Phobos Ransomware Targets U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have issued a warning regarding the aggressive targeting of government and critical infrastructure entities by the Phobos ransomware. The ransomware-as-a-service (RaaS) model used by Phobos actors has successfully targeted municipal and county governments, emergency services, education, public healthcare, and critical infrastructure, resulting in several million dollars in ransom payments.

Since its emergence in May 2019, multiple variants of Phobos ransomware, including Eking, Eight, Elbie, Devos, Faust, and Backmydata, have been identified. Recent findings revealed that the 8Base ransomware operators are using a variant of Phobos ransomware in their attacks.

Phobos ransomware attacks typically begin with phishing emails or with brute-force attacks against internet-exposed Remote Desktop Protocol (RDP) services, where the actors scan for open RDP ports and guess weak or reused credentials. Once inside a network, the threat actors deploy additional remote-access tools, use process injection to execute malicious code, and modify Windows Registry settings to maintain persistence.

The ransomware operators have been observed using several techniques to escalate privileges, including token theft, bypassing access controls, and spawning new processes. They also use the open-source tools BloodHound and SharpHound to enumerate Active Directory, employ WinSCP for file exfiltration, and then delete volume shadow copies to hinder recovery efforts.
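Two of the behaviours described above, RDP brute forcing during initial access and shadow copy deletion before encryption, are straightforward to detect from Windows telemetry. The script below is an added example written for this page, not code from the advisory or from the article; it runs detection logic over constructed sample events shaped like Windows Security log records (Event ID 4625/4624 for failed/successful logons with logon type 10 for RDP, Event ID 4688 for process creation with command-line auditing). The IP addresses, host name, timestamps and thresholds are invented for the example.

```python
"""
Added example: detect two Phobos-style behaviours over constructed Windows
Security-log-like events.

  1. RDP brute force: many failed logons (Event ID 4625, logon type 10) from one
     source IP inside a short sliding window, escalated if the same source
     later succeeds (Event ID 4624, logon type 10).
  2. Shadow copy deletion: a process-creation event (Event ID 4688) whose
     command line deletes Volume Shadow Copies.

Event IDs and logon types are real Windows values; every record below is
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real logs) ---------------------------
def _failed_rdp_logons(src_ip, start, count, every_s):
    return [{"ts": start + timedelta(seconds=i * every_s), "id": 4625,
             "logon_type": 10, "src_ip": src_ip, "user": "administrator"}
            for i in range(count)]

T0 = datetime(2024, 3, 1, 2, 10, 0)
SAMPLE_EVENTS = (
    _failed_rdp_logons("203.0.113.45", T0, 40, 5)      # 40 failures in ~3 min: brute force
    + _failed_rdp_logons("198.51.100.7", T0, 3, 600)   # 3 failures over 30 min: a typo-prone admin
    + [
        {"ts": T0 + timedelta(minutes=4), "id": 4624, "logon_type": 10,
         "src_ip": "203.0.113.45", "user": "administrator"},   # the guessing eventually works
        {"ts": T0 + timedelta(minutes=30), "id": 4688, "host": "FS01",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": T0 + timedelta(minutes=31), "id": 4688, "host": "FS01",
         "cmdline": "wmic.exe shadowcopy delete"},
        {"ts": T0 + timedelta(minutes=32), "id": 4688, "host": "FS01",
         "cmdline": "vssadmin.exe list shadows"},                # benign: listing, not deleting
    ]
)

# Command lines that destroy shadow copies. The WMI pattern is deliberately
# narrow (deletion only) because enumerating Win32_ShadowCopy is common and benign.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"Win32_ShadowCopy.*?(Remove-WmiObject|\.Delete\(\))", re.I | re.S),
]


def find_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: peak_failures_in_window} for every source whose RDP
    failed logons reach `threshold` inside any sliding `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e.get("id") == 4625 and e.get("logon_type") == 10:
            per_ip[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def bruteforce_followed_by_success(events, hits):
    """Subset of `hits` whose source later achieved an RDP logon: the
    highest-priority alert, because the attacker is now inside."""
    first_fail = {}
    for e in events:
        if e.get("id") == 4625 and e.get("src_ip") in hits:
            first_fail[e["src_ip"]] = min(first_fail.get(e["src_ip"], e["ts"]), e["ts"])
    escalated = set()
    for e in events:
        if (e.get("id") == 4624 and e.get("logon_type") == 10
                and e.get("src_ip") in hits and e["ts"] >= first_fail[e["src_ip"]]):
            escalated.add(e["src_ip"])
    return sorted(escalated)


def find_shadow_copy_deletion(events):
    """Return (timestamp, host, cmdline) for process creations that delete shadow copies."""
    return [(e["ts"], e.get("host"), e["cmdline"]) for e in events
            if e.get("id") == 4688
            and any(p.search(e["cmdline"]) for p in SHADOW_COPY_PATTERNS)]


if __name__ == "__main__":
    hits = find_rdp_bruteforce(SAMPLE_EVENTS)
    print("RDP brute force sources:", hits)
    print("...that later logged in:", bruteforce_followed_by_success(SAMPLE_EVENTS, hits))
    for ts, host, cmd in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"Shadow copy deletion on {host} at {ts}: {cmd}")
```

On the sample data the script flags 203.0.113.45 (40 failures in three minutes, followed by a successful RDP logon) and the two destructive command lines on FS01, while ignoring the three spaced-out failures from 198.51.100.7 and the harmless `vssadmin list shadows`. In production the threshold and window should be tuned per environment, and shadow-copy-deletion alerts deserve the highest severity: by the time they fire, encryption is usually minutes away.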

A recent coordinated ransomware attack, attributed to a group known as CACTUS, targeted two separate companies simultaneously, demonstrating a sophisticated and synchronized approach. This attack, which impacted virtualization infrastructure such as Hyper-V and VMware ESXi hosts, exploited a critical security flaw in an internet-exposed Ivanti Sentry server less than 24 hours after its disclosure in August 2023.

Despite the prevalence of ransomware attacks, paying ransom demands does not guarantee data recovery or protection from future attacks. According to one industry report, the median initial ransom demand reached $600,000 in 2023, a 20% increase from the previous year, with an average payment of $568,705 per victim as of Q4 2023.

The data shows that 78% of organizations that paid ransom demands were attacked again, often by the same threat actor, within a year. This underscores the importance of robust cybersecurity measures to prevent and mitigate ransomware attacks.

Defending against Phobos ransomware requires a multi-layered approach: regular, offline and tested backups of critical data; limiting and hardening the exposure of RDP and other remote-access services that the actors brute-force; strong endpoint security; and continuous monitoring for the post-compromise activity described above, such as shadow copy deletion. It is also crucial to educate employees about phishing and the other common attack vectors used by ransomware operators.