Operator of new Phobos variant gives blunt response during negotiation


The SonicWall Capture Labs threat research team have observed a new variant from the Phobos ransomware family.  Like Sodinokibi, Phobos is sold on the criminal underground using the ransomware-as-a-service (RaaS) model.  It is spread using various infection methods such as vulnerable Remote Desktop connections and spam email attachments. In the past we have seen Phobos primarily targeting businesses.  However, recently we have also seen several reports of individuals being hit with this malware.  During our analysis of this malware we negotiate ransom payment with the operator.


Infection cycle:


Upon infection, the following files are dropped onto the system:

  • %APPDATA%\roaming\microsoft\windows\start menu\programs\startup\db_exec.exe [Detected as: GAV: Phobos.RSM_12 (Trojan)]
  • {malware run location}\TempWmicBatchFile.bat
  • {desktop}\info.hta
  • {desktop}\info.txt


Files on the system are encrypted and given the following extension:

  • id[94458690-2589].[helpisos@aol.com].isos


TempWmicBatchFile.bat contains the following script which, when executed, disables system recovery features:

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet


info.hta contains the ransom message and is displayed multiple times on the desktop:


info.txt also contains the ransom message:




We attempted to reach out to helpisos@aol.com as instructed in the ransom note but were notified by the email server that the address “couldn’t be found, or is unable to receive mail“.  We proceeded to contact @iso_recovery on Telegram and had the following conversation with the operator:


Nowadays, ransom fees for individuals are negotiable.  We tried our luck to see how much of a discount is available:


We attempted to push further and enlighten the operator about our “dire financial situation” but received the following blunt response:




SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM_12 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.