Phobos Ransomware Targets U.S. Critical Infrastructure: Government Agencies Issue Warning

March 4, 2024

U.S. cybersecurity and intelligence agencies have raised the alarm over Phobos ransomware attacks that are currently targeting entities such as municipal and county governments, emergency services, education, public healthcare, and critical infrastructure. These attacks have already extorted several million U.S. dollars in ransom payments. The warning was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Since its emergence in May 2019, multiple variants of Phobos ransomware have been identified, including Eking, Eight, Elbie, Devos, Faust, and Backmydata. Cisco Talos revealed last year that the threat actors behind 8Base ransomware are using a Phobos ransomware variant to conduct their financially motivated attacks. There are indications that Phobos is likely managed by a central authority, which controls the ransomware's private decryption key.

The typical attack chain involving this ransomware strain starts with phishing to drop stealthy payloads like SmokeLoader. Alternatively, the threat actors breach vulnerable networks by searching for exposed RDP services and exploiting them through a brute-force attack. Once inside, the threat actors drop additional remote access tools, use process injection techniques to execute malicious code and evade detection, and modify the Windows Registry to maintain persistence within compromised environments.
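Two of the behaviours described above, RDP brute forcing for initial access and Windows Registry modification for persistence, leave traces that defenders can check for in Windows logs. The following Python is an added example written for this article, not code from the advisory or from any of the vendors named here. It runs over constructed events modelled on Windows Security event 4625 (failed logon, with LogonType 10 meaning RemoteInteractive/RDP) and Sysmon event 13 (registry value set); the IP addresses, user names, SID and file paths are made up, and the five-failures-in-five-minutes threshold is an assumption to tune for your environment.

```python
"""Added example: flag RDP brute-force bursts and Run-key persistence in
constructed Windows log events. Not part of the original article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Security event 4625 (failed logon).
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = network (SMB etc.).
SAMPLE_LOGON_EVENTS = [
    # Six RDP failures from one source within 40 seconds: brute-force pattern.
    {"time": "2024-03-04T10:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"time": "2024-03-04T10:00:08", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "admin"},
    {"time": "2024-03-04T10:00:15", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "backup"},
    {"time": "2024-03-04T10:00:22", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"time": "2024-03-04T10:00:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "sysadmin"},
    {"time": "2024-03-04T10:00:41", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    # Two failures 25 minutes apart: a user mistyping a password, not a burst.
    {"time": "2024-03-04T10:05:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "jdoe"},
    {"time": "2024-03-04T10:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "jdoe"},
    # Network-logon failures (type 3) are excluded from the RDP rule.
    {"time": "2024-03-04T10:01:00", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
    {"time": "2024-03-04T10:01:05", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
    {"time": "2024-03-04T10:01:10", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
    {"time": "2024-03-04T10:01:15", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
    {"time": "2024-03-04T10:01:20", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
    {"time": "2024-03-04T10:01:25", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "svc"},
]

# Constructed sample events shaped like Sysmon event 13 (registry value set).
# The SID and paths are placeholders, not real indicators.
SAMPLE_REG_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

# Autostart locations commonly abused for persistence (assumed watch list).
RUN_KEY_MARKERS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: max_failures_in_window} for sources whose failed RDP
    logons (event 4625, logon type 10) reach the threshold inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_ip[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        left, best = 0, 0
        # Sliding window: count the densest run of failures within `window`.
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def detect_run_key_persistence(reg_events):
    """Return (image, target) pairs for registry writes under Run/RunOnce keys."""
    hits = []
    for e in reg_events:
        target = e["target"].lower()
        if any(marker.lower() in target for marker in RUN_KEY_MARKERS):
            hits.append((e["image"], e["target"]))
    return hits


if __name__ == "__main__":
    for ip, count in detect_rdp_bruteforce(SAMPLE_LOGON_EVENTS).items():
        print(f"RDP brute-force suspected from {ip}: {count} failures in window")
    for image, target in detect_run_key_persistence(SAMPLE_REG_EVENTS):
        print(f"Run-key persistence: {image} wrote {target}")
```

The brute-force rule keys on the source address rather than the account, because password spraying rotates user names while the source stays constant; the persistence rule deliberately ignores who wrote the value so that triage can judge whether the writing process belongs there. Both are starting points for a SIEM rule, not a substitute for closing exposed RDP behind a VPN or gateway with multi-factor authentication.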

The e-crime group known as CACTUS has been identified as a significant player in the ransomware landscape. Bitdefender detailed a meticulously coordinated ransomware attack by CACTUS that impacted two separate companies simultaneously. CACTUS has also targeted the virtualization infrastructure of companies, indicating a broadening focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts. It also exploited a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023.

Ransomware continues to be a lucrative venture for financially motivated threat actors. According to Arctic Wolf, initial ransomware demands reached a median of $600,000 in 2023, a 20% increase from the previous year. As of Q4 2023, the average ransom payment stands at $568,705 per victim. However, paying a ransom demand does not guarantee future protection. Data shared by cybersecurity company Cybereason shows that 78% of organizations were attacked again after paying the ransom, with 82% of them being targeted within a year. Of these victims, 63% were asked to pay more the second time.
