Phobos Ransomware Analysis, Simulation and Mitigation- CISA Alert AA24-060A

On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Phobos ransomware [1]. Phobos ransomware entered the ransomware scene in May 2019 and has been an active Ransomware-as-a-Service group targeting government, healthcare, education, and critical infrastructure organizations.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Phobos ransomware and how organizations can defend themselves against Phobos ransomware attacks.

Phobos Ransomware

Phobos ransomware started its operations as a variant of Crysis/Dharma ransomware in May 2019. Phobos ransomware operates under the Ransomware-as-a-Service business model and has influenced many other ransomware variants, such as Backmydata, Devos, Eking, Eight, 8Base, and Faust ransomware. These variants follow TTPs similar to those observed in Phobos attacks, with small differences such as the file extensions appended to encrypted files.

As an initial access vector, Phobos threat actors often use phishing and brute-force attacks against exposed RDP services. After establishing an initial foothold in the target system, adversaries install remote access tools for persistence. Phobos and affiliated threat actors often use open-source tools like Bloodhound, Cobalt Strike, and SmokeLoader, as they are readily available and easy to use in different operating systems. These tools allow attackers to run reconnaissance in the compromised network, download additional malware, and establish covert communication with the adversary's C2 server. Lastly, Phobos operators exfiltrate their victims' sensitive files, delete backups, and encrypt all connected logical drives on the infected host. 

Phobos Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts & T1133 External Remote Services

Phobos threat actors scan for exposed RDP services and run brute-force attacks to acquire valid accounts. After gaining initial access, exploited RDP services also serve as a persistent connection to the target system.

T1566.001 Phishing: Spearphishing Attachment

Phobos operators use spearphishing emails to gain initial access to target systems. Adversaries craft benign-looking emails with malicious attachments to trick unsuspecting users into infecting their systems.

Execution

T1047 Windows Management Instrumentation 

Phobos ransomware uses the following command to delete volume shadow copies using Windows Management Instrumentation (WMI).

wmic shadowcopy delete

T1059.003 Windows Command Shell 

Adversaries use the following shell commands to impair defenses and inhibit system recovery.

//T1562 Impair Defenses

netsh advfirewall set currentprofile state off

netsh firewall set opmode mode=disable


//T1490 Inhibit System Recovery

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet


T1106 Native API

In earlier Phobos samples, adversaries were observed using the following Windows Crypto API functions for key management and file encryption.

CryptDestroyKey

CryptEncrypt

CryptImportKey

CryptGenRandom

CryptSetKeyParam

CryptAcquireContextW

Persistence

T1547.001 Registry Run Keys / Startup Folder

Phobos ransomware places itself in the startup folder and registry keys for persistence.

C:\Users\Admin\AppData\Local\directory
%AppData%\Local\{malware}

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware}
%AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware}

Privilege Escalation

T1055 Process Injection

Phobos threat actors use an open-source tool named SmokeLoader for process injection. SmokeLoader injects malicious code into legitimate processes like explorer.exe and allows adversaries to bypass defensive security controls.

T1134 Access Token Manipulation

Phobos ransomware uses a known vulnerability in the .NET Profiler DLL loading process to bypass UAC, allowing adversaries to execute commands with elevated privileges.

Defense Evasion

T1218.005 System Binary Proxy Execution: Mshta 

Adversaries use a Windows native binary called mshta.exe to display the ransom note to victims.

mshta C:\%USERPROFILE%\Desktop\info.hta
mshta C:\%PUBLIC%\Desktop\info.hta
mshta C:\info.hta


T1562 Impair Defenses 

Phobos threat actors disable the system firewall using the commands below. Additionally, they use tools like PowerTool, Process Hacker, and Universal Virus Sniffer to impair and evade defenses.

netsh advfirewall set currentprofile state off

netsh firewall set opmode mode=disable


Credential Access

T1003 OS Credential Dumping & T1555 Credentials from Password Stores

Adversaries use Mimikatz to dump credentials from LSASS memory. They also use NirSoft and Passview tools to export passwords from web browsers.

T1110 Brute Force

Phobos threat actors use brute-force attacks to gain access to valid accounts for exposed RDP services.
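The RDP brute-force activity described under T1078 and T1110 leaves a recognizable trail in the Windows Security log: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source address, often followed by a successful logon (event 4624) from the same address once a password is guessed. The script below is an added example, not code from the CISA advisory or from Picus: it runs a sliding-window count over constructed event records, and the field names, the five-failure threshold and the two-minute window are assumptions to be tuned to your environment.

```python
"""RDP brute-force detection over Windows Security log events.

Added example, not code from the CISA advisory or from Picus. It runs over
constructed records shaped like Security events 4625 (logon failed) and
4624 (logon succeeded); the field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10            # RemoteInteractive: Terminal Services / RDP
FAIL_THRESHOLD = 5             # assumption: failures per source that raise an alert
WINDOW = timedelta(minutes=2)  # assumption: sliding window for counting failures

# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    # One source cycles through account names, then logs on successfully:
    # the brute force of T1110 yielding the valid account of T1078.
    {"time": "2024-03-01T10:00:01", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:00:08", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:00:15", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:00:22", "id": 4625, "user": "backup",        "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:00:29", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:00:36", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T10:01:10", "id": 4624, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    # A user mistypes a password twice and then logs on: stays below threshold.
    {"time": "2024-03-01T10:02:00", "id": 4625, "user": "jsmith", "src": "192.0.2.5", "logon_type": 10},
    {"time": "2024-03-01T10:02:20", "id": 4625, "user": "jsmith", "src": "192.0.2.5", "logon_type": 10},
    {"time": "2024-03-01T10:02:40", "id": 4624, "user": "jsmith", "src": "192.0.2.5", "logon_type": 10},
    # Network logons (type 3) are outside this RDP-focused rule.
    {"time": "2024-03-01T10:03:00", "id": 4625, "user": "svc", "src": "198.51.100.9", "logon_type": 3},
    {"time": "2024-03-01T10:03:01", "id": 4625, "user": "svc", "src": "198.51.100.9", "logon_type": 3},
    {"time": "2024-03-01T10:03:02", "id": 4625, "user": "svc", "src": "198.51.100.9", "logon_type": 3},
    {"time": "2024-03-01T10:03:03", "id": 4625, "user": "svc", "src": "198.51.100.9", "logon_type": 3},
    {"time": "2024-03-01T10:03:04", "id": 4625, "user": "svc", "src": "198.51.100.9", "logon_type": 3},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert dict per source address that crossed the threshold.

    An alert carries the highest failure count seen inside the window, the
    distinct usernames tried, and, when a 4624 from the same source follows,
    the account that eventually logged on (the valid account of T1078).
    """
    events = sorted(events, key=lambda e: _parse_time(e["time"]))
    recent_failures = defaultdict(list)  # src -> [(time, user), ...] within window
    alerts = {}                           # src -> alert dict
    for event in events:
        if event["logon_type"] != LOGON_TYPE_RDP:
            continue
        src, now = event["src"], _parse_time(event["time"])
        if event["id"] == EVENT_LOGON_FAILED:
            # Keep only failures that fall inside the sliding window.
            recent_failures[src] = [(t, u) for t, u in recent_failures[src] if t >= now - window]
            recent_failures[src].append((now, event["user"]))
            if len(recent_failures[src]) >= threshold:
                alert = alerts.setdefault(
                    src, {"src": src, "failures": 0, "users": set(), "success_user": None})
                alert["failures"] = max(alert["failures"], len(recent_failures[src]))
                alert["users"].update(u for _, u in recent_failures[src])
        elif event["id"] == EVENT_LOGON_SUCCESS and src in alerts:
            # A success after the burst means a password was guessed.
            alerts[src]["success_user"] = event["user"]
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{alert['src']}: {alert['failures']} RDP failures against "
              f"{alert['users']}, then logon as {alert['success_user']!r}")
```

A success following the burst is the event worth paging on: it marks the moment the attacker holds a working account, which in Phobos intrusions is also the persistent way back in.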

Discovery

T1087.002 Domain Account

Phobos operators use Bloodhound and Sharphound to enumerate the victim's Active Directory.

Collection

T1560 Archive Collected Data

Prior to exfiltration for double extortion, Phobos threat actors archive the victims' sensitive files either as .rar or .zip.

Command and Control (C2)

T1001 Data Obfuscation & T1105 Ingress Tool Transfer

Phobos threat actors use SmokeLoader to obfuscate C2 communication by producing requests to legitimate websites and to download additional malware to the compromised system.

T1071.002 File Transfer Protocols 

Adversaries use WinSCP for data exfiltration to an adversary-controlled FTP server.

T1219 Remote Access Software 

Phobos group uses AnyDesk for remote and persistent access to compromised hosts.

Exfiltration

T1048 Exfiltration Over Alternative Protocol & T1567.002 Exfiltration to Cloud Storage 

Adversaries use WinSCP and mega.io to exfiltrate the victims' sensitive data to an FTP server or a cloud storage provider, respectively.

Impact

T1486 Data Encrypted for Impact 

Phobos ransomware uses a hybrid cryptosystem to encrypt files. It uses AES-256 for symmetric encryption and RSA-1024 with a hardcoded key for asymmetric encryption.

T1490 Inhibit System Recovery 

Adversaries use the following commands to delete volume shadow copies and prevent their victims from recovering their encrypted files.

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
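The command lines listed in this post under T1059.003, T1562, T1218.005 and T1490 share a useful property for defenders: they are rarely typed in sequence by a legitimate administrator, and each is easy to match in process-creation telemetry. The script below is an added example, not code from the CISA advisory or from Picus. It maps each listed command to its ATT&CK technique and aggregates matches per host; the input records are constructed and only loosely modelled on Sysmon process-creation events, so their field names and the "two recovery-inhibition commands" severity rule are assumptions.

```python
"""Flag Phobos-style recovery-inhibition and defense-impairment commands.

Added example, not code from the CISA advisory or from Picus. The patterns
cover the command lines listed in this post (vssadmin, wmic, bcdedit, wbadmin,
netsh, mshta). The input records are constructed and only loosely modelled
on Sysmon process-creation events; their field names are assumptions.
"""
import re

# Technique ID -> command-line patterns. Quotes and ".exe" are optional so a
# full image path such as "C:\Windows\System32\wbadmin.exe" still matches.
PATTERNS = {
    "T1490": [  # Inhibit System Recovery
        r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows',
        r'\bwmic(?:\.exe)?"?\s+shadowcopy\s+delete',
        r'\bbcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+'
        r'(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)',
        r'\bwbadmin(?:\.exe)?"?\s+delete\s+catalog',
    ],
    "T1047": [  # Windows Management Instrumentation
        r'\bwmic(?:\.exe)?"?\s+shadowcopy\s+delete',
    ],
    "T1562": [  # Impair Defenses: host firewall switched off
        r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+set\s+\w+\s+state\s+off',
        r'\bnetsh(?:\.exe)?"?\s+firewall\s+set\s+opmode\s+mode=disable',
    ],
    "T1218.005": [  # Mshta launching a local .hta (ransom note display)
        r'\bmshta(?:\.exe)?"?\s+.*\.hta\b',
    ],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in ps] for t, ps in PATTERNS.items()}

# Constructed sample records (not real telemetry). WS01 runs the full
# Phobos sequence; SRV02 shows administrative, read-only use of the same tools.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": '"C:\\Windows\\System32\\wbadmin.exe" DELETE CATALOG -quiet'},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"host": "WS01", "parent": "cmd.exe", "cmdline": "netsh firewall set opmode mode=disable"},
    {"host": "WS01", "parent": "explorer.exe", "cmdline": r"mshta C:\%USERPROFILE%\Desktop\info.hta"},
    {"host": "SRV02", "parent": "powershell.exe", "cmdline": "vssadmin list shadows"},
    {"host": "SRV02", "parent": "powershell.exe", "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "SRV02", "parent": "powershell.exe", "cmdline": "bcdedit /enum"},
]


def classify(cmdline):
    """Return the set of technique IDs whose patterns match one command line."""
    return {t for t, regs in COMPILED.items() if any(r.search(cmdline) for r in regs)}


def scan(events, recovery_threshold=2):
    """Aggregate matches per host.

    Returns {host: {"techniques": [...], "recovery_hits": n, "matched": [...],
    "severity": "high" | "medium"}}. Several distinct recovery-inhibition
    commands from one host is the strong signal; a single one may still be
    an administrator at work, hence the lower severity.
    """
    findings = {}
    for event in events:
        techniques = classify(event["cmdline"])
        if not techniques:
            continue
        f = findings.setdefault(event["host"], {"techniques": set(), "recovery_hits": 0, "matched": []})
        f["techniques"] |= techniques
        f["recovery_hits"] += "T1490" in techniques
        f["matched"].append(event["cmdline"])
    for f in findings.values():
        f["techniques"] = sorted(f["techniques"])
        f["severity"] = "high" if f["recovery_hits"] >= recovery_threshold else "medium"
    return findings


if __name__ == "__main__":
    for host, f in scan(SAMPLE_EVENTS).items():
        print(f"{host}: severity={f['severity']} techniques={f['techniques']} "
              f"recovery_hits={f['recovery_hits']}")
```

The same patterns translate directly into a Sigma or EDR rule on the process command line; the per-host aggregation is what separates a backup operator running one `vssadmin` command from the shadow-copy, boot-policy and catalog deletions that precede encryption.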

How Does Picus Help Simulate Phobos Ransomware Attacks?

We also strongly suggest simulating Phobos ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit, ALPHV, and CL0P, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Phobos ransomware:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 90644 | Phobos Ransomware Download Threat | Network Infiltration |
| 20874 | Phobos Ransomware Email Threat | Email Infiltration (Phishing) |


Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Phobos ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Phobos ransomware:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | 09DBD3225 | Ransomware.Win32.Phobos.TC.b384dDjK |
| Check Point NGFW | 092E24180 | Ransomware.Win32.Phobos.TC.8811RCRG |
| Check Point NGFW | 092A9DE2C | Ransomware.Win32.Phobos.TC.bc7aSUsc |
| Check Point NGFW | 0E380BC15 | Ransomware.Win32.Phobos.TC.35bfCltB |
| Check Point NGFW | 0DE6590EC | Ransomware.Win32.Phobos.TC.9e73OHi |
| Cisco Firepower | | Win.Dropper.Phobos::in03.talos |
| Cisco Firepower | | W32.102844E3E9.in12.Talos |
| Cisco Firepower | | W32.Auto:fd7e8b.in03.Talos |
| Cisco Firepower | | Ransom:GenericRXJO.26l4.in14.Talos |
| Cisco Firepower | | W32.Auto:1c29b2bd22.in03.Talos |
| Forcepoint NGFW | | File_Malware-Blocked |
| FortiGate AV | 10084673 | W32/FilecoderPhobos.C!tr.ransom |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 278539035 | trojan/Win32 EXE.blocker.abhn |
| Palo Alto | 615552159 | Ransom/Win32.phobos.qy |
| Palo Alto | 614519325 | Ransom/Win32.phobos.qs |
| Palo Alto | 613915407 | Ransom/Win32.phobos.qr |
| Palo Alto | 459798392 | Ransom/Win32.phobos.rd |


Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "#StopRansomware: Phobos Ransomware," Cybersecurity and Infrastructure Security Agency (CISA). Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a. [Accessed: Mar. 01, 2024]