VX-Underground malware collective framed by Phobos ransomware

Trending 2 weeks ago
  1. Home
  2. Technology
  3. VX-Underground malware collective framed by Phobos ransomware

VX-Underground

A new Phobos ransomware alternative frames the accepted VX-Underground malware-sharing collective, advertence the accumulation is abaft attacks application the encryptor.

Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the Crysis ransomware family. As allotment of this operation, a accumulation of blackmail actors administer the development of the ransomware and authority the adept decryption key, while added blackmail actors act as affiliates to aperture networks and encrypt devices.

While Phobos has been about for a continued time, it never acquired into an "elite" operation accepted for administering massive attacks and ambitious millions of dollars.

However, that does not beggarly it is not a big operation, as it sees advanced administration through abounding affiliated blackmail actors and accounts for 4% of all submissions to the ID Ransomware account in 2023.

Phobos submissions to ID Ransomware over the accomplished monthPhobos submissions to ID Ransomware over the accomplished month
Source: ID Ransomware

Framing VX

Today, ransomware hunter PCrisk found a new alternative of the Phobos ransomware that attempts to frame the VX-Underground community.

When encrypting files, the malware will adjoin the .id[[unique_id].[staff@vx-underground.org].VXUG string, with the email actuality accepted and the final addendum 'VXUG,' continuing for VX-Underground.

Files encrypted by the "VX-Underground" alternative of PhobosFiles encrypted by the "VX-Underground" alternative of Phobos
Source: BleepingComputer

When finished, Phobos will actualize two bribe addendum on the Windows Desktop and elsewhere. 

The aboriginal is a argument bribe agenda called 'Buy Black Mass Volume II.txt,' which pokes some fun at VX by adage that the decryption countersign is not "infected," the countersign acclimated on all VX malware archives.

"!!! All of your files are encrypted !!!
To break them accelerate e-mail to this address: staff@vx-underground.org.
If we don't acknowledgment in 48h., accelerate bulletin to this twitter: @vxunderground
and no the decryption countersign is not "infected""

Text bribe noteText bribe note
Source: BleepingComputer

The additional is an HTA book called 'Buy Black Mass Volume II.hta,' your accepted Phobos bribe agenda customized to advance the VX-Underground logo, name, and acquaintance info. Black Mass are books accounting by the VX-Underground and awash on Amazon.

HTA bribe agenda claiming to be from VX-UndergroundHTA bribe agenda claiming to be from VX-Underground
Source: BleepingComputer

Watching the watchers

Like aegis researchers, blackmail actors are complex in the online infosec and cybersecurity communities, actively accommodating in discussions or agilely watching from the sidelines. This monitoring, though, has led to agnate taunts actuality added to malware and ransomware in the past.

For example, back REvil's precursor, GandCrab, was released, the blackmail actors called their command and ascendancy servers afterwards BleepingComputer, Emsisoft, ESET, and NoMoreRansom.

While that was a acquiescent cheeky of those complex in ransomware ecology and research, added examples took a darker turn.

In 2016, the developer of the Apocalypse ransomware began embedding calumniating comments about ransomware able Fabian Wosar in its 'Fabiansomware' encryptors out of annoyance that Wosar kept award weaknesses in the encryption.

In 2020, a developer for the Maze ransomware created a abstracts wiper/MBR Locker called afterwards the backward aegis researcher Vitali Kremez and Sentinel One.

The Maze developer told BleepingComputer back they released the decryption keys that they broadcast the wiper to abrade Kremez, who has been announcement abrogating tweets about the ransomware operation.

More recently, ransomware accepted as 'Azov Ransomware" was heavily broadcast through pirated software, key generators, and adware bundles worldwide.

This ransomware claimed to accept been created by myself, BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, and Vitali Kremez, cogent victims to acquaintance us for a decryption key.

For those who collaborate with malware developers, you consistently run the accident of actuality included in one of their projects.

While the cheeky is mostly good-natured, in some cases, like we saw with Azov and the Kremez Wiper, it can get a bit nasty.

Related Article

Russian military hackers target NATO fast reaction corps

Russian military hackers target NATO fast reaction corps

7 hours ago
23andMe updates user agreement to prevent data breach lawsuits

23andMe updates user agreement to prevent data breach lawsuits

9 hours ago
Windows 11 Notepad gets a built-in character counter, finally

Windows 11 Notepad gets a built-in character counter, finally

9 hours ago
WordPress fixes POP chain exposing websites to RCE attacks

WordPress fixes POP chain exposing websites to RCE attacks

9 hours ago
Russian pleads guilty to running crypto-exchange used by ransomware gangs

Russian pleads guilty to running crypto-exchange used by ransomware gangs

12 hours ago
UK and allies expose Russian FSB hacking group, sanction members

UK and allies expose Russian FSB hacking group, sanction members

13 hours ago

Trending

1. Brenda Lee
2. Pelicans
3. Alan Wake 2
4. Zappe
5. Hallmark
6. Copa America 2024
7. Steelers
8. Najee Harris
9. Bucks
10. Benny Blanco

Popular Article

Dell XPS 15 is still at its Black Friday and Cyber Monday price

Dell XPS 15 is still at its Black Friday and Cyber Monday price

19 hours ago
Belgian man charged with smuggling sanctioned military tech to Russia and China

Belgian man charged with smuggling sanctioned military tech to Russia and China

22 hours ago
Microsoft's code name for 64-bit Windows was also a dig at rival Sun

Microsoft's code name for 64-bit Windows was also a dig at rival Sun

20 hours ago
Accelerating software delivery while keeping a close check

Accelerating software delivery while keeping a close check

20 hours ago
GitLab admits IT ineptitude in finance reporting is ongoing

GitLab admits IT ineptitude in finance reporting is ongoing

18 hours ago
3 best DC movies to watch on Netflix in December

3 best DC movies to watch on Netflix in December

15 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.