US government warns organizations of Phobos ransomware attacks targeting critical infrastructure.

Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

US government agencies on Thursday warned organizations of ongoing Phobos ransomware attacks targeting government, education, emergency services, healthcare, and other critical infrastructure sectors.

Active since May 2019, Phobos operates under the ransomware-as-a-service (RaaS) business model and has successfully extorted several millions of dollars from victim organizations, CISA, the FBI, and MS-ISAC say in a joint advisory.

Based on similar tactics, techniques, and procedures (TTPs), Phobos is linked to ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust, and has been deployed in conjunction with tools popular among cybercriminals, including Bloodhound, Cobalt Strike, and SmokeLoader.

Phobos attacks typically start with phishing emails dropping IP scanning tools aimed at identifying vulnerable Remote Desktop Protocol (RDP) ports, which are then brute-forced for access and company profiling.

“Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network,” the joint advisory reads.

The attackers were also seen using spoofed email attachments to deliver malicious payloads such as the SmokeLoader backdoor, which is then used to deploy Phobos and exfiltrate data from the victim’s network.

Cybercriminals were also seen running legitimate executables to deploy additional payloads with elevated privileges, modifying system firewall configurations to bypass network defenses, and using Windows Startup folders and Run Registry Keys to maintain persistence.

#cyberattack #cyberwar #criticalinfrastructure #nerccip #ingaa #ransomware #phobos