Phobos Ransomware Targeting U.S. Critical Infrastructure with Aggression

Government and critical infrastructure entities are being targeted by Phobos ransomware attacks, as per warnings from U.S. cybersecurity and intelligence agencies. The threat actors are using various tactics to deploy the file-encrypting malware.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Phobos ransomware actors have successfully attacked municipal and county governments, emergency services, education, public healthcare, and critical infrastructure, collecting several million dollars in ransom.

The cyber threat, active since May 2019, has multiple variants including Eking, Eight, Elbie, Devos, Faust, and Backmydata. It was recently revealed that the 8Base ransomware group is using a Phobos ransomware variant for their attacks.

Phobos appears to be centrally managed, with a central authority controlling the ransomware’s private decryption key. The attack chains involve phishing, exploiting exposed RDP services, and deploying remote access tools along with process injection techniques and Windows Registry modifications for persistence.

Additionally, Phobos actors use various tactics like stealing tokens, bypassing access controls, escalating privileges, and exfiltrating files using open-source tools like BloodHound and SharpHound. Separately, the ransomware group known as CACTUS has also targeted virtualization infrastructure and exploited critical security flaws like CVE-2023-38035 in internet-exposed Ivanti Sentry servers.

Ransomware attacks continue to be lucrative for threat actors, with rising ransom demands. However, paying the ransom does not guarantee data recovery or protection from future attacks. In fact, organizations that pay the ransom are often targeted again, with 78% of them being attacked within a year, highlighting the need for robust cybersecurity measures.
