Ransomware, Malware

New Phobos ransomware variant impersonates VX-Underground malware-sharing group

Ransomware attack

VX-Underground, a group that maintains an open-source library of malware code and research, says it is being framed by a new ransomware variant bearing its name.

The group shared a screenshot Monday on X, formerly known as Twitter, showing a ransomware popup directing victims to contact VX-Underground’s email or account on X to decrypt their files. PCrisk researchers, who first discovered the “Vx-underground” ransomware, identified it as a variant of the Phobos ransomware family.

“1. We are not Threat Actors,” VX-Underground tweeted in response to the impersonation. “2. It is insulting that you’d think we’d stoop so low as to use Phobos. Really? Phobos? Why would anyone use that hunk-of-junk?”

PCrisk’s initial report on the ransomware also states there is no connection between the Phobos variant and the VX-Underground group. The ransomware also uses the VX-Underground logo, the file extension “.VXUG” and a reference to “infected” — the password for the group’s malware repository — in its attempt to strengthen its association to the group.

VX-Underground responds to impersonation attempt

VX-Underground told SC Media it doesn’t plan to take any action in response to the attempted framing other than to spread awareness.

“We won’t do anything,” the group said via its X account. “We don’t personally believe anything serious will come from it because they would be losing money if they invested significant time, energy and money to do a large scale ransomware campaign. They wouldn’t be paid, it would just make us look like jerks.”

The PCrisk report confirms that the ransomware does not include any means to pay the variant’s actual creator, only including contact information for the legitimate VX-Underground group.

PCrisk founder Tomas Meskauskas, who authored the report, suggested the version his researchers discovered may have been released for testing purposes ahead of a future campaign.

VX-Underground said it does not know who the author of the variant bearing its name is, and did not confirm to SC Media whether it has received any correspondence from potential victims.

“Phobos is an old ransomware variant, it isn’t a large RaaS like Lockbit or ALPHV, Phobos is more designed to target home users,” the group explained. “The builder has been leaked dozens of times.”  

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds