Understanding Space Bears and Lexus ransomware

Cybersecurity is a constantly evolving field, and ransomware threats continue to diversify. Among the most recent and worrying are Space Bears and Lexus, two variants that share common roots with the dreaded Phobos ransomware. These newcomers not only stand out for their ability to encrypt victims’ data, but also use other aggressive tactics to extort money. By familiarizing yourself with the tactics employed by Space Bears and Lexus, you can improve your digital defenses. Arming yourself with knowledge and adopting robust security practices is the key to staying one step ahead of these sophisticated threats.

The origins and evolution of Phobos ransomware

The emergence of Phobos

Phobos ransomware has been racking up victims around the world since May 2018. Recognized as a serious threat for several years, it has historically targeted mainly small and medium-sized businesses through exposed or poorly secured Remote Desktop Protocol (RDP) services. Cybercriminals exploit these weak points to infiltrate systems before encrypting files and demanding a ransom. A variant of the once-prevalent Dharma ransomware, Phobos is run as a ransomware-as-a-service (RaaS) operation: versions of the malware are licensed to separate affiliate teams, which extort victims and pass a share of the profits back to the RaaS operators.

Features and operation

Phobos stands out for its ability to encrypt not only local files but also files on network shares. On top of this, the ransomware disables the Windows firewall and deletes volume shadow copies to make it harder to recover data without paying the ransom. It ensures persistence on the infected system by copying itself into certain directories and registering under specific Run keys in the Windows registry. The Phobos code base is also reused by other ransomware operations such as 8Base, and new variants, or suspected variants, appear sporadically; it is fair to assume that this is the case for Space Bears and Lexus too. According to a Trend Micro report for the first quarter of 2024, published in May 2024, the 8Base ransomware “has been observed using version 2.9.1 of the Phobos ransomware. This version uses SmokeLoader for initial obfuscation of payload entry, unwrapping and loading.”

Ransomware families by number of machines per month for the first quarter of 2024, by file detection. Source: Trend Micro
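The behaviours described above (shadow copy deletion, firewall shutdown, Run-key persistence) are noisy on the endpoint and are the first thing a detection engineer should alert on. The following is an added example written for this article, not code from the page or from any vendor: a small rule set run over constructed process-creation records (in the shape of Sysmon Event ID 1 or Windows Security 4688 data). The command lines in the sample are the ones commonly documented for Phobos samples and are assumptions for the example; host names, paths and the `svchost.exe` drop location are invented.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records, not real telemetry. ws01 plays the infected host;
# ws02 and fs01 show benign administrative activity that the rules must not flag as ransomware.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Users\bob\AppData\Local\svchost.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Users\bob\AppData\Local\svchost.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "parent": r"C:\Users\bob\AppData\Local\svchost.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "parent": r"C:\Users\bob\AppData\Local\svchost.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"host": "ws01", "parent": r"C:\Users\bob\AppData\Local\svchost.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v Updater /t REG_SZ /d "C:\Users\bob\AppData\Local\svchost.exe" /f'},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "fs01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "fs01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# One rule per technique. Each regex is deliberately narrow: "vssadmin list shadows" or
# "netsh advfirewall show" are routine admin commands and must not match.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(mode=)?disable)", re.I)),
    ("run_key_persistence",
     re.compile(r'reg(\.exe)?\s+add\s+"?HK(LM|CU)\\Software\\Microsoft\\Windows'
                r'\\CurrentVersion\\Run', re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    cmdline: str


def match_event(event):
    """Return one Finding per rule whose regex matches the event's command line."""
    return [Finding(event["host"], name, event["cmdline"])
            for name, pattern in RULES if pattern.search(event["cmdline"])]


def scan(events):
    """Run every rule over every event and flatten the findings."""
    findings = []
    for event in events:
        findings.extend(match_event(event))
    return findings


def hosts_with_ransomware_pattern(events, min_distinct=2):
    """Hosts on which at least `min_distinct` different techniques fired.

    A single shadow-copy deletion may be an administrator cleaning up disk space;
    shadow deletion plus firewall shutdown plus a Run key on the same host, within the
    same investigation window, is the Phobos pattern and deserves an immediate response.
    """
    techniques_by_host = {}
    for finding in scan(events):
        techniques_by_host.setdefault(finding.host, set()).add(finding.technique)
    return sorted(host for host, techniques in techniques_by_host.items()
                  if len(techniques) >= min_distinct)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host:5} {finding.technique:25} {finding.cmdline}")
    print("hosts matching the ransomware pattern:", hosts_with_ransomware_pattern(SAMPLE_EVENTS))
```

In a real deployment the same regexes map directly onto Sysmon or EDR queries; the point of the two-stage logic is that the individual commands are legitimate tools, so the alert worth paging on is the combination, not any single line.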

Lexus ransomware anatomy

Identification and meaning of extensions

Lexus ransomware is a serious threat to the security of personal and business data. Recently discovered, this malware encrypts your files and demands a ransom to unlock them. Lexus belongs to the Phobos ransomware family, known for disabling firewalls and deleting shadow copies. When Lexus renames files, it appends a specific extension made up of the victim’s identifier, an e-mail address and the .Lexus suffix. This naming scheme lets the operators tell at a glance which victim a file belongs to and centralize ransom demands.

Screenshot of Lexus-encrypted files. Source: PCrisk
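During triage, the renamed files are the fastest source of facts: the victim ID and contact address embedded in every file name tell you whether one or several affiliates were involved and which files were touched. The parser below is an added example written for this article, not code from the page or from any recovery vendor; it assumes the Phobos-family layout `<original name>.id[<victim ID>].[<e-mail>].<extension>`, and the file names, IDs and addresses in the sample listing are constructed.

```python
import re
from collections import defaultdict

# Phobos-family naming scheme assumed for this example:
#   <original name>.id[<victim ID>].[<contact e-mail>].<family extension>
# In Phobos samples the victim ID is usually eight hex characters, a dash and a four-digit number;
# the pattern is kept permissive on purpose so that variants with a different ID shape still parse.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<ext>[^.]+)$"
)

# Constructed directory listing, not data from a real incident.
SAMPLE_LISTING = [
    "Q3-report.xlsx.id[A1B2C3D4-3312].[recover@example.test].Lexus",
    "photo.jpg.id[A1B2C3D4-3312].[recover@example.test].Lexus",
    "archive.tar.gz.id[A1B2C3D4-3312].[recover@example.test].Lexus",
    "info.txt",
    "old-backup.zip.id[FFFFFFFF-0001].[other@example.test].eight",
]


def parse_encrypted_name(filename):
    """Split an encrypted file name into its parts, or return None if it is not in the scheme."""
    match = PHOBOS_NAME.match(filename)
    return match.groupdict() if match else None


def triage(filenames, family_ext="Lexus"):
    """Summarize a listing: how many files the family hit, under which victim IDs and contact
    addresses, which files are untouched (candidates for the ransom note or clean data), and
    which carry another family's extension (a second intrusion or an older incident)."""
    summary = {"encrypted": 0, "victim_ids": defaultdict(int), "contacts": set(),
               "untouched": [], "other_families": []}
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            summary["untouched"].append(name)
        elif parsed["ext"].lower() != family_ext.lower():
            summary["other_families"].append(name)
        else:
            summary["encrypted"] += 1
            summary["victim_ids"][parsed["victim_id"]] += 1
            summary["contacts"].add(parsed["email"])
    summary["victim_ids"] = dict(summary["victim_ids"])
    return summary


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_encrypted_name(name))
    print(triage(SAMPLE_LISTING))
```

A listing that yields more than one victim ID or contact address is worth noting in the incident report: it usually means either two affiliates or two separate runs of the encryptor, which changes the negotiation and recovery picture.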

The ransom message

The ransom note left by Lexus tells victims that their data has been both encrypted and exfiltrated. It promises that the stolen data will be deleted after payment, but warns that if no response is received within two days, the data will be sold to interested parties.

Advice in the event of infection

We strongly advise against paying the ransom: the attackers may never provide the promised decryption tools, and even when they do, nothing stops them from keeping the stolen data. To guard against financial and data loss, keep backup copies of important files on a remote server or on a disconnected storage device. If your files have become inaccessible, you can often entrust them to companies specializing in encrypted data recovery, such as SOS Ransomware.

The Space Bears double extortion strategy

A recent arrival

Space Bears is a new name in the world of ransomware. In April 2024, S-RM’s Cyber Threat Intelligence team identified a new operator affiliated with the Phobos ransomware-as-a-service (RaaS) group, using a new leak site titled “Space Bears” to extort a victim in exchange for a ransom payment. The appearance of this site follows earlier sightings of Phobos operators using the 8Base leak site to publish victim data.

Space Bears attracted attention with a series of attacks in 2024, affecting at least seven victims in its first wave. Information on this organization is limited, but its approach already seems effective and intimidating. The group quickly gained notoriety for its corporate-themed data leak site and its alliances. Its alignment with Phobos demonstrates its capability and reach, suggesting a high level of organization and potentially significant financial backing, indicative of a well-coordinated international cybercriminal network.

Screenshot of a Dark Web Informer post on X announcing Space Bears attacks. Source: @DarkWebInformer

Double extortion: increased pressure on victims

The main technique used by Space Bears is double extortion: not only do they encrypt data, they also threaten to publish it if the ransom is not paid. Space Bears also maintains a “wall of shame” to publicly humiliate victims, adding further pressure and reputational risk and thus increasing the chances of getting paid.

Space Bears wall of shame. Source: RansomLook

Resist the temptation to negotiate

As with Lexus, it is advisable not to give in to ransom demands; paying may encourage further attacks. It is more important to strengthen your defenses against cyber threats than to finance these cybercriminals.

Common distribution mechanisms

Remote Desktop Protocol (RDP) vulnerability

RDP remains a prime target for ransomware operators such as Lexus and Space Bears, and initial access through exposed RDP is a hallmark of Phobos operations. Cybercriminals actively scan for Internet-facing RDP services, weak or reused credentials and missing multi-factor authentication in order to penetrate networks and deploy their attacks.

Malicious e-mails

Another classic but still effective vector is e-mail containing malicious links or attachments. Educating employees about the risks of suspicious e-mails remains crucial to preventing infection. Phishing remains a constant threat, and its messages are becoming increasingly elaborate and harder to detect, so stay alert.

Prevention and protection measures

The constant threat of data theft by ransomware means that organizations need to prioritize securing sensitive data to limit the business impact of an incident involving data loss. We recommend implementing the following measures to protect against the impact of data theft:

  • Maintain regular backups and keep copies of your essential files offline or on remote servers, and test that they restore. This will enable you to restore data without having to pay a ransom.
  • Encrypt sensitive data in transit and at rest so that it remains unreadable if it is intercepted or exfiltrated by a third party.
  • Reinforce RDP security: ensure that RDP access is protected by strict policies, including strong passwords, multi-factor authentication and Network Level Authentication, and avoid exposing RDP directly to the Internet. Regularly scan for and monitor RDP ports that may have been opened by accident or misconfiguration, and alert on bursts of failed logons.
  • Implement robust data governance policies. Companies are often unaware of the amount of obsolete data still sitting in their systems, such as files of former employees or old customers. Periodically deleting this data and applying a data retention policy already reduces part of the impact of data theft.
  • Install an EDR (Endpoint Detection and Response) agent on all systems. This enables suspicious or malicious activity to be detected and responded to quickly.
  • Provide ongoing training and awareness: investing in employee training on digital threats and good security practices can significantly reduce the risk of infection.
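Monitoring RDP is not only about closed ports: the precursor to a Phobos-style intrusion is typically a burst of failed remote logons from one address followed by a success. The detector below is an added example written for this article, not code from the page or from any product; it runs over constructed Windows Security log records (Event ID 4625 for failed logons, 4624 for successful ones, with LogonType 10 for RDP and 3 for the network logons that NLA-protected RDP also produces). The addresses, accounts and timestamps are invented, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log records, not real telemetry:
# (timestamp, EventID, LogonType, source IP, account).
# 4625 = failed logon, 4624 = successful logon. LogonType 10 is RemoteInteractive (RDP);
# with Network Level Authentication enabled, RDP attempts also appear as LogonType 3.
SAMPLE_LOGONS = [
    ("2024-05-02T01:00:05", 4625, 10, "203.0.113.45", "administrator"),
    ("2024-05-02T01:00:21", 4625, 10, "203.0.113.45", "admin"),
    ("2024-05-02T01:00:40", 4625, 10, "203.0.113.45", "backup"),
    ("2024-05-02T01:01:02", 4625, 3, "203.0.113.45", "scanner"),
    ("2024-05-02T01:01:30", 4625, 10, "203.0.113.45", "bob"),
    ("2024-05-02T01:02:11", 4625, 10, "203.0.113.45", "bob"),
    ("2024-05-02T01:02:55", 4624, 10, "203.0.113.45", "bob"),
    ("2024-05-02T08:15:00", 4625, 10, "198.51.100.7", "alice"),
    ("2024-05-02T08:15:09", 4625, 10, "198.51.100.7", "alice"),
    ("2024-05-02T08:15:20", 4624, 10, "198.51.100.7", "alice"),
    ("2024-05-02T09:00:00", 4624, 10, "10.0.0.12", "carol"),
]

RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (source_ip, alert_type, account) tuples, in time order.

    brute_force: at least `threshold` failed remote logons from one source inside `window`.
    success_after_failures: a successful remote logon from a source that already produced
    `threshold` or more failures inside `window`, i.e. a password guess that landed. This
    second alert is the one that should trigger containment, not just a ticket.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent failed logons
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, src, account in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        now = datetime.fromisoformat(ts)
        recent = failures[src]
        while recent and now - recent[0] > window:   # slide the window forward
            recent.popleft()
        if event_id == 4625:
            recent.append(now)
            if len(recent) >= threshold and (src, "brute_force") not in flagged:
                flagged.add((src, "brute_force"))
                alerts.append((src, "brute_force", None))
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append((src, "success_after_failures", account))
    return alerts


if __name__ == "__main__":
    for src, kind, account in detect_rdp_bruteforce(SAMPLE_LOGONS):
        print(f"{src:15} {kind:24} {account or ''}")
```

Two failed attempts followed by a success (alice mistyping her password) stay silent, which keeps the rule usable; the threshold should be set just above the retry noise you actually observe, and the source address should be compared against your VPN and jump-host ranges so that an RDP logon from an unexpected public address is itself an alert.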

In conclusion, although Lexus and Space Bears, and all the ransomware in the Phobos family, represent serious threats in the ransomware arena, proactive measures can help minimize the risks. Understanding attack paths and strengthening defenses remain the best strategies for protecting against these new forms of cybercrime.
