VX-Underground malware collective framed by Phobos ransomware



A new Phobos ransomware variant frames the well-known VX-Underground malware-sharing collective, suggesting the group is behind attacks using the encryptor.

Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the Crysis ransomware family. As part of this operation, a group of threat actors manages the development of the ransomware and holds the master decryption key, while other threat actors act as affiliates to breach networks and encrypt devices.

While Phobos has been around for a long time, it never evolved into an "elite" operation known for conducting massive attacks and demanding millions of dollars.

However, that does not mean it is not a big operation, as it sees wide distribution through many affiliated threat actors and accounts for 4% of all submissions to the ID Ransomware service in 2023.

Phobos submissions to ID Ransomware over the past month
Source: ID Ransomware

Framing VX

Today, ransomware hunter PCrisk found a new variant of the Phobos ransomware that attempts to frame the VX-Underground community.

When encrypting files, the malware will append the .id[unique_id].[staff@vx-underground.org].VXUG string, with the email being VX-Underground's well-known address and the final extension 'VXUG' standing for VX-Underground.

Files encrypted by the "VX-Underground" variant of Phobos
Source: BleepingComputer

When finished, Phobos will create two ransom notes on the Windows Desktop and elsewhere.

The first is a text ransom note named 'Buy Black Mass Volume II.txt,' which pokes some fun at VX by saying that the decryption password is not "infected," the password used on all VX malware archives.

"!!! All of your files are encrypted !!!
To decrypt them send e-mail to this address: staff@vx-underground.org.
If we don't answer in 48h., send message to this twitter: @vxunderground
and no the decryption password is not "infected""

Text ransom note
Source: BleepingComputer

The second is an HTA file named 'Buy Black Mass Volume II.hta,' the typical Phobos ransom note customized to promote the VX-Underground logo, name, and contact info. Black Mass are books written by VX-Underground and sold on Amazon.

HTA ransom note claiming to be from VX-Underground
Source: BleepingComputer
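For responders triaging a share or host, the appended suffix and the two note names described above are the quickest way to recognise this variant. The following is an added example, not code from the article or from PCrisk, that parses the Phobos-style suffix `.id[<id>].[<email>].<ext>` and sorts a constructed directory listing into encrypted files, ransom notes, and untouched files; the victim-id pattern is left deliberately loose, which is an assumption, since the page only shows it as a placeholder.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Phobos-style appended suffix: .id[<victim id>].[<contact email>].<extension>
# The victim-id part is matched loosely on purpose (assumption: the page only
# shows it as a placeholder, so no specific shape is enforced here).
PHOBOS_SUFFIX = re.compile(
    r"\.id\[(?P<victim_id>[^\]]+)\]"      # .id[<victim id>]
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"  # .[<contact email>]
    r"\.(?P<ext>[A-Za-z0-9]+)$"           # .<extension>, at end of name
)

# Values reported for the VX-Underground-themed variant in the article.
VXUG_EXTENSION = "VXUG"
VXUG_CONTACT = "staff@vx-underground.org"
VXUG_NOTE_NAMES = {"Buy Black Mass Volume II.txt", "Buy Black Mass Volume II.hta"}

class PhobosHit(NamedTuple):
    original_name: str   # filename before the suffix was appended
    victim_id: str
    email: str
    ext: str

def parse_phobos_name(filename: str) -> Optional[PhobosHit]:
    """Return the parsed suffix if the name looks Phobos-encrypted, else None."""
    m = PHOBOS_SUFFIX.search(filename)
    if not m:
        return None
    return PhobosHit(filename[: m.start()], m["victim_id"], m["email"], m["ext"])

def is_vxug_variant(hit: PhobosHit) -> bool:
    """True only for the VX-Underground-themed extension and contact address."""
    return hit.ext == VXUG_EXTENSION and hit.email.lower() == VXUG_CONTACT

def triage(listing: List[str]) -> Tuple[List[PhobosHit], List[str], List[str]]:
    """Split a listing into (encrypted file hits, ransom notes, other files)."""
    encrypted, notes, other = [], [], []
    for name in listing:
        if name in VXUG_NOTE_NAMES:
            notes.append(name)
            continue
        hit = parse_phobos_name(name)
        (encrypted.append(hit) if hit else other.append(name))
    return encrypted, notes, other

# Constructed sample listing for demonstration; not real victim data.
SAMPLE_LISTING = [
    "budget.xlsx.id[0123ABCD-1234].[staff@vx-underground.org].VXUG",
    "photo.jpg.id[0123ABCD-1234].[staff@vx-underground.org].VXUG",
    "Buy Black Mass Volume II.txt",
    "Buy Black Mass Volume II.hta",
    "notes.txt",
]
```

Running `triage(SAMPLE_LISTING)` yields two hits with the original names `budget.xlsx` and `photo.jpg`, both ransom notes, and `notes.txt` as the only untouched file.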

Watching the watchers

Like security researchers, threat actors are involved in the online infosec and cybersecurity communities, actively participating in discussions or quietly watching from the sidelines. This monitoring, though, has led to similar taunts being added to malware and ransomware in the past.

For example, when REvil's precursor, GandCrab, was released, the threat actors named their command and control servers after BleepingComputer, Emsisoft, ESET, and NoMoreRansom.

While that was passive trolling of those involved in ransomware monitoring and research, other examples took a darker turn.

In 2016, the developer of the Apocalypse ransomware began embedding insulting comments about ransomware expert Fabian Wosar in its 'Fabiansomware' encryptors out of frustration that Wosar kept finding weaknesses in the encryption.

In 2020, a developer for the Maze ransomware created a data wiper/MBR locker named after the late security researcher Vitali Kremez and Sentinel One.

The Maze developer told BleepingComputer, when they released the decryption keys, that they distributed the wiper to annoy Kremez, who had been posting negative tweets about the ransomware operation.

More recently, ransomware known as 'Azov Ransomware' was heavily distributed through pirated software, key generators, and adware bundles worldwide.

This ransomware claimed to have been created by myself, BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, and Vitali Kremez, telling victims to contact us for a decryption key.

For those who interact with malware developers, you always run the risk of being included in one of their projects.

While the trolling is mostly good-natured, in some cases, like we saw with Azov and the Kremez wiper, it can get a bit nasty.