Since 2019, Phobos ransomware has targeted critical infrastructure sectors, with attacks resulting in the successful encryption of data and ransom demands totaling millions of dollars. Phobos operates as a ransomware-as-a-service (RaaS) model, facilitating various extortion campaigns that cause significant financial harm to victims.
A recent advisory issued by several U.S. cybersecurity and intelligence agencies, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), sheds light on the sophisticated tactics used by threat actors in deploying Phobos.
Phobos ransomware is often paired with various open-source tools like SmokeLoader, Cobalt Strike, and Bloodhound. These tools are readily available and are user-friendly across different operating environments, making Phobos and its variants a popular choice among threat actors. These recognizable tools are increasingly being utilized by threat actors in attacks targeting county governments, emergency services, educational institutions, and other entities.
Let’s look at Phobos ransomware, the ransomware’s tactics and techniques, as well as recommendations on how organizations can protect themselves from this kind of threat actor.
Phobos ransomware, first identified in 2019, started its operations as a variant of Crysis/Dharma ransomware, and has since evolved into one of the most prolific ransomware strains in recent years. The ransomware’s authors leverage the RaaS model, allowing other cybercriminals to distribute the malware and conduct attacks on a wide range of targets.
Phobos variants, including Backmydata, Devos, Eight, Elking, and Faust, have targeted government agencies, healthcare facilities, educational institutions, and critical infrastructure organizations worldwide. The ransomware typically encrypts files on infected systems, rendering them inaccessible until a ransom is paid, often in cryptocurrency.
The group operates with sophisticated tactics and techniques, often leveraging social engineering and exploiting vulnerabilities in target networks. The malware's modular architecture allows threat actors to customize their attacks, making it challenging for cybersecurity defenses to detect and mitigate the ransomware. The use of legitimate tools and techniques, such as remote access tools and open-source reconnaissance tools, further complicates detection efforts, allowing threat actors to maintain persistence within compromised networks.
Phobos ransomware uses a variety of tactics and techniques to infiltrate and compromise target networks. It is among the ransomware families distributed through compromised Remote Desktop Protocol (RDP) connections. This method of infiltration is not uncommon, considering that hacked RDP servers are readily available in the underground market at affordable prices. As a result, threat groups find hacked RDP servers an appealing and cost-effective means of spreading their ransomware.
Phishing emails containing malicious attachments or links are a common method used by threat actors to deliver the Phobos ransomware payload. Additionally, threat actors utilize brute-force attacks to gain unauthorized access to networks.
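Since compromised RDP and brute-forced credentials are the initial access vectors described above, the first thing a defender wants to see is a burst of failed RDP logons followed by a success from the same source. The following Python is an added example, not code from the advisory or the original post; the log records are constructed and their field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), loosely modelled on Windows
# Security events 4625 (failed logon) and 4624 (successful logon). LogonType 10
# is RemoteInteractive, i.e. an RDP session. The field names are assumptions.
def _rec(ts, event_id, logon_type, user, src_ip):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


SAMPLE_RECORDS = (
    [_rec(f"2024-03-01T02:00:{s:02d}", 4625, 10, "administrator", "203.0.113.7")
     for s in range(8)]                                                        # burst of failures
    + [_rec("2024-03-01T02:05:30", 4624, 10, "administrator", "203.0.113.7")]  # then a success
    + [_rec("2024-03-01T02:01:00", 4625, 10, "jdoe", "198.51.100.4"),
       _rec("2024-03-01T02:02:00", 4625, 10, "jdoe", "198.51.100.4")]          # below threshold
    + [_rec("2024-03-01T02:03:00", 4625, 3, "svc", "192.0.2.9")]               # network logon, not RDP
)


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`,
    and note whether a successful RDP logon from that IP followed."""
    fails, successes = defaultdict(list), defaultdict(list)
    for r in records:
        if r["logon_type"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        ts = datetime.fromisoformat(r["ts"])
        if r["event_id"] == 4625:
            fails[r["src_ip"]].append(ts)
        elif r["event_id"] == 4624:
            successes[r["src_ip"]].append(ts)
    alerts = {}
    for ip, times in fails.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over the failures
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                alerts[ip] = {
                    "failures": len(burst),
                    "first_failure": start.isoformat(),
                    "success_after": any(s > start for s in successes.get(ip, [])),
                }
                break
    return alerts
```

A "success_after" of True is the case worth paging on: the attacker is now inside and the post-access activity described below is likely to follow.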
Once inside the network, threat actors deploy remote access tools to establish a foothold, escalate privileges, and maintain persistence. Data exfiltration, deletion of backups, and widespread encryption of connected drives are primary objectives of Phobos attacks, often accompanied by threats of data leakage to coerce victims into paying the ransom.
After gaining access, Phobos actors execute additional payloads with elevated privileges, using executables like 1saas.exe or cmd.exe. These executables expose various Windows shell functions, granting control over parts of the system at different permission levels. Threat actors abuse Windows API functions to bypass access controls, steal tokens, and escalate privileges, repeatedly attempting to authenticate until domain administrator access is achieved.
Phobos ransomware uses a standardized three-phase process, leveraging Smokeloader to decrypt payloads and deploy additional malware. Smokeloader manipulates API functions to evade network defenses and obfuscate command and control activity, ultimately unpacking and executing payloads from stored memory. This sophisticated deployment mechanism allows threat actors to execute malicious operations covertly.
As for the encryption process, the researchers at Malwarebytes Labs analyzed the following sample of Phobos ransomware:
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2
They found that the ransomware is capable of encrypting files even without an internet connection, suggesting that a public key is hardcoded within the binary. Each file is encrypted using either an individual key or an individual initialization vector, so the same plaintext yields different ciphertexts.
Image 1: Encryption Process
Source: Malwarebytes Lab
A wide range of files, including executables, are encrypted. The threat actors append their contact email to the encrypted file names, marking them. This specific variant of Phobos also appends the extension '.acute' to the encrypted files, though other variants use different extensions, typically following the pattern .id[-][].
Upon analysis, Malwarebytes found that the encrypted content reveals no discernible patterns, indicating potential use of a stream cipher or a cipher like AES in CBC mode. This encryption process is illustrated in the transformation of a BMP file before and after encryption.
The encrypted file contains a distinct block at the end, separated from the encrypted content by padding bytes. The initial 16 bytes of this block vary for each file, possibly serving as an Initialization Vector. Additionally, a 128-byte block, consistent across files from the same infection, suggests the presence of an encrypted key uniquely generated in each run. Finally, a 6-character keyword, such as 'LOCK96', marks the conclusion of the encrypted file. Different versions of Phobos may use varying keywords, like 'DAT260'.
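The trailer layout described above (a per-file 16-byte block, a per-infection 128-byte block, and a 6-character keyword) is what an incident responder can use to triage a file share without any decryption. The following Python is an added example, not code from Malwarebytes or the original post: it reads the trailer from the end of a file and groups files by their shared 128-byte key block. The exact field order, the meaning of the bracketed name fields, and the sample bytes are all constructed assumptions.

```python
import re
from collections import defaultdict

# Trailer layout assumed from the description above (simplified; real samples
# may carry extra metadata between these fields):
#   [ciphertext][padding][16-byte IV][128-byte encrypted key][6-byte marker]
IV_LEN, KEY_LEN, MARK_LEN = 16, 128, 6
KNOWN_MARKERS = {b"LOCK96", b"DAT260"}
# Renamed files: <name>.<ext>.id[<victim ID>-<tag>][<contact email>].<new ext>
# (field meanings are assumptions; only the bracket structure comes from the page)
NAME_RE = re.compile(r"\.id\[([^\]\-]+)-([^\]]+)\]\[([^\]]+)\]\.(\w+)$")


def parse_trailer(data: bytes):
    """Return (marker, iv, enc_key) when data ends in a known trailer, else None."""
    if len(data) < IV_LEN + KEY_LEN + MARK_LEN:
        return None
    marker = data[-MARK_LEN:]
    if marker not in KNOWN_MARKERS:
        return None
    key_start = len(data) - MARK_LEN - KEY_LEN
    enc_key = data[key_start:key_start + KEY_LEN]
    iv = data[key_start - IV_LEN:key_start]
    return marker.decode("ascii"), iv, enc_key


def triage(files: dict) -> dict:
    """Group files (name -> raw bytes) by 128-byte key block: one block per
    infection run (per the analysis above), while each file carries its own IV."""
    groups = defaultdict(list)
    for name, data in files.items():
        parsed = parse_trailer(data)
        if parsed is None:
            continue  # no recognised trailer: not this flavour of Phobos output
        marker, iv, enc_key = parsed
        m = NAME_RE.search(name)
        groups[enc_key].append({
            "name": name, "marker": marker, "iv": iv,
            "victim_id": m.group(1) if m else None,
            "contact": m.group(3) if m else None,
        })
    return dict(groups)


def build_sample(iv: bytes, key_block: bytes, marker: bytes, body_len: int = 64) -> bytes:
    """Constructed artifact mimicking the trailer layout (body is not real ciphertext)."""
    return bytes(range(body_len)) + b"\x00" * 7 + iv + key_block + marker
```

Two files landing in the same group share a key block and therefore almost certainly came from the same run, which is useful when deciding how many infections (and how many ransom notes) a share actually contains.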
The ransomware code lacks obfuscation but uses AES encryption to protect certain constants and strings, decrypting them as needed. The AES key, although obfuscated, is hardcoded and imported whenever data decryption is required, with the Initialization Vector set to 16 NULL bytes.
Decrypted strings include a list of targeted file extensions and keywords. These extensions likely aid in identifying already encrypted files within the same ransomware family, with the extension for the current encryption round being hardcoded. Additionally, an encrypted string outlines the file extension formula, incorporating the Victim ID.
Before initiating encryption, the ransomware terminates a predefined list of processes to prevent them from impeding access to the targeted files. This list includes various processes such as database services (e.g., msftesql.exe, sqlservr.exe), desktop applications (e.g., excel.exe, outlook.exe), and communication tools (e.g., thunderbird.exe, skype.exe). These processes are systematically terminated to ensure smooth execution of the encryption process without interference from active applications or services.
Before initiating its malicious activities, Phobos checks the system locale, specifically examining the 9th bit of the output to identify systems with a Cyrillic alphabet set as default, which it then skips. Both local drives and network shares are targeted for encryption: Phobos first lists all files and compares their names against hardcoded lists stored within the binary in AES-encrypted form, separated by the delimiter ';'.
These lists include blacklists of system-related files and Phobos ransom note filenames, along with directories to skip, such as "C:\Windows". Additionally, there's a whitelist of file extensions, encompassing a wide range of formats from multimedia to document types, ensuring thorough encryption coverage during its operations.
Image 2: Phobos Ransom Note
Source: Malwarebytes Lab
Phobos actors use WinSCP and Mega.io to exfiltrate files, targeting legal, financial, and technical documentation. Following data exfiltration, threat actors hunt for and delete backups, preventing file recovery. Phobos ransomware encrypts all connected logical drives on the target host, continuing to search for and encrypt additional files, while leveraging email, voice calls, and onion sites for extortion and communication.
Phobos ransomware is a challenge for organizations across multiple sectors, as the ransomware’s threat actors use complex tactics to infiltrate networks, encrypt data, and demand ransom payments. From exploiting vulnerabilities in remote access protocols to using advanced encryption methods and obfuscation techniques, Phobos actors demonstrate a high level of sophistication in their operations.
The ransomware's impact extends beyond data encryption to the disruption of critical systems and business operations. To mitigate the threat of Phobos and similar ransomware variants, organizations must prioritize strong cybersecurity measures, including secure remote access practices, comprehensive endpoint protection, regular data backups, and employee training to identify and respond to potential threats.
Note: There are also several IoCs that are connected to 8Base ransomware. 8Base has been known to use Phobos ransomware in their attacks. You may find the complete list of 8Base IoCs here.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Snatch Ransomware:
#StopRansomware: Phobos Ransomware | CISA
#StopRansomware: Phobos Ransomware (cisa.gov)
Phobos Ransomware Analysis, Simulation and Mitigation- CISA Alert AA24-060A (picussecurity.com)
A deep dive into Phobos ransomware | Malwarebytes Labs
Phobos Ransomware Targeting U.S. Government and Critical Infrastructure (pcmatic.com)
overview-phobos-ransomware.pdf (hhs.gov)
Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks - SecurityWeek
FBI, CISA Release IoCs for Phobos Ransomware (darkreading.com)
Another Phobos Ransomware Variant Launches Attack – FAUST | FortiGuard Labs (fortinet.com)
A deep dive into Phobos ransomware, recently deployed by 8Base group (talosintelligence.com)
Phobos (Malware Family) (fraunhofer.de)
Understanding the Phobos affiliate structure and activity (talosintelligence.com)
CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure - Security Boulevard
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.