Cert2Connect

StopRansomware Phobos Ransomware CISA AA24-060A

The FBI CISA and MS-ISAC have jointly released a Cybersecurity Advisory to share information on the Phobos ransomware variants observed as recently as February 2024. Phobos operates as a ransomware-as-a-service (RaaS) model and is likely connected to multiple variants like Elking Eight Devos Backmydata and Faust ransomware. It utilizes various open source tools such as Smokeloader Cobalt Strike and Bloodhound. Phobos actors gain initial access through phishing campaigns or by exploiting vulnerable Remote Desktop Protocol ports. They deploy hidden payloads modify firewall configurations and establish persistence using Windows Startup folders and Run Registry Keys. Additionally they employ tools like Mimikatz and NirSoft for credential enumeration and WinSCP and Mega.io for file exfiltration. Phobos encrypts user files deletes volume shadow copies and encrypts all connected logical drives. Each Phobos executable has unique identifiers and a ransom note embedded within.
Overzicht

WILT U WETEN HOE DIT RISICO
UITGEBANNEN KAN WORDEN?

Wij helpen je graag. Indien gewenst geven we graag een presentatie of demo van onze oplossingsaanpak. Je vindt ons ook regelmatig op beurzen en events. Volg de evenementenpagina op deze site of meld je aan via de contactpagina voor onze nieuwsbrief.

Maak een afspraak