Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

March 4, 2024 at 12:36AM

U.S. cybersecurity agencies have issued warnings about Phobos ransomware targeting government and critical infrastructure entities. The ransomware, which is operated under a ransomware-as-a-service (RaaS) model, has hit a range of sectors and earned its operators millions of dollars in ransom. The attackers use a variety of tactics and have been actively targeting entities since May 2019, posing a significant ongoing threat.

In summary, U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities. These attacks are carried out through a variety of tactics, such as phishing, exploiting exposed RDP services, and leveraging vulnerabilities.

The ransomware as a service (RaaS) model has targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure, resulting in several million dollars in ransom payments.

Multiple variants of Phobos ransomware have been identified, and the threat actors have been observed using various techniques to execute their attacks, including using built-in Windows API functions, remote access tools, and process injection techniques, as well as exfiltrating files via WinSCP and Mega.io.
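The techniques listed above (exposed RDP, exfiltration via WinSCP and Mega.io) all leave footprints in ordinary host telemetry. The following Python script is an added example, not code from the advisory or from any of the agencies involved, showing how a defender might scan process, DNS and logon events for those footprints. It assumes a simple pipe-delimited event format, an internal file-server allowlist (`files.corp.example`), RFC 1918 ranges as "internal", and that `mega.nz` belongs to the same service as `mega.io`; the sample events are constructed, not real telemetry.

```python
"""Flag Phobos-style exfiltration and exposed-RDP indicators in constructed log events."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Format: <type>|key=value|key=value...
SAMPLE_EVENTS = [
    "process|host=ws01|user=jdoe|image=C:\\Program Files\\WinSCP\\WinSCP.exe"
    '|cmdline=WinSCP.exe /command "open sftp://files.corp.example"',
    "process|host=ws02|user=svc_backup|image=C:\\Users\\Public\\WinSCP.exe"
    '|cmdline=WinSCP.exe /command "open sftp://203.0.113.10"',
    "dns|host=ws02|query=www.mega.io",
    "dns|host=ws03|query=login.microsoftonline.com",
    "logon|host=srv01|user=admin|logon_type=10|src_ip=198.51.100.77",
    "logon|host=srv01|user=admin|logon_type=10|src_ip=10.0.5.12",
]

# Assumptions for this example: where a sanctioned WinSCP install lives, which
# transfer destinations are expected, and which address ranges count as internal.
TRUSTED_WINSCP_PATHS = ("c:\\program files\\winscp\\", "c:\\program files (x86)\\winscp\\")
ALLOWED_TRANSFER_HOSTS = {"files.corp.example"}
EXFIL_DOMAINS = ("mega.io", "mega.nz")  # mega.nz assumed to be the same service as mega.io
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_URL_HOST = re.compile(r"://([^/\s\"]+)")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split '<type>|k=v|k=v' into a dict; the first field becomes 'type'."""
    kind, *pairs = line.split("|")
    fields = {"type": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def check_process(ev: dict):
    """WinSCP launched from an untrusted path, or sending to an unexpected host."""
    image = ev.get("image", "").lower()
    if not image.endswith("winscp.exe"):
        return None
    if not image.startswith(TRUSTED_WINSCP_PATHS):
        return Finding(ev["host"], "winscp_untrusted", f"WinSCP run from {ev['image']}")
    for dest in _URL_HOST.findall(ev.get("cmdline", "")):
        if dest not in ALLOWED_TRANSFER_HOSTS:
            return Finding(ev["host"], "winscp_unknown_destination", f"transfer to {dest}")
    return None


def check_dns(ev: dict):
    """Any lookup of a Mega domain or one of its subdomains."""
    query = ev.get("query", "").lower().rstrip(".")
    if any(query == d or query.endswith("." + d) for d in EXFIL_DOMAINS):
        return Finding(ev["host"], "mega_dns", f"lookup of {query}")
    return None


def check_logon(ev: dict):
    """RDP logon (Windows event 4624 logon type 10) from outside the internal ranges."""
    if ev.get("logon_type") != "10":
        return None
    try:
        src = ipaddress.ip_address(ev.get("src_ip", ""))
    except ValueError:
        return None
    if not any(src in net for net in INTERNAL_NETS):
        return Finding(ev["host"], "external_rdp_logon", f"RDP logon for {ev.get('user')} from {src}")
    return None


CHECKS = {"process": check_process, "dns": check_dns, "logon": check_logon}


def analyze(lines):
    """Run every applicable check and return the list of findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        check = CHECKS.get(ev["type"])
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Run on the constructed events, the script reports three findings: WinSCP running from a user-writable directory on ws02, the same host resolving a Mega domain, and an RDP logon to srv01 from a non-internal address; the sanctioned transfer on ws01 and the internal RDP logon are left alone. In practice the allowlists would come from asset inventory rather than constants, and correlating the two ws02 findings on one host is what turns individual alerts into a useful exfiltration signal.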

Additionally, a coordinated ransomware attack impacting two separate companies simultaneously has been attributed to a ransomware actor called CACTUS. This attack is synchronized and multifaceted, targeting the virtualization infrastructure and leveraging a critical security flaw in an internet-exposed Ivanti Sentry server.

Ransomware continues to be a significant source of income for financially motivated threat actors, with initial ransomware demands and average ransom payments increasing. Moreover, paying a ransom does not ensure the safe recovery of data and systems, nor does it guarantee protection from future attacks.

Furthermore, data shared by Cybereason indicates that a high percentage of organizations were attacked again after paying the ransom, with some being asked to pay more the second time.

Overall, these reports shed light on the evolving nature of ransomware attacks and the challenges organizations face in mitigating the risks associated with these threats.
