Phobos

| Attribute | Details |
|---|---|
| Additional Names | Deep |
| Type of Malware | Ransomware |
| Country of Origin | Unknown |
| Date of initial activity | 2017 |
| Associated Groups | 8Base Group, Dharma |
| Motivation | Financial Gain |
| Attack vectors | Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns to drop hidden payloads or by using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports, or by leveraging RDP on Microsoft Windows environments. |
| Targeted systems | Windows |
| Variants | Phobos ransomware has influenced many other ransomware variants such as Backmydata, Devos, Eking, Eight, 8Base, and Faust ransomware. These variants follow TTPs similar to those observed in Phobos attacks, with small differences in the file extensions appended to encrypted files. |
Overview
Phobos is ransomware that encrypts files and demands a ransom for their release. It uses AES encryption and appends a varying extension to encrypted files; without the attackers' key, the affected files cannot be recovered.
Phobos ransomware first surfaced in late 2017 with many researchers quickly discovering links between Phobos and the Dharma and CrySiS ransomware variants. The Phobos ransomware operators are known to primarily target small- to medium-sized businesses (including healthcare entities such as hospitals) and typically demand lower ransom amounts compared to other ransomware families.
Phobos proved to be one of the most prevalent ransomware families throughout 2019 and 2020. The capabilities of Phobos ransomware continue to evolve, with new variants making the ransomware more difficult to detect, identified as recently as April 2021. Basic mitigations include securing Remote Desktop Protocol (RDP), strong password and account lockout policies, enforcing multi-factor authentication, enforcing virtual private networks, disaster recovery strategies, and keeping software updated.
Targets
The ransomware targets organizations all over the world. The Phobos ransomware operators are known to primarily target small- to medium-sized businesses (including healthcare entities such as hospitals).
Tools/Techniques Used
Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound.
Reconnaissance and Initial Access
Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.
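The RDP brute-force pattern described above (repeated failed remote logons from one source, followed by a successful one) is something a defender can alert on from the Windows Security log. The following detector is an added example, not tooling from the profile or any vendor: it walks simplified 4625 (logon failed) and 4624 (logon succeeded) records restricted to logon type 10 (RemoteInteractive, i.e. RDP), keeps a sliding window of failures per source IP, and reports a source that crosses a threshold together with the account it eventually succeeded as. The event records, threshold and window are constructed assumptions; a real pipeline would feed parsed events from a SIEM or Windows Event Forwarding.

```python
"""Detect RDP brute-force activity and a subsequent successful logon from the
same source. Added example; not code from the Phobos profile."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # RemoteInteractive (Terminal Services / RDP)
FAIL_THRESHOLD = 5             # failures inside WINDOW that raise an alert (assumption)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumption)

# Constructed Security-log events in simplified form. In production these
# would be parsed 4625/4624 events; the IPs and users here are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:01", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2024-01-10T02:00:09", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2024-01-10T02:00:17", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2024-01-10T02:00:25", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2024-01-10T02:00:33", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2024-01-10T02:00:41", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2024-01-10T02:01:02", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    # A user mistyping a password twice from the office LAN: below threshold.
    {"ts": "2024-01-10T02:03:00", "id": 4625, "logon_type": 10, "src_ip": "10.0.0.5", "user": "jsmith"},
    {"ts": "2024-01-10T02:03:30", "id": 4625, "logon_type": 10, "src_ip": "10.0.0.5", "user": "jsmith"},
    {"ts": "2024-01-10T02:04:00", "id": 4624, "logon_type": 10, "src_ip": "10.0.0.5", "user": "jsmith"},
    # Console logon (type 2) is out of scope for an RDP rule.
    {"ts": "2024-01-10T02:05:00", "id": 4625, "logon_type": 2, "src_ip": "-", "user": "svc_sql"},
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window count of RDP logon failures per source IP.

    Returns one alert dict per source that reaches `threshold` failures inside
    `window`, recording the peak failure count, the accounts tried, the first
    failure in the triggering window, and the account of the first successful
    RDP logon from that source after the alert (None if no success was seen).
    """
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort correctly
    recent = defaultdict(list)  # src_ip -> [(timestamp, user)] failures still inside the window
    alerts = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["src_ip"], datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4625:
            # Expire failures older than the window, then add this one.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, ev["user"]))
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(ip, {
                    "src_ip": ip,
                    "failures": 0,
                    "users": set(),
                    "first_failure": recent[ip][0][0].isoformat(),
                    "success_as": None,
                })
                alert["failures"] = max(alert["failures"], len(recent[ip]))
                alert["users"].update(u for _, u in recent[ip])
        elif ev["id"] == 4624 and ip in alerts and alerts[ip]["success_as"] is None:
            # First RDP success from an already-alerting source: likely a
            # guessed credential; this is the account to disable and review.
            alerts[ip]["success_as"] = ev["user"]
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The office-LAN source never reaches the threshold and produces no alert, while the external source is reported with the account it finally succeeded as; a response playbook would disable that account, check for the remote access tools the profile mentions, and apply the account lockout and MFA mitigations listed below.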
Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.
Execution and Privilege Escalation
Phobos actors run executables like 1saas.exe or cmd.exe to deploy additional Phobos payloads that have elevated privileges enabled. Additionally, Phobos actors can use the same commands to perform various Windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands.
Smokeloader Deployment
Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.
For the first phase, Smokeloader manipulates either VirtualAlloc or VirtualProtect API functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites.
Within this phase, the shellcode also sends a call from the entry point to a memory container and prepares a portable executable for deployment in the final stage.
Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload. Following successful payload decryption, the threat actors can begin downloading additional malware.
Additional Phobos Defense Evasion Capabilities
Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like `netsh firewall set opmode mode=disable`. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool.
Persistence and Privilege Escalation
According to open source reporting, Phobos ransomware uses commands such as `Exec.exe` or the `bcdedit[.]exe` control mechanism. Phobos has also been observed using Windows Startup folders and Run registry keys, with paths such as `C:/Users\Admin\AppData\Local\directory`, to maintain persistence within compromised environments.
Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging SeDebugPrivilege. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access.
Discovery and Credential Access
Phobos actors additionally use open source tools such as Bloodhound and Sharphound to enumerate Active Directory. Mimikatz, NirSoft tools, and Remote Desktop PassView have also been used to export browser client credentials.
Furthermore, Phobos ransomware is able to enumerate connected storage devices and running processes, and to encrypt user files.
Exfiltration
Phobos actors have been observed using WinSCP and Mega.io for file exfiltration. They use WinSCP to connect directly from a victim network to an FTP server they control.
Phobos actors install Mega.io and use it to export victim files directly to a cloud storage provider. Data is typically archived as either a .rar or .zip file to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software.
Impact
After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place.
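Both the firewall tampering described under Additional Phobos Defense Evasion Capabilities (`netsh firewall set opmode mode=disable`) and the shadow-copy deletion described here (vssadmin.exe and WMIC) leave a clear trace in process-creation telemetry, and catching the defense-evasion step gives a defender a chance to act before the backups are gone. The scanner below is an added example, not the profile's or any vendor's detection content: it applies command-line rules to simplified Sysmon Event ID 1 / Security 4688-style records and then correlates the two stages per host. The event records are constructed; the rule for the modern `netsh advfirewall ... state off` syntax is an assumption added alongside the legacy form the profile names.

```python
"""Flag process-creation events whose command lines match the Phobos
defense-evasion (firewall tampering) and impact (shadow-copy deletion)
commands, and correlate both stages per host. Added example; not code
from the Phobos profile."""
import re
from collections import defaultdict

# (rule name, stage label, pattern). Patterns run against a normalised
# command line: lower-cased, quotes removed, whitespace collapsed.
RULES = [
    ("netsh_firewall_opmode_disable", "defense_evasion",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b")),
    # Modern equivalent of the legacy command above (assumption: cover both).
    ("netsh_advfirewall_state_off", "defense_evasion",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("vssadmin_delete_shadows", "inhibit_recovery",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "inhibit_recovery",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
]

# Constructed process-creation events (hostnames, users, parents are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "netsh  firewall set opmode mode=disable"},
    {"host": "ws01", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": "\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete"},
    {"host": "srv02", "user": "CORP\\backupsvc", "parent": "backupagent.exe",
     "cmdline": "vssadmin list shadows"},                 # benign inventory
    {"host": "ws03", "user": "CORP\\helpdesk", "parent": "powershell.exe",
     "cmdline": "netsh advfirewall show allprofiles"},    # benign query
]


def normalise(cmdline: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so rules are robust to
    the cosmetic variation attackers and shells introduce."""
    stripped = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def scan(events):
    """Return one hit per (event, rule) match with the context an analyst needs."""
    hits = []
    for ev in events:
        cmd = normalise(ev["cmdline"])
        for name, stage, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "stage": stage, "host": ev["host"],
                             "user": ev["user"], "parent": ev["parent"],
                             "cmdline": ev["cmdline"]})
    return hits


def hosts_with_both_stages(hits):
    """Hosts where firewall tampering AND shadow-copy deletion were both seen:
    the strongest signal that a ransomware deployment is under way."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["stage"])
    return sorted(host for host, seen in stages.items()
                  if {"defense_evasion", "inhibit_recovery"} <= seen)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['stage']}] {h['host']} {h['user']} ({h['parent']}): {h['cmdline']}")
    print("hosts with both stages:", hosts_with_both_stages(found))
```

`vssadmin list shadows` and `netsh advfirewall show allprofiles` are deliberately included as benign commands that the rules must not flag; the parent process and user fields are carried through because a shadow-copy deletion launched from `cmd.exe` under an interactive user warrants a different response than one issued by a known backup agent.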
Phobos.exe contains functionality to encrypt all connected logical drives on the target host. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.
Most extortion occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate.
Mitigations
The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Secure remote access software by applying recommendations from the joint Guide to Securing Remote Access Software.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  - Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
- Implement log collection best practices and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection.
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
- Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example:
  - Audit the network for systems using RDP.
  - Close unused RDP ports.
  - Enforce account lockouts after a specified number of attempts.
  - Apply phishing-resistant multifactor authentication (MFA).
  - Log RDP login attempts.
- Disable command-line and scripting activities and permissions.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP).
- Reduce the threat of credential compromise via the following:
  - Place domain admin accounts in the protected users' group to prevent caching of password hashes locally.
  - Refrain from storing plaintext credentials in scripts.
  - Implement time-based access for accounts at the admin level and higher.

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies.
  - Use longer passwords consisting of at least 15 characters and no more than 64 characters in length.
  - Store passwords in hashed format using industry-recognized password managers.
  - Add password user "salts" to shared login credentials.
  - Avoid reusing passwords.
  - Implement multiple failed login attempt account lockouts.
  - Disable password "hints."
  - Refrain from requiring password changes more frequently than once per year.

  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password "patterns" cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization's data infrastructure.