The recent joint effort by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) has shed light on the tactics and techniques employed by threat actors to deploy the Phobos ransomware strain on target networks. This advisory, part of an ongoing initiative to combat ransomware, is a collaborative effort with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and aims to provide important insights for security and IT administrators.
Phobos ransomware first emerged in 2019 and, operating under a ransomware-as-a-service model, has become one of the more prevalent strains in recent years. The Phobos variant known as 8Base even made the top 10 list of most active ransomware threats in 2023, according to Black Fog. Phobos attacks have targeted a range of sectors, including state, county, and municipal governments, healthcare, education, and critical infrastructure.
In a recent incident, a Phobos-affiliated threat actor infected systems at approximately 100 hospitals in Romania using a variant called Backmydata. The attackers first compromised a central health information system which then led to the infiltration of these hospital networks. This event underscores the severity and impact of ransomware attacks on critical services.
The advisory highlights the diverse tactics Phobos threat actors use to gain initial access to victim networks. Phishing emails have been a common method of distributing the ransomware payload, including delivery of the SmokeLoader dropper in email attachments. Actors have also been observed scanning the Internet for exposed RDP ports and using brute-force password-guessing tools to gain entry into networks.
Once inside a network, Phobos threat actors use privilege escalation techniques to gain control of systems: running executables that escalate privileges, bypassing access controls, and spawning new processes that run with elevated privileges. The ransomware also establishes persistence through mechanisms such as Windows Startup folders and modified registry keys, which additionally serve to hinder victims' backup and recovery efforts.
A particularly concerning tactic employed by Phobos actors is data exfiltration before encrypting systems. By stealing sensitive data and threatening to release it, threat actors create additional leverage to extort payment from victims. Financial records, legal documents, and network-related information are among the data frequently targeted. To ensure victims cannot recover their data without paying the ransom, threat actors also seek out and delete any existing backups.
Overall, the advisory by the FBI and CISA provides crucial insights into the evolving tactics of Phobos ransomware threat actors. The detailed information and indicators of compromise included in the advisory aim to empower organizations to better detect and respond to potential Phobos infections. As ransomware attacks continue to pose a significant threat to organizations of all sizes, collaboration and information-sharing efforts like these are essential in building a more resilient cybersecurity posture.
