Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

CISA, the FBI, and MS-ISAC have released a joint advisory warning of ongoing Phobos ransomware attacks targeting government, education, emergency services, healthcare, and other critical infrastructure sectors. The advisory includes the TTPs employed by Phobos ransomware, including how the group conducts reconnaissance and gains initial access to victim environments, as well as the methods it uses to maintain persistence, escalate privileges, and encrypt files for impact. The agencies have also provided a set of recommended mitigations and IOCs that organizations can use to defend against Phobos ransomware attacks.

Security Officer Comments:
Like most cybercriminal operations, Phobos employs spear-phishing attachments to infect potential victims. According to the agencies, these actors also scan with tools like Angry IP Scanner to look for vulnerable RDP ports, which, when found, are exploited for initial access to victim environments. Once initial entry is secured, the actors modify firewall configurations and Registry keys to evade defenses and maintain persistence, then deploy various payloads that lead to execution of the gang’s encryptor. To ensure victims can’t recover their files, Phobos also identifies and deletes data backups.

Suggested Corrections:
To mitigate Phobos ransomware activity, organizations have been advised to:
  • Secure RDP ports to prevent threat actors from abusing RDP tools.
  • Prioritize remediating known exploited vulnerabilities.
  • Implement EDR solutions to disrupt threat actor memory allocation techniques.