Ebaka Ransomware is Based On Phobos Code


During the examination of recent malware samples, our research team came across the Ebaka ransomware, a member of the Phobos ransomware family. Ebaka is designed to encrypt files and demand payment in exchange for their decryption.

On our test system, this malicious software encrypted files and renamed them. The original filenames were extended with a distinctive ID assigned to the victim, the email address of the cybercriminals, and a ".ebaka" extension. For instance, a file originally named "1.jpg" was transformed into "1.jpg.id[1E857D00-3323].[datadownloader@proton.me].ebaka".

Upon completing this process, Ebaka generated ransom notes and placed them on the desktop and in every directory containing encrypted files. One note appeared as a pop-up window ("info.hta"), while the other was a text file ("info.txt"). The text file tells the victim that their files have been encrypted and urges them to contact the attackers for decryption.
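The renaming scheme and ransom note names described above can be turned into a simple triage check for incident responders. The following is an added example, not code from the article or from any vendor tool; the regex is derived from the article's sample filename, the sample paths are constructed, and the ransom note names are the two the article reports.

```python
import re
from collections import Counter

# Added example, not from the article. Pattern taken from the article's sample:
# "1.jpg.id[1E857D00-3323].[datadownloader@proton.me].ebaka"
# i.e. <original name>.id[<8 hex>-<4 hex>].[<contact email>].<extension>
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note file names the article reports Ebaka dropping (Windows names are case-insensitive).
RANSOM_NOTES = {"info.hta", "info.txt"}

def parse_encrypted_name(filename):
    """Return the fields of a Phobos-style filename as a dict, or None if it does not match."""
    m = PHOBOS_SUFFIX.match(filename)
    return m.groupdict() if m else None

def triage(paths):
    """Split paths into encrypted files and ransom notes and tally IDs, emails and extensions."""
    encrypted, notes = [], []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]   # basename, Windows or POSIX
        if name.lower() in RANSOM_NOTES:
            notes.append(path)
        elif (parsed := parse_encrypted_name(name)) is not None:
            encrypted.append(dict(parsed, path=path))
    summary = {key: Counter(e[key] for e in encrypted)
               for key in ("victim_id", "email", "ext")}
    return encrypted, notes, summary

# Constructed sample listing standing in for a directory walk of an affected host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\1.jpg.id[1E857D00-3323].[datadownloader@proton.me].ebaka",
    r"C:\Users\alice\Documents\report.docx.id[1E857D00-3323].[datadownloader@proton.me].ebaka",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",  # untouched file, must not be flagged
]

if __name__ == "__main__":
    enc, notes, summary = triage(SAMPLE_PATHS)
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
    print("victim IDs:", dict(summary["victim_id"]), "emails:", dict(summary["email"]))
```

Feeding the output of a real directory walk into triage() gives the victim ID and contact address needed to match an incident against known Phobos-family campaigns, and the original names recoverable from the parsed fields.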

The ransom note shown in the pop-up window provides additional details about the infection, specifying that decryption requires the payment of a ransom in Bitcoin. Allegedly, the amount depends on how quickly the victim establishes contact with the cybercriminals.

Before complying with the ransom demands, the victim may test decryption by sending the attackers up to five encrypted files, subject to limits on their size and content. The message also cautions against modifying the locked files or using third-party decryption tools, as such actions may result in permanent data loss. Additionally, the victim is warned that seeking assistance from third parties could increase the financial loss.

Ebaka Ransom Note in Full

The complete text of the Ebaka ransom note reads as follows:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail datadownloader@proton.me
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail: datadownloader@tutanota.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can Ransomware Infect Your Computer?

Ransomware can infect your computer through various means, and attackers often rely on social engineering to trick users into downloading or executing malicious code. The most common infection methods are:

Phishing Emails:
Email Attachments: Cybercriminals often send phishing emails with malicious attachments, such as infected Word documents or PDF files. When the user opens the attachment, the ransomware is executed.
Malicious Links: Phishing emails may contain links to fake websites that host ransomware. Clicking on these links can trigger the download and installation of the ransomware on your computer.

Malicious Websites:
Visiting compromised or malicious websites can expose your computer to drive-by downloads, where malware, including ransomware, is automatically downloaded and executed without your knowledge.

Malvertising:
Cybercriminals may compromise legitimate online advertising networks and place malicious advertisements (malvertisements) on websites. Clicking on these ads can lead to the download of ransomware.

Exploit Kits:
Exploit kits are malicious toolkits that take advantage of vulnerabilities in software or browsers. If your system is not up-to-date with the latest security patches, an exploit kit can exploit these vulnerabilities to deliver ransomware.

Remote Desktop Protocol (RDP) Attacks:
Attackers may attempt to gain unauthorized access to your computer by exploiting weak or default passwords on Remote Desktop Protocol. Once inside, they can deploy ransomware.

January 31, 2024
