EKING Variant of Phobos Ransomware Detection

Today we would like to draw your attention to another Ransomware as a Service, which has been used for a long time in attacks against organizations and cybercriminals use different variants that have already received their own names. We are talking about the Phobos ransomware family, which is based on Dharma ransomware and was created less than two years ago. The EKING variant of Phobos ransomware appeared quite recently and was used in attacks targeted at government organizations.

Phobos typically spreads by compromising RDP, infiltrating an organization’s network, and infecting as many systems as possible to obtain a large ransom. However, many victims who paid cybercriminals for the decryptor never received it. Perhaps this is one of the reasons why the EKING variant of Phobos arose. There are several confirmed cases that adversaries spread it, including through phishing emails. A fresh analysis of this threat from FortiGuard Labs reveals how a malicious binary enters the system after a victim opens an MS Word document attached to a phishing email. The ransomware not only encrypts files on the infected machine, but it also targets new attached logical drives and network sharing resources. To speed up the encryption process, EKING creates two scan threads for each logical drive: one of them finds and encrypts files related to databases.

Emir Erdogan released a new community Sigma rule based on recent analysis to secure organizations against EKING ransomware attacks: https://tdm.socprime.com/tdm/info/zkCL41UwSIir/ilO4JnUBR-lx4sDx6-Q2/

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


Tactics: Impact, Execution

Techniques: Data Encrypted for Impact (T1486), User Execution (1204)


Ready to try out SOC Prime Threat Detection Marketplace? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the Threat Detection Marketplace community.