The PolySwarm Blog

Phobos Targeting Critical Infrastructure

Mar 15, 2024 2:49:12 PM / by The Hivemind

PHOBOS

Related Families: Elking, Eight, Devos, Backmydata, Faust, Perdak, CrySiS, Dharma, SmokeLoader, Cobalt Strike, Bloodhound
Verticals Targeted: Critical Infrastructure, Government, Emergency Services, Education, Healthcare

Executive Summary

CISA recently released an advisory on Phobos ransomware being used to target critical infrastructure entities, including government entities, emergency services, education, public healthcare, and other unspecified entities.

Key Takeaways

  • CISA recently released an advisory on Phobos ransomware being used to target critical infrastructure entities.
  • Targeted verticals included government entities, emergency services, education, public healthcare, and other unspecified entities.
  • The threat actors typically obtain initial access via phishing campaigns or RDP.

What is Phobos?

Phobos ransomware was first observed in 2019 and is potentially related to the Dharma ransomware family. It targets Windows systems and has been observed targeting critical infrastructure entities in the past, including the energy sector. We previously reported on Faust, a Phobos variant.

CISA recently released an advisory on Phobos ransomware being used to target critical infrastructure entities. As recently as February 2024, Phobos was observed targeting critical infrastructure entities including government entities, emergency services, education, public healthcare, and other unspecified entities.

The threat actors behind these attacks obtained initial access via one of two methods. The first method used phishing campaigns to drop hidden payloads: spoofed email attachments carried embedded hidden payloads, such as the SmokeLoader backdoor. Once SmokeLoader infected the victim machine, the threat actors used it to deploy the secondary payload, Phobos.

For the second method, the threat actors used IP scanning tools to discover vulnerable RDP ports, or connected over RDP in Windows environments directly. Once they found an exposed RDP service, they used open source tools to brute force access.

Once the victim system is compromised, the threat actors obtain and exfiltrate victim data, then hunt for backups, deleting volume shadow copies to hinder file recovery. Phobos then encrypts all connected logical drives and drops the ransom note. While most Phobos-related extortion occurs via email, some affiliates have used voice calls to contact victims.
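As an added illustration of how a defender might catch the backup-destruction step described above, here is example detection logic that is not from PolySwarm or the CISA advisory: it scans process-creation events for command lines that delete or shrink Volume Shadow Copies. The command patterns and the sample events are assumptions, since the bulletin states only that shadow copies are deleted, not which commands Phobos uses.

```python
import re

# Command-line patterns that delete or evict Volume Shadow Copies.
# Assumed common patterns (MITRE ATT&CK T1490, Inhibit System Recovery);
# the bulletin does not list the exact commands, so tune these locally.
SHADOW_COPY_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin resize shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "Win32_ShadowCopy delete via WMI/PowerShell": re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
}

def classify_command(command_line: str):
    """Return the matching technique label, or None if the command looks benign."""
    for label, pattern in SHADOW_COPY_PATTERNS.items():
        if pattern.search(command_line):
            return label
    return None

def detect_shadow_copy_deletion(events):
    """Scan process-creation events (Sysmon ID 1 / Security 4688 style dicts)
    and return one alert per event whose command line matches a pattern."""
    alerts = []
    for ev in events:
        label = classify_command(ev.get("CommandLine", ""))
        if label:
            alerts.append({
                "host": ev["Computer"],
                "user": ev["User"],
                "parent": ev.get("ParentImage", ""),
                "technique": label,
                "command": ev["CommandLine"],
            })
    return alerts

# Constructed sample events for the demo; they are not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"Computer": "WS01", "User": "CORP\\alice", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS02", "User": "CORP\\svc-backup", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "FS02", "User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},   # read-only query, should not alert
    {"Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""},
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert)
```

The parent image is carried in each alert because a shadow-copy deletion spawned from a file in a user's Temp directory deserves a faster response than one launched by a scheduled backup job.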

According to CISA, Phobos ransomware shares similarities with other families including Elking, Eight, Devos, Backmydata, and Faust. Phobos was observed being used in conjunction with other tools including SmokeLoader, Cobalt Strike, and Bloodhound. 

IOCs

PolySwarm actively tracks Phobos and has multiple samples of this family. We are also able to successfully extract Phobos ransom notes via triage. Hashes associated with recently reported Phobos activity are provided below.

 


You can use the following CLI command to search for all Phobos samples in our portal:

$ polyswarm link list -f Phobos

 


Topics: Threat Bulletin, Government, Critical Infrastructure, Ransomware, Healthcare, Energy, Education, Phobos, Emergency Services
