U.S. cybersecurity and intelligence agencies have issued a warning regarding Phobos ransomware attacks targeting government and critical infrastructure entities. The advisory, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), details the tactics and techniques employed by threat actors utilizing Phobos ransomware.
Operating as a ransomware-as-a-service (RaaS) model since May 2019, Phobos ransomware has successfully targeted various sectors, including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure. The government reports that these attacks have resulted in ransoms amounting to several million U.S. dollars.
Multiple Phobos ransomware variants, such as Eking, Eight, Elbie, Devos, Faust, and Backmydata, have been identified. It is noteworthy that the 8Base ransomware group was revealed to be leveraging a Phobos ransomware variant in their financially motivated attacks, as disclosed by Cisco Talos.
The agencies note evidence suggesting that Phobos is centrally managed by a controlling authority that holds the ransomware's private decryption key. Attack chains typically begin with initial access via phishing or through exposed Remote Desktop Protocol (RDP) services on vulnerable networks, followed by the deployment of stealthy payloads and additional remote access tools. The threat actors employ techniques such as process injection and Windows Registry modifications to evade detection and maintain persistence within compromised environments.
Furthermore, Phobos actors use built-in Windows API functions to steal tokens, bypass access controls, and create new processes, and they escalate privileges by enabling the SeDebugPrivilege token privilege. The group uses the open-source tools BloodHound and SharpHound for Active Directory enumeration, exfiltrates files using WinSCP and Mega.io, and deletes volume shadow copies to hinder recovery efforts.
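The post-exploitation behaviour above (shadow-copy deletion, Active Directory enumeration with SharpHound/BloodHound, exfiltration with WinSCP or Mega) is visible in process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event ID 4688. The following hunting script is an added example, not code from the advisory or the agencies; the log records it scans are constructed here in a simple key=value rendering of those fields, and the exact command forms it matches (vssadmin, wmic, wbadmin, bcdedit invocations) are typical invocations assumed for illustration rather than strings quoted from the advisory.

```python
"""Hunt process-creation records for Phobos-style post-exploitation activity.

Added example (not the advisory's own code). Records are a constructed
key=value rendering of Sysmon Event ID 1 / Security 4688 fields; the command
patterns are typical invocations, assumed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    user: str
    command: str


# Detection rules: technique label and a regex applied to the command line
# (and, as a fallback, the image path). Only destructive verbs are matched,
# so routine "vssadmin list shadows" from a backup account stays quiet.
RULES = [
    ("inhibit-recovery/shadow-copy",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("inhibit-recovery/shadow-copy",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("inhibit-recovery/backup-catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("inhibit-recovery/boot-config",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("discovery/ad-enumeration",
     re.compile(r"sharphound|bloodhound", re.I)),
    ("exfiltration/tooling",
     re.compile(r"\bwinscp(\.exe)?\b|\bmegasync(\.exe)?\b|\bmega\.(io|nz)\b", re.I)),
]

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one key=value process-creation record into a dict."""
    rec = {}
    for key, raw, quoted in _KV.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def scan(lines):
    """Return one Finding per (record, technique) that a rule matches."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        cmd, image = rec.get("CommandLine", ""), rec.get("Image", "")
        seen = set()
        for technique, pattern in RULES:
            if technique in seen:
                continue
            if pattern.search(cmd) or pattern.search(image):
                seen.add(technique)
                findings.append(Finding(technique, rec.get("Host", "?"),
                                        rec.get("User", "?"), cmd))
    return findings


def triage(findings):
    """Group the technique families seen on each host."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique.split("/")[0])
    return {host: sorted(fams) for host, fams in by_host.items()}


def priority_hosts(findings):
    """Hosts where recovery is being inhibited: encryption usually follows."""
    return sorted(h for h, fams in triage(findings).items()
                  if "inhibit-recovery" in fams)


# Constructed sample telemetry (not real logs). WS01 shows the recovery
# inhibition sequence, WS02 shows enumeration and exfil tooling, WS03 is benign.
SAMPLE_LOG = [
    r'Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    r'Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
    r'Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    r'Host=WS03 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'Host=WS02 User=CORP\jdoe Image=C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe CommandLine="SharpHound.exe -c All"',
    r'Host=WS02 User=CORP\jdoe Image="C:\Program Files (x86)\WinSCP\WinSCP.exe" CommandLine="WinSCP.exe /script=C:\Temp\up.txt"',
    r'Host=WS03 User=CORP\admin Image=C:\Windows\explorer.exe CommandLine="C:\Windows\Explorer.EXE"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host:<5} {f.user:<16} {f.technique:<30} {f.command}")
    print("families per host:", triage(hits))
    print("isolate first:", priority_hosts(hits))
```

Matching on the destructive verb rather than on the binary name is the design choice worth copying into a SIEM rule: vssadmin.exe and bcdedit.exe are legitimately run by backup and imaging software, but a chain of shadow-copy deletion, backup catalog deletion and recovery-disabled boot configuration on one workstation in a short window is the pre-encryption signature, and that host is the one to isolate first.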
This disclosure coincides with Bitdefender’s report on a coordinated ransomware attack by the CACTUS group, impacting two separate companies simultaneously. Notably, the attack targeted the virtualization infrastructure, indicating a broadened focus beyond Windows hosts to Hyper-V and VMware ESXi hosts. The attackers exploited a critical security flaw (CVE-2023-38035) in an Ivanti Sentry server less than 24 hours after its disclosure in August 2023, underscoring the rapid weaponization of newly published vulnerabilities.
Ransomware remains a lucrative venture for threat actors, with median ransom demands reaching $600,000 in 2023, a 20% increase over the previous year. Paying, however, does not guarantee the safe recovery of data and systems: Cybereason's data shows that 78% of organizations that paid a ransom were attacked again, often by the same threat actor.