U.S. cybersecurity and intelligence agencies have issued a warning about Phobos ransomware attacks targeting government and critical infrastructure entities. Structured as a ransomware-as-a-service model, Phobos has successfully targeted municipal and county governments, emergency services, education, healthcare, and critical infrastructure, resulting in ransom payments totalling millions of dollars.
Multiple variants of Phobos ransomware, including Eking, Eight, Elbie, Devos, Faust, and Backmydata, have been identified since its inception in May 2019. The ransomware's operators likely manage a central authority controlling its private decryption key.
Phobos attacks typically begin with phishing or exploiting vulnerable Remote Desktop Protocol (RDP) services, leading to the deployment of stealthy payloads like SmokeLoader. The attackers then use various techniques to evade detection and maintain persistence within compromised environments, including process injection, Windows Registry modifications, and privilege escalation.
Phobos actors have also been observed using Windows API functions to steal tokens and bypass access controls, while open-source tools like Bloodhound and Sharphound are used for active directory enumeration. The ransomware group also employs file exfiltration tools and deletes volume shadow copies to hinder recovery efforts.
In a separate incident, ransomware actor CACTUS orchestrated a synchronized and multifaceted attack on two separate companies, targeting their virtualization infrastructure and exploiting a critical security flaw in an internet-exposed Ivanti Sentry server.
Ransomware remains a lucrative business for threat actors, with initial ransom demands reaching a median of $600,000 in 2023. However, paying the ransom does not guarantee data recovery or protection from future attacks, as evidenced by a high percentage of victims being targeted again after paying the ransom.
