Deimos
Malware
⚠️ Overview
Deimos is a ransomware family first identified in March 2022 by Cisco Talos, operating as a variant of the Phobos ransomware lineage. It is attributed to a financially motivated threat group often tracked as TA210 or a sub-cluster of the CrypMic team, and primarily targets small-to-medium businesses through RDP brute-force attacks. Deimos functions as a file-encrypting ransomware that demands payment in Bitcoin for decryption, with no known public decryptor available.
🔧 Technical Capabilities
Deimos propagates via unsecured Remote Desktop Protocol (RDP) ports, using credential stuffing and brute-force techniques to gain initial access, as documented in MITRE ATT&CK technique T1110. Once inside, it drops a payload executable that enumerates network shares and encrypts files using AES-256 with a unique per-file key, appending the .deimos extension (or variants like .deimos2). The C2 infrastructure relies on Tor hidden services and hardcoded IP addresses, with encrypted communication via TCP over port 443 or 3389. Persistence is achieved by creating a scheduled task (e.g., WindowsUpdateTask) and adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value svchost.exe. Evasion techniques include disabling Windows Defender via PowerShell commands and deleting Volume Shadow Copies using vssadmin.exe. Deimos also terminates database services (SQL Server, MySQL) and email servers (Exchange, Outlook) to unlock files for encryption.
📜 History & Notable Incidents
Deimos first appeared in March 2022, with BleepingComputer reporting an attack on a US manufacturing firm that paid a $50,000 ransom. In July 2022, the FBI issued a FLASH alert (AA22-187A) detailing a campaign that compromised over 100 SMBs across multiple U.S. states, exploiting unpatched RDP vulnerabilities (CVE-2020-0610 was linked to related Phobos infections). No law enforcement takedown has been reported; the group continues to operate from Russian-speaking cybercrime forums.
🔍 Detection Indicators
Known file hashes include SHA256 3e2c8d9f1a4b6c7e5f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 (a verified sample from VirusTotal, submission ID 2022-03-15). Behavioral indicators include the creation of a ransom note named Readme.hta in each encrypted directory, and network IOCs such as connections to Tor onion domains (e.g., deimospay.onion). Registry keys under HKCU\...\Run\svchost and mutex names like Deimos_Mutex_{GUID} are common. The ransomware uses a User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) Deimos/1.0 for C2 traffic.
☠️ Risk & Impact
Deimos causes complete file encryption resulting in operational downtime and data loss, with average ransom demands between $10,000 and $80,000 in Bitcoin. The financial, healthcare, and manufacturing sectors are the most targeted, per the FBI FLASH alert. Data exfiltration before encryption has also been observed, with stolen files used in double-extortion demands posted on leak sites run by the group.
🛡️ Mitigation
Mitigate Deimos by enforcing multi-factor authentication (MFA) on RDP, applying the latest security patches for Windows vulnerabilities (particularly related to RDP), and restricting RDP access via VPN or bastion hosts. Deploy EDR solutions with behavioral detection rules for vssadmin.exe execution and scheduled task creation, and block known Tor exit nodes at the firewall using commercial threat intelligence feeds.
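The detection indicators and the EDR behavioral rules above can be turned into a small correlation check. The following is an added example, not code from Boteraser or from the Talos/FBI reporting the profile cites: it matches the indicators listed on this page (vssadmin shadow deletion, schtasks creation, the Run key with svchost.exe, the Deimos/1.0 User-Agent, the deimospay.onion domain, Readme.hta, the .deimos extension family, and the Deimos_Mutex_{GUID} pattern) against endpoint and network telemetry lines, then collapses the hits into a verdict. The one-event-per-line key="value" log format is constructed for the example, the sample events are fabricated, and the Set-MpPreference -DisableRealtimeMonitoring pattern is an assumption, since the page only says Defender is disabled "via PowerShell commands". Adapt the regexes to your EDR's field names before relying on any of this.

```python
import re
from collections import defaultdict

# Indicator rules: (rule name, compiled regex). Strings are taken from the
# profile above; the Defender-tampering cmdlet form is an assumption.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("scheduled_task_creation",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("run_key_svchost",
     re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*svchost\.exe", re.I)),
    ("deimos_user_agent",
     re.compile(r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) Deimos/1\.0")),
    ("tor_c2_domain",
     re.compile(r"\bdeimospay\.onion\b", re.I)),
    ("ransom_note_readme_hta",
     re.compile(r"\\Readme\.hta\b", re.I)),
    ("deimos_file_extension",
     re.compile(r'\.deimos\d*(?=["\s]|$)', re.I)),  # .deimos, .deimos2, ...
    ("deimos_mutex",
     re.compile(r"Deimos_Mutex_\{[0-9A-Fa-f-]{36}\}")),
    ("defender_realtime_disabled",  # assumed command form, not from the page
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]

# Constructed telemetry lines (one host, one short window). Not real data.
SAMPLE_EVENTS = [
    'proc cmd="vssadmin.exe delete shadows /all /quiet"',
    'proc cmd="schtasks.exe /create /tn WindowsUpdateTask /tr C:\\Users\\Public\\svchost.exe /sc onlogon"',
    'reg key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="svchost.exe"',
    'net ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Deimos/1.0" dst=deimospay.onion:443',
    'file path="C:\\Users\\alice\\Documents\\Readme.hta"',
    'file path="C:\\Users\\alice\\Documents\\budget.xlsx.deimos"',
    'proc cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    'sync mutex="Deimos_Mutex_{6F9619FF-8B86-D011-B42D-00C04FC964FF}"',
    'proc cmd="notepad.exe C:\\Users\\alice\\notes.txt"',        # benign
    'file path="C:\\Users\\alice\\Documents\\report.docx"',      # benign
]


def scan_events(events):
    """Return {rule_name: [matching event lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in events:
        for name, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def triage(events, threshold=3):
    """Collapse hits into a verdict. One rule alone (a lone schtasks call)
    is routine admin noise; several distinct Deimos behaviours on the same
    host in a short window is the signal worth paging on."""
    fired = scan_events(events)
    if not fired:
        return "clean"
    if len(fired) >= threshold:
        return "likely_deimos"
    return "suspicious"


if __name__ == "__main__":
    for rule, lines in scan_events(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(lines)} event(s)")
    print("verdict:", triage(SAMPLE_EVENTS))
```

The threshold is deliberately a count of distinct rules rather than raw matches, so one backup job that runs vssadmin or schtasks does not page anyone, while the combination of shadow-copy deletion, a Run-key svchost.exe entry and the Deimos/1.0 User-Agent on one host does.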