Security Articles

Deep Analysis - The EKING Variant of Phobos Ransomware

released on 2020-10-13 @ 08:22:39 PM
The Phobos ransomware family is fairly recent, having first been spotted by security researchers in early 2019. Since then, it has continued to push out new variants that not only evolve its attack methods but also frequently change the extension name used for encrypted files compared with past variants. In its short history, its victims have often complained that they were cheated by the attacker behind Phobos, who did not restore their files. Two weeks ago, FortiGuard Labs captured a new threat sample from the wild. It was a Microsoft Word document with a malicious macro designed to spread the EKING variant of Phobos. I ran a deep analysis on this sample, and in this post I will show how this variant infects a victim’s system and how it scans and encrypts files using an AES algorithm on the victim’s device as well as on shared network folders.