A ransomware incident was reported where an attacker encrypted a user’s files, appending the extension .3R9qG8i3Z to each affected file name. The attack is a variant of the well-known Phobos ransomware family, identified by cybersecurity researchers after the victim sought assistance.
Attack Characteristics and Ransom Note
Following the encryption process, a ransom note named ReadMe-3R9qG8i3Z.txt was left on the compromised system. This note provided instructions for the victim, including a personal ID and a contact email address: DataRecovery3r9qg8i3z@onionmail.org. The note contained a demand for the victim to make contact within 72 hours, threatening that data would be deleted otherwise. The primary infection vector for Phobos ransomware is typically through exposed Remote Desktop Protocol (RDP) services, and the user reporting the incident confirmed they had an open RDP port.
Identification and Decryption Status
Security researcher Michael Gillespie analyzed the provided samples and confirmed the malware is a variant of Phobos ransomware. According to the researcher, there is no known method to decrypt files encrypted by any Phobos variants for free. This leaves victims with limited options for data recovery outside of paying the ransom or restoring from offline backups. The analysis confirmed the direct link between this specific file extension and the broader Phobos ransomware operation.
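An added triage script, not from the forum thread or from the researchers quoted above, that inventories the artifacts described in this report (files carrying the .3R9qG8i3Z extension, the ReadMe-3R9qG8i3Z.txt note, and any contact address inside it) so the scope of a restore from offline backup can be measured. The directory tree and note text it scans are constructed sample data; only the extension, note name and contact e-mail come from the report.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators reported in the incident write-up above.
ENCRYPTED_EXT = ".3R9qG8i3Z"
NOTE_NAME = "ReadMe-3R9qG8i3Z.txt"
# Does not swallow a sentence-ending period after the address.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)  # paths of files renamed by the ransomware
    notes: list = field(default_factory=list)      # paths of ransom notes found
    contacts: set = field(default_factory=set)     # e-mail addresses extracted from the notes


def triage(root):
    """Walk `root` once, collecting encrypted files, ransom notes and note contacts."""
    result = TriageResult()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                result.notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result.contacts.update(EMAIL_RE.findall(fh.read()))
            elif name.endswith(ENCRYPTED_EXT):
                result.encrypted.append(path)
    return result


def build_sample_tree():
    """Constructed sample data: a throwaway tree that mimics the reported infection."""
    root = tempfile.mkdtemp(prefix="phobos-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for fname in ("report.docx" + ENCRYPTED_EXT, "budget.xlsx" + ENCRYPTED_EXT):
        open(os.path.join(docs, fname), "wb").close()
    open(os.path.join(docs, "untouched.txt"), "w").close()  # not renamed, must be ignored
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Contact DataRecovery3r9qg8i3z@onionmail.org "
                 "within 72 hours.\n")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r.encrypted)} encrypted files, {len(r.notes)} notes, contacts: {sorted(r.contacts)}")
```

Point `triage()` at a mounted image or a share rather than the live host when possible, so the inventory is taken from a read-only copy of the evidence.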
Source: https://www.bleepingcomputer.com/forums/t/811740/ransomware-3r9qg8i3z/