Phobos Ransomware Targets US Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has issued an advisory warning about the known attack methodologies and indicators of compromise utilized by the Phobos ransomware group. This guidance aims to better equip government organizations to defend against ransomware threats.

Since 2019, Phobos, operating on a “Ransomware-as-a-Service” (RaaS) model, has targeted the information systems of municipal and county authorities, emergency services, educational institutions, medical facilities, and other critical infrastructure. The RaaS model lets individuals with minimal knowledge and experience launch attacks using pre-made tooling supplied by the ransomware's developers.


“Structured as a ransomware-as-a-service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

In May 2023 alone, experts attributed 67 incidents to Phobos, with most victims located in the USA and Brazil.

Although CISA and other federal agencies advise against paying ransoms, since payment does not guarantee the restoration of data and services, Phobos has successfully extorted millions of dollars from victims through its ransomware operations. According to a 2021 report from the U.S. Department of Health, the average ransom payment is approximately $38,100.

Phobos ransomware employs two primary methods for initial access. The first is phishing, which deceives users into handing over their credentials.

The second is direct remote access over Microsoft’s Remote Desktop Protocol (RDP), the service used for remote PC management.

Rose notes that phishing campaigns are the most common and effective cyberattack method, not due to simplicity of execution, but because of the human factor. “Phishing is a form of social engineering that plays on human weaknesses. We are curious and easily deceived, which is why magicians can still easily fool the audience,” he explains.

According to him, phishing emails are becoming more convincing with the help of generative AI. “AI can create very persuasive phishing emails. Hackers are unlikely to abandon phishing — it’s too effective. And now, tools are emerging that make this method even more dangerous.”

However, Rose believes that generative AI can also be beneficial for protection: “AI could detect threat indicators that are invisible to humans and prevent attacks.”

Once inside the system, Phobos establishes persistence by placing its code in key system locations, such as the Windows startup folder, and by creating new registry keys. It then locates and encrypts local user files, shared network drives, and other data. Victims are then coerced into paying a ransom for decryption.

Since no Phobos decryptor exists other than the one held by the ransomware’s operators, CISA recommends organizations adopt standard cybersecurity measures. These include securing the Remote Desktop Protocol (RDP), using strong, complex passwords, locking accounts after several unsuccessful login attempts, implementing multi-factor authentication, using VPNs, and regularly updating software.
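The RDP hardening advice above (lockout after repeated failures, no directly exposed RDP) is easier to act on when failed remote logons are actually watched. The following Python script is an added example written for this article; it is not CISA's tooling or anything from the advisory. It reads a simplified, constructed text rendering of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and raises one alert per source address that exceeds a failure threshold inside a sliding window. It distinguishes repeated failures against one account (brute force) from failures spread across many accounts (password spraying, which a per-account lockout policy alone does not stop) and flags whether a successful RDP logon followed the burst. The log format, the sample addresses and accounts, and the threshold values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records modelled loosely on Windows Security events.
# Event 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = network (e.g. SMB).
# Addresses and account names are invented for this example.
SAMPLE_LOG = """\
2024-03-01T02:14:03Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:14:21Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:14:40Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:15:02Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:15:30Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:16:11Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:16:45Z 4624 LogonType=10 Account=administrator Source=203.0.113.7
2024-03-01T02:30:00Z 4625 LogonType=10 Account=alice Source=198.51.100.23
2024-03-01T02:30:15Z 4625 LogonType=10 Account=bob Source=198.51.100.23
2024-03-01T02:30:31Z 4625 LogonType=10 Account=carol Source=198.51.100.23
2024-03-01T02:30:48Z 4625 LogonType=10 Account=dave Source=198.51.100.23
2024-03-01T02:31:05Z 4625 LogonType=10 Account=erin Source=198.51.100.23
2024-03-01T01:00:00Z 4625 LogonType=10 Account=helpdesk Source=192.0.2.5
2024-03-01T01:10:00Z 4625 LogonType=10 Account=helpdesk Source=192.0.2.5
2024-03-01T03:00:01Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:02Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:03Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:04Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:05Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:06Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
2024-03-01T03:00:07Z 4625 LogonType=3 Account=svc_backup Source=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the simplified log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": int(m["event"]), "ltype": int(m["ltype"]),
                       "acct": m["acct"], "src": m["src"]})
    return events


def detect_rdp_attacks(events, threshold=5, spray_accounts=4, window=timedelta(minutes=5)):
    """Return one alert per source whose RDP failures reach `threshold` within `window`.

    `threshold` is chosen to mirror an account lockout threshold; `spray_accounts`
    is the number of distinct accounts in the window at which the burst is
    classified as password spraying rather than brute force against one account.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["ltype"] == 10:          # only RemoteInteractive (RDP) logons matter here
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]

        # Sliding window: keep the densest run of failures that fits inside `window`.
        best, start = [], 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = failures[start:end + 1]
        if len(best) < threshold:
            continue

        accounts = sorted({e["acct"] for e in best})
        kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
        last_fail = best[-1]["ts"]
        # A successful RDP logon shortly after the burst is the case that needs a human now.
        followed_by_success = any(
            e["event"] == 4624 and last_fail <= e["ts"] <= last_fail + window for e in evs
        )
        alerts.append({"source": src, "kind": kind, "failures": len(best),
                       "accounts": accounts, "followed_by_success": followed_by_success})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the script produces two alerts: a password-spray alert for 198.51.100.23 (five accounts, no success) and a brute-force alert for 203.0.113.7 (six failures against one account, followed by a successful logon). The two scattered helpdesk failures stay below the threshold, and the SMB failures from 10.0.0.9 are excluded because they are not RDP logons; a real deployment would feed the same logic from the Security event log or a SIEM rather than from a text sample.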