March 4, 2024
Severity
High
Analysis Summary
A recent warning issued by U.S. intelligence and cybersecurity agencies alerts about aggressive Phobos ransomware attacks that are targeting critical infrastructure and government entities. The advisory highlights multiple tactics and techniques that the ransomware gang uses to deploy the Phobos ransomware.
Phobos ransomware operates under a ransomware-as-a-service (RaaS) model, and its operators have targeted sectors including county and municipal governments, education, emergency services, critical infrastructure, and public healthcare, extorting millions of U.S. dollars in ransom. The joint advisory was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Federal Bureau of Investigation (FBI).
The ransomware first emerged in May 2019, and several Phobos variants have since been identified, including Backmydata, Faust, Devos, Elbie, Eight, and Eking. Other threat actors, such as the 8Base ransomware gang, have also been observed using a Phobos variant in their attacks. There is some evidence that Phobos is closely managed by a central authority that controls the ransomware's private decryption key.
Most attack chains involving this strain use phishing as the initial access vector to deploy stealthy loader malware such as SmokeLoader. In other cases, networks are breached through exposed RDP services that are brute-forced. Once inside, the threat actors drop additional payloads, including remote access tools, and use process injection to execute malicious code while evading detection. Persistence is maintained by modifying the Windows Registry on compromised hosts.
Phobos operators have also been observed using built-in Windows API functions to steal tokens, create new processes, and bypass access controls in order to escalate privileges, typically by leveraging the SeDebugPrivilege privilege. The attackers attempt to authenticate with cached password hashes found on infected systems until they obtain domain administrator access. The group is known for using the open-source tools SharpHound and BloodHound to enumerate Active Directory. Mega.io and WinSCP are used for file exfiltration, after which volume shadow copies are deleted to hinder recovery.
Ransomware remains attractive to financially motivated cybercriminals, with ransom demands reaching $600,000 in 2023, an alarming 20% increase over the previous year. The average ransom payment per victim stood at $568,705 as of the fourth quarter of 2023. Moreover, paying a ransom does not guarantee protection: a victim's systems and data may not be fully recovered, and the threat actors may still sell the stolen data on dark web forums.
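The initial-access, persistence and anti-recovery behaviours described above (RDP brute forcing, Registry Run-key modification, shadow copy deletion) can be turned into simple log detections. The following Python is an added example, not part of the Rewterz alert or the joint advisory; the log format, hostnames and IP addresses are constructed, and the command-line and registry patterns are assumptions about how those actions typically surface in Windows Security event logs.

```python
import re
from collections import Counter

# Constructed sample events (not from the advisory). Format: "<host>|<event_id>|<detail>".
# Event IDs follow Windows Security log conventions: 4625 failed logon, 4688 process
# creation, 4657 registry value modified. LogonType=10 is RemoteInteractive (RDP).
SAMPLE_LOGS = (
    ["srv01|4625|LogonType=10 TargetUser=Administrator Source=203.0.113.7"] * 5
    + [
        "srv01|4625|LogonType=10 TargetUser=backup Source=198.51.100.9",
        "srv01|4688|CommandLine=vssadmin.exe delete shadows /all /quiet",
        "ws02|4688|CommandLine=wmic shadowcopy delete",
        r"ws02|4657|Key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value=updater Data=C:\Users\Public\svc.exe",
        "ws02|4688|CommandLine=notepad.exe notes.txt",
    ]
)

# Assumed command-line patterns associated with volume shadow copy deletion.
SHADOW_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic\s+shadowcopy\s+delete", re.I),
]
# Registry Run / RunOnce keys commonly modified for persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)

def parse(line):
    """Split a constructed log line into (host, event_id, detail)."""
    host, event, detail = line.split("|", 2)
    return host, event, detail

def detect(lines, rdp_threshold=5):
    """Return a list of (host, alert_type, evidence) tuples for the TTPs above."""
    alerts = []
    rdp_failures = Counter()
    for line in lines:
        host, event, detail = parse(line)
        if event == "4625" and "LogonType=10" in detail:
            src = re.search(r"Source=(\S+)", detail)
            rdp_failures[(host, src.group(1) if src else "unknown")] += 1
        elif event == "4688" and any(p.search(detail) for p in SHADOW_PATTERNS):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif event == "4657" and RUN_KEY.search(detail):
            alerts.append((host, "run_key_persistence", detail))
    # Repeated RDP failures from one source against one host suggest brute forcing.
    for (host, src), n in rdp_failures.items():
        if n >= rdp_threshold:
            alerts.append((host, "rdp_bruteforce", f"{n} failed RDP logons from {src}"))
    return alerts
```

Run `detect(SAMPLE_LOGS)` to see the four alerts raised on the constructed events; the threshold is deliberately low for the sample and should be tuned to the environment's baseline.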
Impact
- Sensitive Data Theft
- Financial Loss
- Privilege Escalation
- File Encryption
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the ransomware.
- If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
- Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks.