FBI, CISA Release IoCs for Phobos Ransomware
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have released details on the tactics and techniques threat actors are using to deploy the Phobos ransomware strain on target networks.
The advisory is part of an ongoing stop-ransomware effort by the two entities working in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC). It is similar to several alerts they have issued in recent months on particularly pernicious ransomware threats.
As with previous advisories, the latest one includes indicators of compromise that security and IT administrators can use to quickly spot and respond to potential Phobos infections.
A Relatively Prolific Threat
Phobos ransomware first surfaced in 2019. Since then, its authors have been using a ransomware-as-a-service model to distribute the malware, which has helped establish Phobos as one of the more widely distributed ransomware strains in recent years. A Phobos variant dubbed 8Base ranked in Black Fog’s list of the 10 most active ransomware threats in 2023. Phobos victims over the years include state, county, and municipal governments, as well as organizations in healthcare, education, and critical infrastructure sectors.
In one recent incident, a Phobos-affiliated threat actor infected systems at some 100 hospitals in Romania with a Phobos variant called Backmydata, by first targeting a central health information system to which they were connected.
The FBI-CISA advisory identified Phobos threat actors as using different tactics to gain initial access on victim networks. One common tactic has been to use phishing emails to drop the payload on victim networks in an opportunistic manner. Another has been to embed a dropper known as SmokeLoader in email attachments and use it to download Phobos on systems belonging to victims that open the attachment.
Researchers have also observed Phobos actors scanning the Internet for exposed RDP ports and then using open source brute-force password-guessing tools against them to gain access. “If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies,” the advisory noted. “Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.”
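The RDP password-guessing pattern described above can be spotted in Windows Security logs as a burst of failed RemoteInteractive logons from one source, sometimes followed by a success. The following detector is an added example, not code from the advisory or the article; the sample events are constructed, and the window and failure thresholds are assumptions a defender would tune to their own environment.

```python
"""Flag RDP password-guessing bursts, optionally followed by a successful logon.

Constructed sample events model Windows Security log fields: EventID 4625 is a
failed logon, 4624 a successful logon, and LogonType 10 is RemoteInteractive
(RDP). The 5-minute window and 5-failure threshold are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, event_id, logon_type, source_ip, user)
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2024-03-01T02:00:06", 4625, 10, "203.0.113.7", "backup"),
    ("2024-03-01T02:00:09", 4625, 10, "203.0.113.7", "scanner"),
    ("2024-03-01T02:00:12", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:30", 4625, 10, "203.0.113.7", "backup"),
    ("2024-03-01T02:00:40", 4624, 10, "203.0.113.7", "backup"),
    ("2024-03-01T09:15:00", 4625, 10, "192.0.2.10", "jdoe"),  # a user's typo
    ("2024-03-01T09:15:20", 4624, 10, "192.0.2.10", "jdoe"),
]


def find_rdp_bruteforce(events, window=timedelta(minutes=5), min_failures=5):
    """Return one alert per source IP that reaches `min_failures` failed RDP
    logons inside `window`, noting any account that then logged on successfully."""
    by_ip = defaultdict(list)
    for ts, eid, logon_type, ip, user in events:
        if logon_type == 10 and eid in (4624, 4625):  # RDP logons only
            by_ip[ip].append((datetime.fromisoformat(ts), eid, user))
    alerts = []
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(ts, user) for ts, eid, user in rows if eid == 4625]
        for i in range(len(fails)):
            j = i  # extend the window forward from failure i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= min_failures:
                start, end = fails[i][0], fails[j - 1][0]
                # success that lands after the last failure but within the window
                success = next((user for ts, eid, user in rows
                                if eid == 4624 and end <= ts <= start + window), None)
                alerts.append({"source_ip": ip, "failures": j - i,
                               "users_tried": sorted({u for _, u in fails[i:j]}),
                               "success_as": success})
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```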
Privilege Escalation and Persistence
Once on a network, Phobos threat actors have often run executables such as 1saas.exe or cmd.exe to escalate privileges and to perform various Windows shell functions, including those for taking control of systems. Additionally, they have taken advantage of built-in Windows API functions to bypass access control, steal authentication tokens, and create new processes to elevate privileges, according to the advisory. “Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access,” the advisory noted.
The ransomware’s persistence mechanisms include the use of Windows Startup folders and of Windows registry keys to remove or disable functions that enable access to backups or aid in system recovery.
Before encrypting systems on a network, Phobos actors have typically exfiltrated data from it and then used the threat of leaking that data as additional leverage for extracting payment from victims. In many cases, the threat actors have targeted financial records, legal documents, technical and network-related information, and databases for password management software, the advisory said. After the data-theft phase, the actors hunt for and delete any data backups the victims might have in place to ensure they can’t recover without paying for the decryption key.