Phobos Ransomware actively spreading in the wild

April 19, 2019

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Phobos ransomware [Phobos.RSM] actively spreading in the wild.

The Phobos ransomware encrypts the victim's files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the Phobos ransomware

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ info.hta
    • %Userprofile\Desktop %\ info.txt
      • Instruction for recovery
    • %App.path%\ [File Name]. Phobos

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [.Phobos]  extension onto each encrypted file's filename.

After encrypting all personal documents, the ransomware shows the following htm file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.