FBI and CISA release IoCs for Phobos ransomware

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have released details on the tactics and techniques threat actors are using to deploy the Phobos ransomware strain on targeted networks.

The advisory is part of an ongoing effort by the two agencies, working in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), to curb ransomware. It is similar to several warnings issued in recent months about particularly damaging ransomware threats.

Like previous advisories, the latest includes indicators of compromise that IT and security administrators can use to quickly detect and respond to potential Phobos infections.

A relatively prolific threat

Phobos ransomware first emerged in 2019. Since then, its authors have used a ransomware-as-a-service model to distribute the malware, which has helped make Phobos one of the most widely distributed ransomware strains of recent years. A variant of Phobos called 8Base appears in BlackFog's list of the 10 most active ransomware threats of 2023. Phobos victims over the years include state, county and municipal governments, as well as organizations in the healthcare, education and critical infrastructure sectors.

In a recent incident, a threat actor affiliated with Phobos infected systems in approximately 100 hospitals in Romania with a variant of Phobos called Backmydata, first targeting a central healthcare information system they were connected to.

The FBI-CISA alert identified several tactics Phobos threat actors use to gain initial access to victims' networks. A common one has been phishing emails that opportunistically deliver the payload onto victim networks. Another was to embed a dropper known as SmokeLoader in email attachments and use it to download Phobos onto the systems of victims who open the attachment.

The researchers also observed Phobos actors scanning the Internet for exposed RDP ports and then using open source brute-force password-guessing tools against them to gain access. “If Phobos actors successfully achieve RDP authentication in the targeted environment, they perform open source searches to create a victim profile and link the targeted IP addresses to their associated companies,” the advisory notes. “Threat actors leveraging Phobos have deployed remote access tools to establish a remote connection within the compromised network.”

Privilege escalation and persistence

Once on the network, Phobos threat actors often ran executables such as 1saas.exe or cmd.exe to escalate privileges and execute various Windows shell functions, including ones used to take control of systems. According to the advisory, they also exploited built-in Windows API functions to bypass access controls, steal authentication tokens, and create new processes to elevate privileges. “Phobos authors attempt to authenticate themselves using cached password hashes on victim computers until they achieve domain administrator access,” the warning notes.

Persistence mechanisms include Windows startup folders and Windows registry keys that remove or disable functions providing access to backups or aiding in system recovery.

Before encrypting systems on a network, Phobos actors typically exfiltrated data from them and then used the threat of disclosing that data as further leverage to extort payment from victims. In many cases, threat actors targeted financial documents, legal documents, technical and network-related information, and databases for password management software, the advisory said. After the data theft phase, the perpetrators search for and delete any backups the victims may have in place, to ensure that they cannot recover without paying for the decryption key.
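Two of the behaviours described above, the RDP brute forcing that precedes initial access and the later destruction of backups and recovery options, are both visible in ordinary Windows telemetry. The following is an added detection example written for this article; it is not code from the advisory or from the FBI/CISA. It parses constructed sample log lines (loosely modelled on Security event IDs 4625/4624 with logon type 10 for RDP, and Sysmon event ID 1 for process creation) and flags bursts of failed RDP logons from one source, noting whether a successful logon followed, and process creations whose command line matches well-known backup-deletion or recovery-disabling commands. The specific command patterns are the editor's assumptions about how the "delete backups" and "disable recovery via registry" steps usually look; the article itself does not list them.

```python
"""Added example: detect RDP brute forcing and backup/recovery tampering
in constructed Windows-style log lines. Not code from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Format: ISO timestamp,
# EventID=<n>, then key=value pairs; values with spaces are double-quoted.
SAMPLE_EVENTS = [
    "2024-03-01T02:00:01 EventID=4625 LogonType=10 SourceIP=203.0.113.45 User=admin",
    "2024-03-01T02:00:03 EventID=4625 LogonType=10 SourceIP=203.0.113.45 User=administrator",
    "2024-03-01T02:00:06 EventID=4625 LogonType=10 SourceIP=203.0.113.45 User=backup",
    "2024-03-01T02:00:09 EventID=4625 LogonType=10 SourceIP=203.0.113.45 User=svc_sql",
    "2024-03-01T02:00:12 EventID=4625 LogonType=10 SourceIP=203.0.113.45 User=admin",
    "2024-03-01T02:00:20 EventID=4624 LogonType=10 SourceIP=203.0.113.45 User=admin",
    "2024-03-01T02:01:00 EventID=4625 LogonType=10 SourceIP=198.51.100.7 User=jsmith",
    "2024-03-01T02:15:30 EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=\"vssadmin delete shadows /all /quiet\"",
    "2024-03-01T02:15:31 EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=\"cmd.exe /c bcdedit /set {default} recoveryenabled no\"",
    "2024-03-01T02:16:00 EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=\"notepad.exe notes.txt\"",
]

FAILED_LOGON_THRESHOLD = 5          # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)       # ... within this window raise an alert

# Assumed command-line patterns for backup deletion / recovery disabling.
# These are common Windows commands, not a list taken from the advisory.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"reg(\.exe)?\s+add\s+.*DisableSR", re.I),  # System Restore policy value
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one sample line into a dict; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {"ts": datetime.fromisoformat(m.group("ts")), "id": int(m.group("id"))}
    for kv in KV_RE.finditer(m.group("rest")):
        # group(3) is the unquoted body of a quoted value, group(2) a bare token
        fields[kv.group(1)] = kv.group(3) if kv.group(3) is not None else kv.group(2)
    return fields


def detect_rdp_brute_force(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "succeeded": bool}} for every source with
    at least `threshold` failed RDP logons (4625, logon type 10) inside `window`.
    `succeeded` is True when a successful RDP logon (4624) from that source follows
    the burst, the case the advisory describes as achieved RDP authentication."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != "10":
            continue
        if e["id"] == 4625:
            failures[e["SourceIP"]].append(e["ts"])
        elif e["id"] == 4624:
            successes[e["SourceIP"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted failures
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                succeeded = any(t >= burst_end for t in successes.get(ip, []))
                alerts[ip] = {"failures": j - i, "succeeded": succeeded}
                break
    return alerts


def detect_backup_tampering(events):
    """Return [(timestamp, command line)] for process creations (Sysmon ID 1)
    whose command line matches a backup-deletion or recovery-disabling pattern."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        cmd = e.get("CommandLine", "")
        if any(p.search(cmd) for p in BACKUP_TAMPER_PATTERNS):
            hits.append((e["ts"].isoformat(), cmd))
    return hits


def run(lines=SAMPLE_EVENTS):
    """Parse the lines and return (rdp_alerts, tamper_hits)."""
    events = [e for e in map(parse_event, lines) if e]
    return detect_rdp_brute_force(events), detect_backup_tampering(events)


if __name__ == "__main__":
    rdp, tamper = run()
    for ip, info in rdp.items():
        print(f"RDP brute force from {ip}: {info['failures']} failures, success={info['succeeded']}")
    for ts, cmd in tamper:
        print(f"Backup/recovery tampering at {ts}: {cmd}")
```

On the sample data the first source address trips the threshold and is marked as having succeeded afterwards, while the single failed logon from the second address is ignored; the two tampering commands are reported and the notepad launch is not. In production the thresholds would be tuned to the environment and the RDP alert fed by 4625/4624 events from domain controllers and exposed hosts, with the successful-logon flag used to prioritise the case the advisory singles out.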
