Phobos!

On February 29, 2024, CISA released a joint advisory with the FBI and MS-ISAC regarding Phobos ransomware.

Phobos operates under a ransomware-as-a-service (RaaS) model. The actors behind it have targeted several industries, including healthcare, education, and critical infrastructure, and these campaigns have brought in several million dollars in successful payouts. Phobos was first seen around May 2019.

The threat group “8Base” has released several variants that were installed with Smokeloader, a trojan backdoor used to drop or download other payloads. In 8Base’s campaigns, however, the ransomware component is carried encrypted inside the payload. It also includes an embedded configuration that has been part of the variants since about 2019.

Smokeloader decrypts the malware in three stages. In stage one, several API calls are made in an attempt to obfuscate the execution flow. In stages two and three the shellcode is decrypted and executed.

The Phobos ransomware contains most of the features needed by the threat group to operate. These are just a few:

– File encryption capabilities
– Network share scanning
– Startup and registry key persistence
– Firewall and recovery disabling
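As an added example (not part of the original post), here is the defensive side of the last two bullets: a small Python triage routine that runs over constructed process-creation records and flags command lines associated with recovery disabling, firewall disabling and Run-key persistence. The command patterns and sample records are this example's assumptions for illustration, not indicators taken from the advisory.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style, reduced to
# pid and command line); sample data for this example, not advisory content.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4131, "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 4140, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4152, "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d C:\Users\Public\x.exe"},
    {"pid": 5000, "cmd": "netsh advfirewall show allprofiles"},  # benign read-only query
]

# One rule set per behaviour category the post lists. The concrete command
# patterns are this example's assumptions, not indicators from the advisory.
RULES = {
    "recovery_disabling": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "firewall_disabling": [
        re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    ],
    "run_key_persistence": [
        re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I),
    ],
}

def classify(event):
    """Return the behaviour categories whose patterns match the event's command line."""
    return [name for name, pats in RULES.items()
            if any(p.search(event["cmd"]) for p in pats)]

def triage(events):
    """Map each matched category to the pids that triggered it."""
    hits = {}
    for ev in events:
        for cat in classify(ev):
            hits.setdefault(cat, []).append(ev["pid"])
    return hits

def should_escalate(hits, threshold=2):
    """Several distinct pre-encryption behaviours in one batch is the signal worth paging on."""
    return len(hits) >= threshold

if __name__ == "__main__":
    for cat, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{cat}: pids {pids}")
```

A read-only query such as `netsh advfirewall show allprofiles` produces no hit, so the rules key on the state-changing form of each command rather than on the binary name alone.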

There are things we can do to protect ourselves, and it all starts with awareness! Don’t go phishing…

By Ghost40