This talk was presented at AVAR 2020.
The Phobos ransomware family was first spotted by security researchers in early 2019. Recently, FortiGuard Labs captured a sample in the wild: an MS Word document containing a malicious macro that spreads a new variant of Phobos.
I researched this MS Word sample thoroughly. In this talk, I presented:
1. How the malicious macro in the MS Word document executes to infect the victim's system;
2. How the real ransomware payload starts on the victim's system;
3. What techniques it uses to stay persistent on the victim's system;
4. How it enumerates and filters files on the victim's system and encrypts them;
5. What encryption algorithm this variant uses and how the encryption key is generated;
6. Finally, what the victim has to do to restore the encrypted files.