Don’t Be Blinded by the Big Ransomware Gangs: Phobos Ransomware


It’s hard to ignore the headlines surrounding BlackCat/ALPHV these days, especially as the Change Healthcare ransomware attack continues to negatively impact healthcare operations across the U.S.

But while the major cybercriminal gangs draw the major headlines (CNN, New York Times, Washington Post), smaller, and to a degree less sophisticated, cybercriminals are out there continuing to threaten businesses. That is why you wouldn’t be the only one to have missed the joint advisory released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlighting the increasing threat from the Phobos ransomware group.

Who is Phobos, and why should you be aware of them? We’ll cover all that in this blog post and provide some tips to improve your security defenses against them.

Phobos: Background

Phobos is a malware strain derived from older ransomware families like Dharma and Crysis. It has actually been around since 2018. However, its recent resurgence comes from updated tactics that are taking advantage of expanded attack surfaces due to remote work, IoT, and more. Moreover, the joint advisory from CISA, FBI, and MS-ISAC suggests that there has been significant impact to local governments, which is the MS-ISAC’s primary stakeholder and user base.

Phobos: Delivering Ransomware-as-a-Service (RaaS)

According to the joint advisory, “Phobos is structured as a ransomware-as-a-service (RaaS) model.”

What exactly does this mean?

Ransomware-as-a-Service (RaaS) is a subscription-based model where cybercriminals rent access to ransomware infrastructure and tools created by others.

This model lowers the entry barrier for attackers who lack the expertise or resources to develop their own ransomware. Essentially, it democratizes the ability to launch ransomware attacks, making it easier for small-scale or less sophisticated cybercriminals to target businesses and individuals.

Unlike the larger, more infamous ransomware gangs, like BlackCat/ALPHV, which often develop and execute their own sophisticated attacks, RaaS providers operate more like businesses in the shadows. They offer customer support, updates, and even tutorials to their subscribers.

This model significantly differs from the operations of bigger gangs in that it fosters an ecosystem where the RaaS developers focus on maintaining and updating the ransomware toolkit, while their affiliates are responsible for carrying out attacks and spreading the malware.

The profits from these attacks are then split between the RaaS developers and their affiliates. This distribution of responsibilities and profits delineates a fundamental difference from larger ransomware operations, which typically oversee all aspects of their attacks internally.

Phobos: Exploiting Security Exposures and Vulnerabilities for Initial Access

Because Phobos typically works with less sophisticated operators, the individuals who leverage Phobos will capitalize on the following exposures or vulnerabilities to gain access:

  • RDP Vulnerabilities: Poorly secured (or completely unsecured) Remote Desktop Protocol (RDP) configurations present a major attack vector.
  • Unpatched Systems: Outdated operating systems and software are easily exploitable entry points.

These security weaknesses can be found across millions of companies, especially smaller organizations that may not have the resources to update and monitor their configurations and defenses on a regular basis.

Phobos: Preferred Sector Targets

In general, Phobos targets a broader range of organizations, including smaller businesses and public institutions like hospitals and schools. Though no Phobos victims have been publicly identified, the joint CISA and FBI advisory specifically calls out the following sectors:

  • Education: With limited budgets and complex networks, educational institutions, especially elementary and secondary schools, often have less mature security programs and unmanaged systems.
  • Local Government: Specifically, municipal and county governments and emergency services – all of which are called out in the joint advisory. As with education organizations, tight budgets, limited staffing, and sometimes widely distributed or decentralized IT infrastructure expand the attack surface for these organizations while making it harder to secure them.
  • Public Healthcare: Unlike private healthcare entities in the U.S., public healthcare organizations are plagued with the same resource issues as education and local government. Moreover, the value of sensitive patient data and the disruption of critical services increase an attacker’s leverage to ensure a ransom payment is made.

They also note that other critical infrastructure sectors have been targeted, stating that several millions of dollars have been paid to Phobos since its inception.

These target sectors align with initial access vectors that are opportunistic and automated rather than hands-on. Phobos users can easily scan the internet for unsecured RDP and unpatched systems and deploy the ransomware without much effort. In comparison, highly manual or personalized tactics such as social engineering to gain access to multifactor-protected Administrator accounts take much more time and a more sophisticated hacker profile.

Protect Yourself Against Phobos

Given the initial access vectors are typically unsecured RDP or vulnerabilities, organizations should assess their cyber hygiene and patch or remediate any security issues they find. RDP may be necessary, but improving the security controls around RDP is critical.

Additionally, the joint advisory emphasizes layered defenses and proactive security measures. We’d highly recommend implementing the following actions immediately:

  • Patch systems: Phobos operators are known to exploit endpoints using unpatched OS and software bugs. By staying on top of patches and software updates, you can make it more difficult for ransomware to enter through these common weak points.
  • Prioritize vulnerability remediation: Rapidly identify and remediate vulnerabilities, such as updating configurations to make them more secure and disabling unused ports or protocols, including ones that can be identified from the public-facing internet.
  • Harden RDP: Enforce multi-factor authentication and restrict access to only necessary employees.
  • Segment networks: Contain lateral movement by limiting the free flow of traffic among different systems.
  • Keep offline backups: Maintain isolated backups to facilitate a smoother recovery process.
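As an added example (not code from the advisory or from Syxsense), the read-only PowerShell audit below checks a Windows host for the RDP hardening points listed above: whether RDP is enabled, whether Network Level Authentication and TLS are enforced, whether the built-in firewall rules accept connections from any address, who sits in the local Remote Desktop Users group, and how many failed remote-interactive logons were recorded in the last day. It assumes an elevated session on a Windows 10/Server 2016 or later host with the NetSecurity module available; the failed-logon threshold of 50 is an arbitrary constructed value.

```powershell
# Added example: audit common RDP exposure points on the local host (read-only).
$findings = @()
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? If this host does not need it, the safest setting is off.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings += 'RDP is enabled; confirm this host actually needs it.' }

# 2. Network Level Authentication requires credentials before a session is created,
#    removing the pre-authentication surface that exposed RDP otherwise presents.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings += 'Network Level Authentication (UserAuthentication=1) is not enforced.' }

# 3. SecurityLayer 2 = TLS; lower values permit legacy RDP security negotiation.
$sec = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
if ($sec -ne 2) { $findings += 'SecurityLayer is not set to TLS (2).' }

# 4. Firewall scoping: enabled Remote Desktop rules should be limited to known
#    management addresses, not 'Any'.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' allows RDP from any remote address."
        }
    }

# 5. Access restriction: list who can actually log on over RDP so the group can be
#    trimmed to the employees who need it.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($rdpUsers) { $findings += "Remote Desktop Users members: $($rdpUsers.Name -join ', ')" }

# 6. Failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) in the last 24h.
#    Property index 10 of a 4625 event is LogonType. A high count suggests password guessing.
$since = (Get-Date).AddDays(-1)
$fails = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 }
$threshold = 50   # constructed value; tune to the host's normal usage
if (@($fails).Count -gt $threshold) {
    $findings += "$(@($fails).Count) failed RDP logons since $since; review source addresses."
}

if ($findings.Count -eq 0) { 'No RDP hardening gaps found by this check.' } else { $findings }
```

With NLA enforced, failed RDP attempts may be logged with LogonType 3 instead of 10, so compare both when baselining a host.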

Syxsense: Your Partner Against Evolving Threats

Can you be 100% certain that RDP is properly secured for your organization? Do you know if your OS and applications are up to date on their patching? Can you identify all the vulnerabilities on your assets?

If your answer is no to any of these questions, take a look at Syxsense and find out how we can help you better protect your organization against RaaS gangs like Phobos.

Syxsense provides a powerful platform for IT and security operations teams to pinpoint vulnerabilities and automate remediation. With Syxsense, you can stay ahead of Phobos and other ransomware actors seeking to exploit security weaknesses and other exposures. Schedule a demo to learn more.