Cybersecurity Snapshots #36 - Phobos Ransomware

Cybersecurity Snapshots #36 -

Phobos Ransomware

Recently security researchers at Deep Instinct found that Phobos was one of the most common ransomware families during Q3 2022. Phobos ransomware first appeared at the end of 2017. It is an older ransomware variant. The adversaries behind Phobos usually target small and medium size companies across many different sectors. The average Phobos ransom payment as of July 2022 is $36,932, up from $13,955 in 2020. The total number of companies that have fallen victim to Phobos ransomware since its inception is unknown.

Researchers from Coveware and Palo Alto Networks Unit 42 have noted that Phobos shares several similarities with Dharma ransomware. Security researchers at Coveware noted that like Dharma, Phobos exploits open or poorly secured Remote Desktop Protocol (RDP) ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. Aside from the "Phobos" logos, the ransom note is the same as the note used by Dharma, with the same typeface and text used throughout. The researchers noted that Phobos shares much of the same code as Dharma, with researchers describing it as a "largely cut and paste variant of Dharma." Security researchers at Coveware stated that Phobos also contains elements of CrySiS ransomware, also related to Dharma, with anti-virus software detecting Phobos as CrySiS. The researchers noted that the ransomware's file markers differentiate it from Dharma. However, the attack methods and threat remain the same. The researchers at Coveware indicated that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes, and communications remain nearly identical to Dharma. Researchers believe that Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks should Dharma end up decrypted or prevented from successfully extorting ransoms from victims. Phobos has served as the foundation for later variants, including Eking, discovered in October 2020, and Fair detected in March 2021.

Researchers noted that developers added new fileless and evasive techniques in this most recent variant. Given the considerable effort by the ransomware developers to add new defense evasion capabilities and footprint reduction in the recent Fair variant of Phobos ransomware, it suggests that the operators behind Phobos are likely more focused on cyber espionage while attempting to increase their foothold in enterprise businesses. The researchers stated that in one case, the threat actors maintained persistence in a company's network for eight months while remaining undetected. One of the more significant recent updates to Phobos ransomware is a lower scope of encryption in which the Phobos developers removed the User Account Control (UAC) requirement to maintain medium integrity. This means no encryption of privileged folders, which leads to a lower footprint. The researchers noted that while there are fewer files to encrypt, Phobos's developers did not want to compromise files with open handles, which most likely would significantly impact the victims. The researchers noted that there is also a clear indication that Phobos ransomware targets servers versus workstations, as some of the malware's commands are only relevant to servers.

The U.S. Department of Health and Human Services (HHS) in an advisory noted that common infection vectors for Phobos ransomware include distribution from malicious attachments via phishing, open and poorly secured RDP connections, brute force techniques to obtain RDP credentials, leveraging stolen or illegally purchased RDP credentials, common security misconfigurations, and insecure connections on ports 338 and 3389, which are legitimate protocols used to access servers remotely.

Security researchers at Malwarebytes suggested mitigations organizations could implement to help protect themselves from Phobos ransomware. The researchers say organizations should set their RDP server, built in the Windows OS, to deny public IPs access to TCP ports 3389 and 338. TCP ports 3389 and 338, the default ports of Windows Remote Desktop, enable remote connections to other computers. The researchers noted that if an organization has no need for RDP, it is better to disable the service altogether. The researchers said that a critical system or systems with sensitive information should not have RDP enabled. The researchers also suggest blocking TCP port 445, the default port. They further propose that organizations should only allow RDP access to IP addresses that are under the organization's control. Organizations should enable the logging of RDP access attempts and review them regularly to detect instances of potential intrusion. Organizations should enforce strong passwords and account lockout policies for Active Directory domains and local Windows accounts. Organizations should also have employees use virtual private networks (VPNs) when working remotely, use multi-factor authentication when possible, and ensure that software, including OS and anti-malware, is up to date.