
U.S. Agencies Warn of Rising Phobos Ransomware Attacks

US cybersecurity and intelligence agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a warning about the rise in Phobos ransomware attacks, primarily targeting government entities and critical infrastructure sectors since May 2019.

At a glance

  • U.S. cybersecurity and intelligence agencies, including CISA, FBI, and MS-ISAC, have issued a warning about the increasing Phobos ransomware attacks, primarily targeting government entities and critical infrastructure sectors.
  • Phobos ransomware operates under a ransomware-as-a-service (RaaS) model and has been active since May 2019, with multiple variants identified.
  • The primary attack chains usually involve phishing or exploiting exposed Remote Desktop Protocol (RDP) services, followed by dropping additional remote access tools, executing malicious code, and modifying the Windows Registry to maintain persistence.
  • Bitdefender detailed a coordinated ransomware attack impacting two separate companies simultaneously, attributed to a ransomware actor called CACTUS, indicating a shift in focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts.
  • Ransomware demands reached a median of $600,000 in 2023, a 20% increase from the previous year. Paying does not guarantee future protection or safe recovery of data and systems: 78% of organizations that paid were attacked again.

The details

U.S. Cybersecurity and Intelligence Agencies Issue Warning

U.S. cybersecurity and intelligence agencies have issued a warning about the increasing Phobos ransomware attacks.

The agencies include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Phobos ransomware primarily targets government entities and critical infrastructure sectors. The ransomware has been operating under a ransomware-as-a-service (RaaS) model. The sectors under attack include municipal and county governments, emergency services, education, public healthcare, and other crucial infrastructure.

Phobos ransomware has been active since May 2019. Multiple variants, such as Eking, Eight, Elbie, Devos, Faust, and Backmydata, have been identified. The ransomware seems to be managed by a central authority controlling the private decryption key. The primary attack chains usually involve phishing as the initial access vector. Alternatively, the attackers breach vulnerable networks by exploiting exposed Remote Desktop Protocol (RDP) services.

After breaching a network, the attackers drop additional remote access tools. They execute malicious code using process injection techniques. They also modify the Windows Registry to maintain persistence. Phobos actors have been observed misusing Windows API functions to steal tokens, bypass access controls, and escalate privileges. These actors also use open-source tools like BloodHound and SharpHound to enumerate Active Directory. They exfiltrate files via WinSCP and Mega.io.
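As an added example (not part of the advisory or this article), the following Python correlator runs over constructed Security/Sysmon events and flags a host only when the stages described above appear in order: an RDP logon from outside the organisation, a Run-key persistence write, a SharpHound/BloodHound launch, and a WinSCP or MEGA client launch. The internal address ranges, the Run-key location and the tool image names are assumptions that a real deployment would tune.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's own address space; RDP logons from anywhere else count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address: do not count it as an external logon
    return not any(addr in net for net in INTERNAL_NETS)

def _image_has(e, names):
    image = e.get("image", "").lower()
    return e["id"] == 1 and any(n in image for n in names)

# Chain stages in the order the advisory describes them: (stage name, predicate on one event).
# Event IDs are real: Security 4624 (logon; logon type 10 = RemoteInteractive/RDP),
# Sysmon 1 (process create), Sysmon 13 (registry value set). Tool names are assumptions.
STAGES = [
    ("rdp_logon", lambda e: e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e.get("src_ip", ""))),
    ("registry_persistence", lambda e: e["id"] == 13 and "\\currentversion\\run" in e.get("target", "").lower()),
    ("ad_enumeration", lambda e: _image_has(e, ("sharphound", "bloodhound"))),
    ("exfil_tool", lambda e: _image_has(e, ("winscp", "megasync", "megacmd"))),
]
STAGE_ORDER = [name for name, _ in STAGES]

def match_chain(events):
    """Map host -> stage names in the order each was first observed (events sorted by ts)."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, pred in STAGES:
            if name not in seen[e["host"]] and pred(e):
                seen[e["host"]].append(name)
    return {host: stages for host, stages in seen.items() if stages}

def suspicious_hosts(events, min_stages=3):
    """Hosts with at least min_stages stages observed in the same order as the chain."""
    flagged = []
    for host, stages in match_chain(events).items():
        in_order = stages == sorted(stages, key=STAGE_ORDER.index)
        if len(stages) >= min_stages and in_order:
            flagged.append(host)
    return flagged

# Constructed sample telemetry (not real logs): SRV01 shows the full chain, WS02 only a WinSCP launch.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "SRV01", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": 2, "host": "SRV01", "id": 13, "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"ts": 3, "host": "SRV01", "id": 1, "image": "C:\\Users\\Public\\SharpHound.exe"},
    {"ts": 4, "host": "SRV01", "id": 1, "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"},
    {"ts": 1, "host": "WS02", "id": 4624, "logon_type": 10, "src_ip": "10.0.0.5"},
    {"ts": 2, "host": "WS02", "id": 1, "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"},
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))  # ['SRV01']
```

A lone WinSCP launch on WS02 is not flagged; requiring several stages in sequence is what keeps a correlation like this from paging on every administrator's file transfer.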

Details of a Coordinated Ransomware Attack

Bitdefender has detailed a coordinated ransomware attack impacting two separate companies simultaneously. This attack was attributed to a ransomware actor called CACTUS. CACTUS infiltrated the network of one organization, implanting various types of remote access tools. They created tunnels across different servers. The attack targeted the company’s virtualization infrastructure. This indicates a shift in focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts. The attack exploited a critical security flaw in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure.

Ransomware Demands and Repercussions

Ransomware demands reached a median of $600,000 in 2023. This marks a 20% increase from the previous year. The average ransom payment per victim stood at $568,705. However, paying a ransom does not guarantee future protection or safe recovery of data and systems.

Data from cybersecurity company Cybereason shows that 78% of organizations were attacked again after paying the ransom. Of these, 82% were attacked within a year. Disturbingly, 63% of these victims were asked to pay more the second time.
