Connect with us

Hi, what are you looking for?



Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

US government agencies warn of Backmydata, Devos, Eight, Elking, and Faust ransomware attacks connected to Phobos.

US government agencies on Thursday warned organizations of ongoing Phobos ransomware attacks targeting government, education, emergency services, healthcare, and other critical infrastructure sectors.

Active since May 2019, Phobos operates under the ransomware-as-a-service (RaaS) business model and has successfully extorted several millions of dollars from victim organizations, CISA, the FBI, and MS-ISAC say in a joint advisory.

Based on similar tactics, techniques, and procedures (TTPs), Phobos is linked to ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust, and has been deployed in conjunction with tools popular among cybercriminals, including Bloodhound, Cobalt Strike, and SmokeLoader.

Phobos attacks typically start with phishing emails dropping IP scanning tools aimed at identifying vulnerable Remote Desktop Protocol (RDP) ports, which are then brute-forced for access and company profiling.

“Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network,” the joint advisory reads.

The attackers were also seen using spoofed email attachments to deliver malicious payloads such as the SmokeLoader backdoor, which is then used to deploy Phobos and exfiltrate data from the victim’s network.

Cybercriminals were also seen running legitimate executables to deploy additional payloads with elevated privileges, modifying system firewall configurations to bypass network defenses, and using Windows Startup folders and Run Registry Keys to maintain persistence.

Reconnaissance, credential harvesting, and discovery have been performed using open source tools, including Bloodhound, Sharphound, Mimikatz, NirSoft, and Remote Desktop Passview. Legitimate tools such as WinSCP and have been used for data exfiltration to FTP servers or cloud storage.

Advertisement. Scroll to continue reading.

The US government agencies also note that Phobos has been observed identifying and deleting data backups to prevent recovery, and encrypting all connected logical drives on the target machine.

While extortion typically occurs via email, some Phobos affiliates would use voice calls to contact their victims. Instant messaging applications have been used for communication. Compromised organizations have been listed on Tor-based sites that also host allegedly stolen data.

The joint advisory also contains indicators of compromise (IoCs) that organizations can use to hunt for potential Phobos ransomware compromise, as well as recommended mitigations.

“The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents,” the advisory reads.

Related: Ransomware Attack Knocks 100 Romanian Hospitals Offline

Related: Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang

Related: Change Healthcare Confirms BlackCat Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.