Phobos Ransomware Targets U.S. Critical Infrastructure: Government Agencies Issue Warning
March 4, 2024
U.S. cybersecurity and intelligence agencies have warned of ongoing Phobos ransomware attacks against municipal and county governments, emergency services, education, public healthcare, and critical infrastructure. The attacks have already extorted several million U.S. dollars in ransom payments. The warning was issued jointly by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Since its emergence in May 2019, multiple variants of Phobos ransomware have been identified, including Eking, Eight, Elbie, Devos, Faust, and Backmydata. Cisco Talos revealed last year that the threat actors behind 8Base ransomware are using a Phobos ransomware variant to conduct their financially motivated attacks. There are indications that Phobos is likely managed by a central authority, which controls the ransomware's private decryption key.
The typical attack chain starts with phishing that drops a stealthy loader such as SmokeLoader. Alternatively, the threat actors scan for exposed Remote Desktop Protocol (RDP) services and brute-force their credentials to breach vulnerable networks. Once inside, they drop additional remote access tools, use process injection to execute malicious code and evade detection, and modify the Windows Registry to maintain persistence in the compromised environment.
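The RDP brute-force entry point described above is the part of this chain a defender can catch in Windows Security audit logs before ransomware is staged. The script below is an added detection example written for this article; it is not code from the advisory or from CISA, the FBI or MS-ISAC. It uses the standard Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), but the pipe-delimited log format, the sample records, the IP addresses and the threshold values are all constructed assumptions. It flags any source that produces a burst of RDP failures inside a sliding window, and escalates the alert when a successful RDP logon from the same source follows the burst, which is the pattern a successful brute force leaves behind.

```python
"""Detect an RDP brute-force burst followed by a successful logon.

Added detection example for the Phobos attack chain, not code from the
article or the advisory. Event IDs and logon type are the real Windows
Security audit values; the log format and records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One event per line, fields
# separated by '|': timestamp | event ID | logon type | account | source IP.
SAMPLE_LOG = """\
2024-03-01T02:10:01|4625|10|administrator|203.0.113.7
2024-03-01T02:10:03|4625|10|admin|203.0.113.7
2024-03-01T02:10:04|4625|10|backup|203.0.113.7
2024-03-01T02:10:06|4625|10|svc_sql|203.0.113.7
2024-03-01T02:10:07|4625|10|jsmith|203.0.113.7
2024-03-01T02:10:09|4625|10|administrator|203.0.113.7
2024-03-01T02:11:30|4624|10|jsmith|203.0.113.7
2024-03-01T02:12:00|4625|10|jsmith|198.51.100.22
2024-03-01T02:12:30|4625|10|jsmith|198.51.100.22
2024-03-01T09:00:00|4624|10|jsmith|192.0.2.15
"""

FAILED_LOGON = "4625"      # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reached `threshold` RDP failures
    within `window`. If a successful RDP logon from that source lands within
    `window` of the burst, the alert is escalated and names the account."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625 events
    burst_seen = {}                 # src -> time the threshold was last crossed
    alerts = {}                     # src -> alert dict

    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this detection
        src = e["src"]

        if e["event_id"] == FAILED_LOGON:
            q = failures[src]
            q.append(e["time"])
            # Drop failures that have fallen out of the sliding window.
            while q and e["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                burst_seen[src] = e["time"]
                alert = alerts.setdefault(src, {
                    "src": src,
                    "severity": "bruteforce",
                    "failures": 0,
                    "compromised_account": None,
                })
                alert["failures"] = max(alert["failures"], len(q))

        elif e["event_id"] == SUCCESS_LOGON:
            last_burst = burst_seen.get(src)
            # A success shortly after a burst is the brute force paying off.
            if last_burst is not None and e["time"] - last_burst <= window:
                alert = alerts[src]
                alert["severity"] = "success_after_failures"
                alert["compromised_account"] = e["account"]

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, 203.0.113.7 produces six failures in eight seconds and then logs in as jsmith, so it is reported as `success_after_failures`; 198.51.100.22 has only two failures and stays below the threshold, and the normal working-hours logon from 192.0.2.15 is ignored. A real deployment would feed this from exported 4624/4625 events and tune `threshold` and `window` to the environment's baseline.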
The e-crime group known as CACTUS has been identified as a significant player in the ransomware landscape. Bitdefender detailed a meticulously coordinated ransomware attack by CACTUS that impacted two separate companies simultaneously. CACTUS has also targeted the virtualization infrastructure of companies, indicating a broadening focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts. It also exploited a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023.
Ransomware continues to be a lucrative venture for financially motivated threat actors. According to Arctic Wolf, initial ransomware demands reached a median of $600,000 in 2023, a 20% increase from the previous year. As of Q4 2023, the average ransom payment stands at $568,705 per victim. However, paying a ransom demand does not guarantee future protection. Data shared by cybersecurity company Cybereason shows that 78% of organizations were attacked again after paying the ransom, with 82% of them being targeted within a year. Of these victims, 63% were asked to pay more the second time.