Phobos Ransomware Analysis, Simulation and Mitigation- CISA Alert AA24-060A

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


On February 29, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Phobos ransomware [1]. Phobos ransomware entered the ransomware scene in May 2019 and has been an active Ransomware-as-a-Service group targeting government, healthcare, education, and critical infrastructure organizations. 

In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by Phobos ransomware and how organizations can defend themselves against Phobos ransomware attacks.

Phobos Ransomware

Phobos ransomware started its operations as a variant of Crysis/Dharma ransomware in May 2019.  Phobos ransomware operates as the Ransomware-as-a-Service business model and has influenced many other ransomware variants such as Backmydata, Devos, Eking, Eight, 8Base, and Faust ransomware. These ransomware variants follow similar TTPs observed in Phobos attacks with small differences in file extensions for encrypted files. 

As an initial access vector, Phobos threat actors often use phishing and brute-force attacks against exposed RDP services. After establishing an initial foothold in the target system, adversaries install remote access tools for persistence. Phobos and affiliated threat actors often use open-source tools like Bloodhound, Cobalt Strike, and SmokeLoader, as they are readily available and easy to use in different operating systems. These tools allow attackers to run reconnaissance in the compromised network, download additional malware, and establish covert communication with the adversary's C2 server. Lastly, Phobos operators exfiltrate their victims' sensitive files, delete backups, and encrypt all connected logical drives on the infected host. 

Phobos Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts & T1133 External Remote Services

Phobos threat actors scan for exposed RDP services and run brute-force attacks to acquire valid accounts. After gaining initial access, exploited RDP services also serve as a persistent connection to the target system.

T1566.001 Phishing: Spearphishing Attachment

Phobos operators use spearphishing emails to gain initial access to target systems. Adversaries craft benign-looking emails with malicious attachments to trick unsuspecting users into infecting their systems.


T1047 Windows Management Instrumentation 

Phobos ransomware uses the following commands to delete volume shadow copies using Windows Management Instrumentation (WMI).

wmic shadowcopy delete

T1059.003 Windows Command Shell 

Adversaries use the following shell commands to impair defenses and inhibit system recovery.

//T1562 Impair Defenses

netsh advfirewall set currentprofile state off

netsh firewall set opmode mode=disable

//T1490 Inhibit System Recovery

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet

T1106 Native API

In earlier Phobos samples, adversaries were observed using the following Windows Crypto API functions for key management and file encryption.








T1547.001 Registry Run Keys / Startup Folder

Phobos ransomware places itself in the startup folder and registry keys for persistence.


%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware} %AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware}

Privilege Escalation

T1055 Process Injection

Phobos threat actors use an open-source tool named Smokeloader for process injection. Smokeloader injects malicious code into legitimate processes like explorer.exe and allows adversaries to bypass defensive security controls.

T1134 Access Token Manipulation

Phobos ransomware uses a known vulnerability in the .NET Profiler DLL loading process to bypass UAC, allowing adversaries to execute commands with elevated privileges.

Defense Evasion

T1218.005 System Binary Proxy Execution: Mshta 

Adversaries use a Windows native binary called mshta.exe to display the ransom note to victims.

mshta C:\%USERPROFILE%\Desktop\info.hta
mshta C:\%PUBLIC%\Desktop\info.hta
mshta C:\info.hta

T1562 Impair Defenses 

Phobos threat actors disable the system firewall using the commands below. Additionally, they use tools like PowerTool, Process Hacker, and Universal Virus Sniffer to impair and evade defenses.

netsh advfirewall set currentprofile state off

netsh firewall set opmode mode=disable

Credential Access

T1003 OS Credential Dumping & T1555 Credentials from Password Stores

Adversaries use Mimikatz dump credentials from LSASS memory. They also use NirSoft and Passview to export passwords from web browsers.

T1110 Brute Force

Phobos threat actors use brute-force attacks to gain access to valid accounts for exposed RDP services.


T1087.002 Domain Account

Phobos operators use Bloodhound and Sharphound to enumerate the victim's Active Directory.


T1560 Archive Collected Data

Prior to exfiltration for double extortion, Phobos threat actors archive the victims' sensitive files either as .rar or .zip.

Command and Control (C2)

T1001 Data Obfuscation & T1105 Ingress Tool Transfer

Phobos threat actors use Smokeloader to obfuscate C2 communication by producing requests to legitimate websites and downloading additional malware to the compromised system.

T1071.002 File Transfer Protocols 

Adversaries use WinSCP for data exfiltration to an adversary-controlled FTP server.

T1219 Remote Access Software 

Phobos group uses AnyDesk for remote and persistent access to compromised hosts.


T1048 Exfiltration Over Alternative Protocol & T1567.002 Exfiltration to Cloud Storage 

Adversaries use WinSCP and to exfiltrate the victims' sensitive data to an FTP server or a cloud storage provider, respectively.


T1486 Data Encrypted for Impact 

Phobos ransomware uses a hybrid cryptosystem to encrypt files. It uses AES-256 for symmetric encryption and RSA-1024 with a hardcoded key for asymmetric encryption.

T1490 Inhibit System Recovery 

Adversaries use the following commands to delete volume shadow copies and prevent their victims from recovering their encrypted files.

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet

How Picus Helps Simulate Phobos Ransomware Attacks?

We also strongly suggest simulating Phobos ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit, ALPHV, and CL0P, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Phobos ransomware

Threat ID

Threat Name

Attack Module


PhobosRansomware Download Threat

Network Infiltration


Phobos Ransomware Email Threat

Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Phobos ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Phobos ransomware:

Security Control

Signature ID

Signature Name

Check Point NGFW



Check Point NGFW



Check Point NGFW



Check Point NGFW



Check Point NGFW



Cisco FirePower



Cisco FirePower



Cisco FirePower



Cisco FirePower



Cisco FirePower



Forcepoint NGFW



Fortigate AV





MALWARE: Malicious File Detected by GTI

Palo Alto


trojan/Win32 EXE.blocker.abhn

Palo Alto



Palo Alto



Palo Alto



Palo Alto



Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.


[1] "#StopRansomware: Phobos Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: [Accessed: Mar. 01, 2024]