US government agencies on Thursday warned organizations of ongoing Phobos ransomware attacks targeting government, education, emergency services, healthcare, and other critical infrastructure sectors.
Active since May 2019, Phobos operates under the ransomware-as-a-service (RaaS) business model and has successfully extorted several millions of dollars from victim organizations, CISA, the FBI, and MS-ISAC say in a joint advisory.
Based on similar tactics, techniques, and procedures (TTPs), Phobos is linked to ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust, and has been deployed in conjunction with tools popular among cybercriminals, including BloodHound, Cobalt Strike, and SmokeLoader.
Phobos attacks typically start with phishing emails dropping IP scanning tools aimed at identifying vulnerable Remote Desktop Protocol (RDP) ports, which are then brute-forced for access and company profiling.
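For defenders, the brute-force stage described above can be hunted in Windows Security logon events. The following is an added example, not taken from the advisory: it flags source addresses with a burst of failed logons (event ID 4625) and notes whether a successful logon (4624) followed. The record layout, sample events, threshold, and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the advisory):
# (timestamp, event ID, logon type, source IP, account).
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); failed RDP logons often appear as type 3
# (Network) when Network Level Authentication is enabled.
SAMPLE_EVENTS = (
    [(f"2024-03-01T02:10:{s:02d}", 4625, 3, "203.0.113.7", "administrator")
     for s in range(0, 60, 10)]
    + [("2024-03-01T02:11:05", 4624, 10, "203.0.113.7", "administrator")]
    + [(f"2024-03-01T03:00:{s:02d}", 4625, 3, "192.0.2.55", "backup")
       for s in range(0, 50, 10)]
    + [("2024-03-01T09:00:00", 4625, 3, "198.51.100.20", "jdoe"),
       ("2024-03-01T09:00:30", 4624, 10, "198.51.100.20", "jdoe")]
)
RDP_LOGON_TYPES = {3, 10}


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source IP: finding} for sources with at least `threshold`
    failed logons inside `window`; each finding records the peak failure
    count and the account that logged on right after the burst, if any."""
    failures = defaultdict(list)  # source IP -> failure times still in window
    findings = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if when - t <= window]
        if event_id == 4625:
            recent.append(when)
            if len(recent) >= threshold:
                f = findings.setdefault(
                    src, {"failures": 0, "logon_after_burst": None})
                f["failures"] = max(f["failures"], len(recent))
        elif event_id == 4624 and len(recent) >= threshold:
            # Success while the burst is still in the window: likely guessed.
            findings[src]["logon_after_burst"] = user
        failures[src] = recent
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

A source with a non-empty `logon_after_burst` deserves priority triage, since it suggests the guessing succeeded rather than merely occurred.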
“Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network,” the joint advisory reads.
The attackers were also seen using spoofed email attachments to deliver malicious payloads such as the SmokeLoader backdoor, which is then used to deploy Phobos and exfiltrate data from the victim’s network.
Cybercriminals were also seen running legitimate executables to deploy additional payloads with elevated privileges, modifying system firewall configurations to bypass network defenses, and using Windows Startup folders and Run Registry Keys to maintain persistence.
Reconnaissance, credential harvesting, and discovery have been performed using open source tools, including BloodHound, SharpHound, Mimikatz, NirSoft, and Remote Desktop Passview. Legitimate tools such as WinSCP and Mega.io have been used for data exfiltration to FTP servers or cloud storage.
The US government agencies also note that Phobos has been observed identifying and deleting data backups to prevent recovery, and encrypting all connected logical drives on the target machine.
While extortion typically occurs via email, some Phobos affiliates would use voice calls to contact their victims. Instant messaging applications have been used for communication. Compromised organizations have been listed on Tor-based sites that also host allegedly stolen data.
The joint advisory also contains indicators of compromise (IoCs) that organizations can use to hunt for potential Phobos ransomware compromise, as well as recommended mitigations.
“The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents,” the advisory reads.