VX-Underground, a group that maintains an open-source library of malware code and research, says it is being framed by a new ransomware variant bearing its name.
The group shared a screenshot Monday on X, formerly known as Twitter, showing a ransomware popup directing victims to contact VX-Underground’s email or account on X to decrypt their files. PCrisk researchers, who first discovered the “Vx-underground” ransomware, identified it as a variant of the Phobos ransomware family.
“1. We are not Threat Actors,” VX-Underground tweeted in response to the impersonation. “2. It is insulting that you’d think we’d stoop so low as to use Phobos. Really? Phobos? Why would anyone use that hunk-of-junk?”
PCrisk’s initial report on the ransomware also states there is no connection between the Phobos variant and the VX-Underground group. The ransomware also uses the VX-Underground logo, the file extension “.VXUG” and a reference to “infected” — the password for the group’s malware repository — in its attempt to strengthen its association to the group.
VX-Underground responds to impersonation attempt
VX-Underground told SC Media it doesn’t plan to take any action in response to the attempted framing other than to spread awareness.
“We won’t do anything,” the group said via its X account. “We don’t personally believe anything serious will come from it because they would be losing money if they invested significant time, energy and money to do a large scale ransomware campaign. They wouldn’t be paid, it would just make us look like jerks.”
Hello,— vx-underground (@vxunderground) November 20, 2023
We are aware a Threat Actor is framing us with the name "Vx-underground ransomware".
1. We are not Threat Actors
2. It is insulting that you'd think we'd stoop so low as to use Phobos
Really? Phobos? Why would anyone use that hunk-of-junk? pic.twitter.com/NYAu54Dn3M
The PCrisk report confirms that the ransomware does not include any means to pay the variant’s actual creator, only including contact information for the legitimate VX-Underground group.
PCrisk founder Tomas Meskauskas, who authored the report, suggested the version his researchers discovered may have been released for testing purposes ahead of a future campaign.
VX-Underground said it does not know who the author of the variant bearing its name is, and did not confirm to SC Media whether it has received any correspondence from potential victims.
“Phobos is an old ransomware variant, it isn’t a large RaaS like Lockbit or ALPHV, Phobos is more designed to target home users,” the group explained. “The builder has been leaked dozens of times.”