Cybersecurity · · 2 min read

VX-Underground Malware Collective: A Victim of Ransomware Framing

VX-Underground Malware Collective: A Victim of Ransomware Framing

A new development has surfaced involving the Phobos ransomware and VX-Underground, a well-known malware-sharing collective. This incident sheds light on the intricate and sometimes deceptive tactics used in the cybercrime landscape.

The Emergence of Phobos Ransomware

Phobos ransomware, believed to be derived from the Crysis ransomware family, emerged in 2018. Unlike some of its notorious counterparts, Phobos hasn't evolved into a massive operation known for high-value attacks and demands for substantial ransoms. Nonetheless, its impact is significant, contributing to 4% of all submissions to the ID Ransomware service in 2023​​.

Framing VX-Underground

A notable aspect of this story is the framing of VX-Underground by a new variant of Phobos ransomware. Discovered by the ransomware hunter PCrisk, this variant manipulates file extensions during encryption, appending a string that includes the email address 'staff@vx-underground[.]org' and the extension 'VXUG,' which stands for VX-Underground​​.

Ransom Notes and Taunts

The Phobos ransomware leaves behind two types of ransom notes. The first, a text file titled 'Buy Black Mass Volume II.txt,' includes a tongue-in-cheek reference to VX-Underground, stating that the decryption password is not "infected," a nod to the password used on all VX malware archives​​. The second, an HTA file, features the VX-Underground logo and contact information, furthering the illusion of their involvement​​.

The Broader Context of Cybersecurity Taunts

This framing is not an isolated incident in the cybersecurity realm. Security researchers and threat actors often engage in a game of digital cat-and-mouse, leading to taunts and references within malware and ransomware. Past examples include GandCrab ransomware naming its command and control servers after notable cybersecurity entities and the developer of Apocalypse ransomware embedding abusive comments about a ransomware expert in its encryptors​​.


The framing of VX-Underground by the Phobos ransomware variant is a vivid example of the complexities and unexpected turns in the cybersecurity landscape. It underscores the ongoing battle between cybercriminals and security researchers, a struggle marked by innovation, deception, and sometimes, a hint of dark humor. As this saga unfolds, it serves as a reminder of the ever-evolving nature of cyber threats and the need for vigilance in the digital age.

Read next