On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Phobos ransomware [1]. Phobos entered the ransomware scene in May 2019 and has since operated as a Ransomware-as-a-Service (RaaS) group targeting government, healthcare, education, and critical infrastructure organizations.
In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Phobos ransomware and how organizations can defend themselves against Phobos attacks.
Phobos Ransomware
Phobos ransomware started its operations as a variant of Crysis/Dharma ransomware in May 2019. It operates under the Ransomware-as-a-Service business model and has spawned many other ransomware variants, such as Backmydata, Devos, Eking, Eight, 8Base, and Faust. These variants follow the TTPs observed in Phobos attacks, differing mainly in the file extension appended to encrypted files.
As an initial access vector, Phobos threat actors typically use phishing and brute-force attacks against exposed RDP services. After establishing a foothold, they install remote access tools for persistence. Phobos and its affiliates rely on readily available tooling rather than custom malware: the open-source Bloodhound for Active Directory reconnaissance, the commercial (and widely cracked) Cobalt Strike framework, and the SmokeLoader commodity loader. These tools let attackers map the compromised network, download additional malware, and maintain covert communication with the adversary's C2 server. Finally, Phobos operators exfiltrate their victims' sensitive files, delete backups and volume shadow copies, and encrypt all connected logical drives on the infected host.
Phobos Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts & T1133 External Remote Services
Phobos threat actors scan for exposed RDP services and brute-force them to obtain valid accounts. Once inside, the same RDP access doubles as a persistent channel back into the target system.
T1566.001 Phishing: Spearphishing Attachment
Phobos operators use spearphishing emails to gain initial access to target systems. Adversaries craft benign-looking emails with malicious attachments to trick unsuspecting users into infecting their systems.
Execution
T1047 Windows Management Instrumentation
Phobos ransomware uses the following command to delete volume shadow copies through Windows Management Instrumentation (WMI):
wmic shadowcopy delete
T1059.003 Windows Command Shell
Adversaries use the following shell commands to impair defenses (T1562) and inhibit system recovery (T1490):
// T1562 Impair Defenses
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
// T1490 Inhibit System Recovery
vssadmin delete shadows /all /quiet
T1106 Native API
In earlier Phobos samples, adversaries were observed using the following Windows Crypto API functions for key management and file encryption:
CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptGenRandom
CryptSetKeyParam
CryptAcquireContextW
Persistence
T1547.001 Registry Run Keys / Startup Folder
Phobos ransomware places a copy of itself in the following locations and adds a registry Run key and Startup folder entries so that it survives reboots:
C:/Users\Admin\AppData\Local\directory
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware}
%AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware}
Privilege Escalation
T1055 Process Injection
Phobos threat actors use Smokeloader, a commodity malware loader, for process injection. Smokeloader injects malicious code into legitimate processes such as explorer.exe, which lets adversary code run under a trusted process name and evade defensive security controls.
T1134 Access Token Manipulation
Phobos ransomware bypasses User Account Control (UAC) by abusing a known weakness in how the .NET runtime loads profiler DLLs (ATT&CK also catalogs UAC bypasses under T1548.002), which lets adversaries execute commands with elevated privileges. Because .NET profiler loading is driven by the COR_ENABLE_PROFILING and COR_PROFILER environment variables, process-creation telemetry that records those variables on an auto-elevating process is a practical detection point.
Defense Evasion
T1218.005 System Binary Proxy Execution: Mshta
Adversaries use mshta.exe, a Windows-native binary, to display the ransom note (info.hta) to victims:
mshta C:\%USERPROFILE%\Desktop\info.hta
T1562 Impair Defenses
Phobos threat actors disable the system firewall using the commands below. Additionally, they use tools like PowerTool, Process Hacker, and Universal Virus Sniffer to impair and evade defenses.
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
Credential Access
T1003 OS Credential Dumping & T1555 Credentials from Password Stores
Adversaries use Mimikatz to dump credentials from LSASS memory. They also use NirSoft PassView utilities to export passwords saved in web browsers.
T1110 Brute Force
Phobos threat actors use brute-force attacks to gain access to valid accounts for exposed RDP services.
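The RDP brute-force pattern described under Initial Access and here is easy to surface from Windows Security logs: a burst of failed logons (event 4625, logon type 10) from one source, followed by a successful logon (event 4624) from the same source. The script below is an added example, not code from this post or from Picus or CISA; it runs over constructed, simplified event records (the field names, the five-failure threshold and the two-minute window are assumptions) and raises a medium alert on the burst and a high alert when the burst is followed by a success.

```python
"""Flag RDP brute-force activity and the successful logon that follows it.

Added example, not code from the Picus post or the CISA advisory. It runs over
constructed Windows Security events (4625 = failed logon, 4624 = successful
logon; LogonType 10 = RemoteInteractive, i.e. RDP). The record layout, the
failure threshold and the time window are assumptions for the demo; tune them
to your environment and feed real events from your SIEM.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this window => brute force


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'rdp_bruteforce'         : a source reached `threshold` RDP failures in `window`
    'rdp_bruteforce_success' : that same source then logged on successfully,
                               which is the Phobos initial-access pattern
    Non-RDP logon types are ignored so SMB/network logon noise does not count.
    """
    recent_failures = defaultdict(deque)   # src ip -> timestamps of recent 4625s
    flagged = set()                        # sources already raised as brute force
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        now = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        window_q = recent_failures[src]
        while window_q and now - window_q[0] > window:   # drop stale failures
            window_q.popleft()
        if ev["id"] == 4625:
            window_q.append(now)
            if len(window_q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "rdp_bruteforce", "severity": "medium",
                               "src": src, "failures": len(window_q), "time": ev["time"]})
        elif ev["id"] == 4624 and src in flagged:
            alerts.append({"rule": "rdp_bruteforce_success", "severity": "high",
                           "src": src, "user": ev["user"], "time": ev["time"]})
    return alerts


def _ev(t, eid, src, user, logon_type=10):
    return {"time": t, "id": eid, "src": src, "user": user, "logon_type": logon_type}


# Constructed sample events (not real telemetry). 203.0.113.7 sprays five
# accounts in 40 seconds and then gets in as svc_backup; 198.51.100.4 is a user
# who mistyped a password twice; 10.0.0.5 is a noisy SMB (logon type 3) source.
SAMPLE_EVENTS = [
    _ev("2024-03-01T02:00:00", 4625, "203.0.113.7", "administrator"),
    _ev("2024-03-01T02:00:10", 4625, "203.0.113.7", "admin"),
    _ev("2024-03-01T02:00:20", 4625, "203.0.113.7", "backup"),
    _ev("2024-03-01T02:00:30", 4625, "203.0.113.7", "svc_backup"),
    _ev("2024-03-01T02:00:40", 4625, "203.0.113.7", "helpdesk"),
    _ev("2024-03-01T02:00:50", 4625, "203.0.113.7", "svc_backup"),
    _ev("2024-03-01T02:01:05", 4624, "203.0.113.7", "svc_backup"),
    _ev("2024-03-01T02:00:15", 4625, "198.51.100.4", "jsmith"),
    _ev("2024-03-01T02:00:25", 4625, "198.51.100.4", "jsmith"),
    _ev("2024-03-01T02:00:35", 4624, "198.51.100.4", "jsmith"),
] + [_ev(f"2024-03-01T02:00:{s:02d}", 4625, "10.0.0.5", "scanner", logon_type=3)
     for s in range(0, 60, 10)]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)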
Discovery
T1087.002 Domain Account
Phobos operators use Bloodhound and Sharphound to enumerate the victim's Active Directory.
Collection
T1560 Archive Collected Data
Prior to exfiltration for double extortion, Phobos threat actors archive the victims' sensitive files either as .rar or .zip.
Command and Control (C2)
T1001 Data Obfuscation & T1105 Ingress Tool Transfer
Phobos threat actors use Smokeloader both to download additional malware onto the compromised system and to disguise its C2 traffic, which it blends in with requests to legitimate websites.
T1071.002 File Transfer Protocols
Adversaries use WinSCP for data exfiltration to an adversary-controlled FTP server.
T1219 Remote Access Software
Phobos group uses AnyDesk for remote and persistent access to compromised hosts.
Exfiltration
T1048 Exfiltration Over Alternative Protocol & T1567.002 Exfiltration to Cloud Storage
Adversaries use WinSCP and mega.io to exfiltrate the victims' sensitive data to an FTP server or a cloud storage provider, respectively.
Impact
T1486 Data Encrypted for Impact
Phobos ransomware uses a hybrid cryptosystem to encrypt files: file contents are encrypted with AES-256, and the AES key material is protected with a hardcoded RSA-1024 key. Since the matching RSA private key never leaves the operators, encrypted files cannot be decrypted without it, and recovery depends on backups the actors could not reach.
T1490 Inhibit System Recovery
Adversaries use the following command to delete volume shadow copies and prevent their victims from recovering their encrypted files:
vssadmin delete shadows /all /quiet
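The shadow-copy deletion, firewall tampering and mshta commands listed under Execution, Defense Evasion and Impact all pass through process-creation telemetry, which makes them the cheapest Phobos behaviors to detect. The script below is an added example, not code from this post or from Picus or CISA. It runs over constructed Sysmon Event ID 1-style records (the field names host, pid and command_line are assumptions), matches each command line against normalised patterns so that quoting, full paths and mixed case do not evade the rule, and then correlates per host, because a single shadow-copy deletion is routine admin work while shadow-copy deletion plus firewall disabling on the same host is the Phobos staging chain.

```python
"""Detect Phobos-style defense-impairment and recovery-inhibition commands
in process-creation telemetry.

Added example, not code from the Picus post or the CISA advisory. It runs over
constructed Sysmon Event ID 1-style records (field names are an assumption);
in production you would feed it the CommandLine/Image fields of your EDR or
Sysmon logs. Technique IDs follow MITRE ATT&CK.
"""
import re

# Each rule: (ATT&CK technique, rule name, pattern applied to the normalised
# command line). Patterns tolerate full paths, quotes and mixed case because
# normalise() strips quotes, collapses whitespace and lower-cases the line.
RULES = [
    ("T1490", "vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("T1490", "wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    # T1562.004 is the sub-technique "Disable or Modify System Firewall"
    ("T1562.004", "netsh_advfirewall_off",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("T1562.004", "netsh_legacy_firewall_disable",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b")),
    # mshta launching an .hta from a user-writable location (ransom note drop)
    ("T1218.005", "mshta_hta_from_user_path",
     re.compile(r"\bmshta(?:\.exe)?\s+\S*(?:\\users\\|%userprofile%|%appdata%|%temp%)\S*\.hta\b")),
]


def normalise(command_line: str) -> str:
    """Strip quotes, collapse whitespace and lower-case, so one pattern covers
    'VSSADMIN.EXE  Delete Shadows' as well as a quoted, fully qualified path."""
    return " ".join(command_line.replace('"', " ").split()).lower()


def match_rules(command_line: str):
    """Return [(technique, rule_name)] for every rule the command line trips."""
    cmd = normalise(command_line)
    return [(tech, name) for tech, name, pat in RULES if pat.search(cmd)]


def scan_process_events(events):
    """One alert per (event, rule) hit. Each event needs 'host', 'pid', 'command_line'."""
    alerts = []
    for ev in events:
        for tech, name in match_rules(ev["command_line"]):
            alerts.append({"host": ev["host"], "pid": ev["pid"], "technique": tech,
                           "rule": name, "command_line": ev["command_line"]})
    return alerts


def hosts_with_impact_chain(alerts):
    """Hosts where both recovery inhibition (T1490) and firewall tampering
    (T1562.004) were seen. The combination is a far stronger ransomware-staging
    signal than either command alone, since admins do delete shadow copies."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["technique"])
    return sorted(h for h, techs in seen.items() if {"T1490", "T1562.004"} <= techs)


# Constructed sample telemetry (not real logs). Host ws01 shows the Phobos
# chain; ws02 only runs benign administrative commands.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "command_line": r"vssadmin  delete shadows /all /quiet"},
    {"host": "ws01", "pid": 4132, "command_line": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'},
    {"host": "ws01", "pid": 4140, "command_line": r"netsh advfirewall set currentprofile state off"},
    {"host": "ws01", "pid": 4141, "command_line": r"netsh firewall set opmode mode=disable"},
    {"host": "ws01", "pid": 4200, "command_line": r"mshta C:\%USERPROFILE%\Desktop\info.hta"},
    {"host": "ws02", "pid": 812,  "command_line": r"vssadmin list shadows"},
    {"host": "ws02", "pid": 813,  "command_line": r"netsh advfirewall set currentprofile state on"},
    {"host": "ws02", "pid": 814,  "command_line": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]} pid={a["pid"]} {a["technique"]} {a["rule"]}: {a["command_line"]}')
    print("hosts showing recovery-inhibition + firewall-tampering chain:",
          hosts_with_impact_chain(found))
```

Run against the sample, every ws01 command produces an alert and ws02 produces none; the per-host correlation then names ws01 as the only host showing the staging chain. The mshta rule is deliberately narrow: it fires only when the .hta lives under a user profile, %AppData% or %Temp%, because vendor help files launched through mshta from Program Files are common and would otherwise drown the signal.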
How Picus Helps Simulate Phobos Ransomware Attacks
We also strongly suggest simulating Phobos ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit, ALPHV, and CL0P, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Phobos ransomware:
Threat ID | Threat Name | Attack Module
--------- | ----------- | -------------
90644 | PhobosRansomware Download Threat | Network Infiltration
20874 | Phobos Ransomware Email Threat | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Phobos ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Phobos ransomware:
Security Control | Signature ID | Signature Name
---------------- | ------------ | --------------
Check Point NGFW | 09DBD3225 | Ransomware.Win32.Phobos.TC.b384dDjK
Check Point NGFW | 092E24180 | Ransomware.Win32.Phobos.TC.8811RCRG
Check Point NGFW | 092A9DE2C | Ransomware.Win32.Phobos.TC.bc7aSUsc
Check Point NGFW | 0E380BC15 | Ransomware.Win32.Phobos.TC.35bfCltB
Check Point NGFW | 0DE6590EC | Ransomware.Win32.Phobos.TC.9e73OHi
Cisco FirePower | Win.Dropper.Phobos::in03.talos |
Cisco FirePower | W32.102844E3E9.in12.Talos |
Cisco FirePower | W32.Auto:fd7e8b.in03.Talos |
Cisco FirePower | Ransom:GenericRXJO.26l4.in14.Talos |
Cisco FirePower | W32.Auto:1c29b2bd22.in03.Talos |
Forcepoint NGFW | File_Malware-Blocked |
Fortigate AV | 10084673 | W32/FilecoderPhobos.C!tr.ransom
Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto | 278539035 | trojan/Win32 EXE.blocker.abhn
Palo Alto | 615552159 | Ransom/Win32.phobos.qy
Palo Alto | 614519325 | Ransom/Win32.phobos.qs
Palo Alto | 613915407 | Ransom/Win32.phobos.qr
Palo Alto | 459798392 | Ransom/Win32.phobos.rd
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "#StopRansomware: Phobos Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a. [Accessed: Mar. 01, 2024]