HC3 TLP White: Analyst Note Overview of Phobos Ransomware July 7, 2021

Overview of Phobos Ransomware

Executive Summary

Phobos ransomware first surfaced in late 2017, and researchers quickly identified links between Phobos and the Dharma and CrySiS ransomware families. The Phobos operators primarily target small- to medium-sized businesses (including healthcare entities such as hospitals) and typically demand lower ransoms than other ransomware families. Phobos was one of the most prevalent ransomware families throughout 2019 and 2020, and it continues to evolve: variants identified as recently as April 2021 are harder to detect than earlier builds. Basic mitigations include securing Remote Desktop Protocol (RDP), strong password and account lockout policies, enforcing multi-factor authentication, requiring remote access to go through a virtual private network rather than exposing RDP directly, maintaining tested disaster recovery plans, and keeping software updated.

Report

At its inception in 2017, Phobos was being distributed by the Dharma ransomware operators. Phobos likely served as an insurance policy for malicious campaigns, providing affiliates with a second option for conducting attacks should Dharma end up being decrypted, according to ZDNet. In 2019, researchers at Malwarebytes concluded that there were significant similarities between Phobos and Dharma ransomware, suggesting the same developers were responsible for their creation. Phobos also contains elements of CrySiS ransomware (which is also related to Dharma) with anti-virus software often detecting Phobos as CrySiS. Phobos has served as the foundation for later variants, including Eking, discovered in October 2020, and Fair, detected in March 2021. In this most recent variant, developers added new fileless and evasive techniques.

Given the considerable effort the ransomware developers have put into new defense evasion capabilities and footprint reduction in the recent Fair variant of Phobos, researchers suggest that the operators behind Phobos are likely more focused on cyber espionage while attempting to increase their foothold in enterprise businesses. In one case, the threat actors maintained persistence in a company’s network for eight months without being detected. One of the more significant recent changes is a narrower scope of encryption: the Phobos developers dropped the UAC elevation prompt, so the malware now runs at medium integrity. At that integrity level it cannot encrypt privileged folders, which reduces its footprint and the number of files it touches. Even with fewer files in scope, the developers did not give up on files held open by other processes, which are often the ones (such as databases) whose loss has the greatest impact on victims. Additionally, in December 2020, researchers discovered a variant of Agent Tesla (aka Negasteal) that used the paste site "hastebin[.]com" for the fileless delivery of the CrySiS ransomware; CrySiS and Dharma are both known to be related to Phobos. Some of the malware’s commands are only meaningful on servers, a clear indication that Phobos targets servers rather than workstations.

Like Dharma, Phobos ransom notes do not demand a specific amount, but rather instruct victims to email the Ransomware-as-a-Service operators to discuss pricing. Sources differ on the average ransom payment for Phobos: Coveware placed it at approximately $38,100 as of May 2021, Unit 42 identified it as $13,955 in 2020, and Advanced Intelligence reports an average of $5,000 to $6,000 in Bitcoin. Advanced Intelligence also reports that the demand is increased by $3,000 if the initial ransom demand is ignored. Additionally, the average time from reporting to full data recovery for a Phobos incident was 16 days, compared to an average of 19 days across all ransomware variants, according to Coveware. Recovery is usually quicker because most victims have small networks with just a few endpoints.

Common infection vectors for Phobos ransomware include malicious attachments delivered via phishing, open and poorly secured Remote Desktop Protocol (RDP) connections exposed on TCP port 3389 (the default RDP port, a legitimate service for remote server administration), brute-force attacks to obtain RDP credentials, stolen or illegally purchased RDP credentials, and common security misconfigurations.
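Of these vectors, RDP brute forcing is the one a defender can most readily detect from Windows Security logs, since each failed logon produces Event ID 4625 and each success Event ID 4624, with LogonType 10 marking RemoteInteractive (RDP) sessions. The following is an added example, not code from the HC3 note or any of the vendors it cites: it scans a constructed, simplified key=value rendering of such events, flags any source IP that reaches a failure threshold inside a sliding time window, and records whether that source later logged in successfully. The line format, thresholds and sample addresses are assumptions for the example; in production the events would arrive from an event forwarder or SIEM.

```python
"""Detect RDP brute force (4625 floods) followed by a successful 4624 logon.

Added example. The log lines below are constructed, not real telemetry, and
use a simplified "timestamp key=value ..." rendering of Windows Security
events; real collection pipelines render these fields differently.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # An account failed to log on
SUCCESS_LOGON = 4624      # An account was successfully logged on
RDP_LOGON_TYPE = 10       # RemoteInteractive: RDP / Terminal Services

# Constructed sample events. Status 0xC000006A = bad password,
# 0xC0000064 = unknown user name. 203.0.113.45 hammers RDP with several
# accounts and finally gets in as "backup"; the LogonType=3 line is a
# network logon and should be ignored by an RDP-focused rule.
SAMPLE_EVENTS = """\
2021-07-06T02:14:03 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45 Status=0xC000006A
2021-07-06T02:14:09 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45 Status=0xC000006A
2021-07-06T02:14:15 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45 Status=0xC0000064
2021-07-06T02:14:22 EventID=4625 LogonType=3 TargetUser=admin SourceIP=203.0.113.45 Status=0xC0000064
2021-07-06T02:14:30 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45 Status=0xC000006A
2021-07-06T02:14:41 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45 Status=0xC000006A
2021-07-06T02:15:02 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45 Status=0xC000006A
2021-07-06T02:15:44 EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.45 Status=0x0
2021-07-06T08:03:10 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25 Status=0xC000006A
2021-07-06T08:03:25 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25 Status=0x0
2021-07-06T11:20:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=198.51.100.7 Status=0xC000006A
2021-07-06T11:45:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=198.51.100.7 Status=0xC000006A
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict of typed fields."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts_str),
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "user": fields["TargetUser"].lower(),   # account names are case-insensitive
        "src": fields["SourceIP"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose RDP failures reach `threshold`
    within any `window`; if a later RDP success from that IP is seen, the
    alert records which account the attacker got in as."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    in_window = defaultdict(list)    # src -> failure timestamps still inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)   # distinct accounts targeted per source (spray vs. brute force)
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                 # only RemoteInteractive logons matter for this rule
        src = e["src"]
        if e["event_id"] == FAILED_LOGON:
            cutoff = e["time"] - window
            recent = [t for t in in_window[src] if t >= cutoff] + [e["time"]]
            in_window[src] = recent
            total_failures[src] += 1
            users_tried[src].add(e["user"])
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "first_seen": recent[0], "failures": 0,
                    "users_tried": set(), "success_as": None, "success_at": None,
                })
                alert["failures"] = total_failures[src]
                alert["users_tried"] = set(users_tried[src])
        elif e["event_id"] == SUCCESS_LOGON and src in alerts and alerts[src]["success_as"] is None:
            # A success after a burst of failures is the signature of a
            # guessed credential: escalate rather than just count.
            alerts[src]["success_as"] = e["user"]
            alerts[src]["success_at"] = e["time"]
    return list(alerts.values())


def severity(alert):
    """'critical' once the brute force produced a working logon, else 'high'."""
    return "critical" if alert["success_as"] else "high"


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(severity(a).upper(), a["src"], a["failures"], "RDP failures,",
              "accounts tried:", sorted(a["users_tried"]),
              "| logged in as:", a["success_as"], "at", a["success_at"])
```

Two points for tuning. First, the internal host 10.0.0.25 (one typo, then success) and the slow guesser 198.51.100.7 (two attempts 25 minutes apart) produce no alert, which is the intended trade-off: a low threshold over a short window catches the noisy brute force Phobos operators rely on without paging on every mistyped password, while a patient attacker is better handled by the account lockout policy the summary recommends. Second, compare the rule's threshold with that policy: if the domain lockout threshold is at or below the detection threshold, every alert also means an account was locked, and an attacker who still logs in afterward has either found an account exempt from lockout or moved to purchased credentials.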

Palo Alto Networks has observed Phobos ransomware attacks on victims in various industries including healthcare, with the threat actors mainly targeting small- to medium-sized businesses. In September 2019, a Dharma/CrySiS ransomware attack on a hospital in Texas encrypted many of the hospital's records containing patient information and medical data. In June 2019, at least four hospitals in Romania were hit by ransomware in attacks the Romanian Intelligence Service said it suspected were launched by Chinese hackers; a further investigation by specialists from CERT-RO, Cyberint, and Bitdefender indicated that the hospitals were attacked with Maoloa and Phobos ransomware.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272