
Phobos modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
Ransom Note and Payment Demands
After encrypting files, Phobos displays ransom notes demanding payment for file recovery:
- Data.hta
 - Ransom message: notes/Data.hta
- Encrypted.txt
 - Ransom message: notes/Encrypted.txt
- encrypted.txt
 - Ransom message: notes/encrypted.txt
- info.txt
 - Ransom message: notes/info.txt
 - Note locations: Desktop, Root, Discs
- info.hta
 - Ransom message: notes/info.hta
 - Note locations: Desktop, Root, Discs
Technical Indicators
Associated Executable Files
The following executable files are associated with Phobos ransomware:
About This Analysis
This Phobos ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Phobos.
Last updated: October 30, 2025