U.S. Authorities Issue Cybersecurity Advisory on Phobos Ransomware Threats

In a dire alert on cyber security, U.S. federal agencies have listed operational patterns which include the methods of attack and compromise signs related to Phobos ransomware and its like, based on intelligence until recently.

Since May 2019 when it first appeared, Phobos is a ransomware-as-a-service (RaaS) that has victimized various victims at other governmental levels (state, local, tribal and territorial) as well as sectors covering emergency services, education, healthcare and critical infrastructure, coupled with demands sometimes reaching into millions of dollars.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are the three organizations that issued the joint warning.

The advisory also stated that Phobos has close links with other ransomware organizations like Elking, Eight, Devos Backmydata and Faust on account of similarities in their attacking techniques. Additionally, the variant is popular among hackers as it is easy to deploy. It works on platforms like Smokeloader; Cobalt Strike and Bloodhound.

The agencies’ research reveals the initial invasion methods used by Phobos attackers, such as phishing and scanning for open Remote Desktop Protocol (RDP) ports with tools such as Angry IP scanner.

With these tactics, they can stealthily intrude into networks and activate ransomware.

How Hackers Deploy Phobos

To counteract these hazards, the agencies recommend hardening RDP configurations, timely patching of vulnerabilities and utilization of advanced EDR platforms.

The report further demonstrated how threat actors use the said the ransomware. They brute force RDP sessions, and install remote access tools after a breach. They carried out all these operations SmokeLoader trojan to pave the way for further infiltration of Phobos ransomware.

Other than that, the alarm brings out the ways through which such enemies can maintain accessibility and avoid detection by, for example, changing the settings of the firewall. There were indications of altering firewall setting, using anti-detection tools and applying native system utilities to elevate privileges as well as exfiltrating data.

Defensive strategies presented here include tightening up remote access security; implementing strict software execution policies; and adopting comprehensive logging practices that incorporate intrusion detection.

The warning also uncovers the tactics used by these adversaries to maintain access and evade detection, such as altering firewall settings, employing anti-detection tools, and utilizing native system utilities to escalate privileges and siphon off data.

Highlighted defensive strategies include enhancing remote access security, applying stringent software execution policies, and adopting comprehensive log collection and intrusion detection practices.