An attempt to brute force the Phobos family ransomware

  • 24 February 2023
  • 4 replies

  • Anonymous

Researchers from the Polish CERT team published this fascinating blog on their attempts to narrow the search space and brute force Phobos ransomware using GPUs for parallel processing:

https://cert.pl/en/posts/2023/02/breaking-phobos/

Discussion from Hacker News: https://news.ycombinator.com/item?id=34923842

My favorite part is their estimate of how a network the size of Bitcoin could make short work of the search space:

2**67 sha256 invocations is still a lot, but it's getting manageable. For example, this is coincidentally almost exactly the current BTC hash rate. This means, if the whole BTC network was repurposed to decrypting Phobos victims instead of pointlessly burning electricity, it would decrypt one victim per second.

4 replies

Attempting to brute force the Phobos family ransomware would be a violation of the law and would likely be unsuccessful. Ransomware attacks are typically designed with strong encryption algorithms that are virtually impossible to crack through brute force.

The best course of action if you are a victim of ransomware is to seek the assistance of a reputable cybersecurity expert or company who can help you to recover your data and restore your system. It is also important to take steps to prevent future attacks, such as regularly backing up your data, updating your software and security systems, and being cautious when opening email attachments or clicking on suspicious links.

That’s a good point, that you always have to keep in mind your local laws around computer security. There have been many people who’ve gotten in trouble when doing white hat hacking. At least in the US they try not to go after people with good intentions who accidentally do something wrong:

https://www.zdnet.com/article/us-justice-department-says-it-wont-prosecute-white-hat-hackers-under-the-cfaa/

Agreed on all your points about the best course of action, and to have good backups and ransomware insurance. The blog post on Phobos was just an interesting attempt to see whether brute force would be a feasible approach. There’s probably a good number of ransomware folks who don’t implement their encryption properly so there might be back doors allowing you to find a way to unencrypt your data without paying your ransom. Here’s a list of some of the ones that have been broken or circumvented:

https://www.avast.com/en-us/ransomware-decryption-tools#mac

Although the encryption key is often created randomly and is made to be resistant to brute force attacks, trying to brute force the encryption key utilised by Phobos ransomware is a challenging and time-consuming task. However, the majority of ransomware families, including Phobos, employ robust encryption techniques like AES or RSA, which are thought to be quite secure when used properly.
Unfortunately, trying to brute force an encryption key is a time- and resource-intensive effort that is typically not a feasible option for most people or organizations.

https://heimdalsecurity.com/blog/phobos-ransomware/

It is essential to focus on implementing appropriate security measures to protect against ransomware and other cyber threats, such as regularly backing up data, using strong passwords and multi-factor authentication, and keeping software and systems up-to-date with security patches. If you suspect that your computer or network has been infected with ransomware or other malware, you should immediately contact a qualified cybersecurity professional or law enforcement agency for assistance.
