On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

Phobos is a Ransomware family operated under the Ransomware-as-a-Service (RaaS) business model that has been active since at least May 2019 and, since its emergence, has undergone only minimal developments despite its popularity among criminal groups.

Phobos is an evolution of the Dharma/Crysis ransomware and, according to open-source reporting, is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in related intrusions.

The ransomware operates in conjunction with various open-source and commodity tools such as SmokeLoader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many adversaries.

Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.

AttackIQ has released a new assessment template which includes the various Tactics, Techniques and Procedures (TTPs) exhibited by Phobos ransomware in recent activities with the aim of helping customers validate their security controls and their ability to defend against this sophisticated and recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct industry-wide ransomware activities.
• Assess their security posture against activities focused on both exfiltration and encryption of sensitive information.
• Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[CISA AA24-060A] #StopRansomware: Phobos Ransomware

This assessment template emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by Phobos ransomware in recent activities.

1.Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Hijack Execution Flow: DLL Side-Loading (T1574.002): Bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute actor code.

System Binary Proxy Execution: Mshta (T1218.010): Mshta.exe is a native Windows utility that threat actors can abuse to download remote payloads that include VBScript code.

2. Persistence

Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry keys that Windows uses to identify what applications should be run at system startup.

Logon Autostart Execution: Startup Folder (T1547.001): The Startup folder is a directory associated with the Windows Start Menu that can be used to launch a process at Windows logon. This scenario creates a LNK file in this directory that would execute at the next Logon for all users.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario temporarily disables the Windows Firewall using the netsh advfirewall utility. By disabling the Firewall, the adversary can allow previously blocked incoming or outgoing network connections that could allow for remote access.

Bypass User Account Control (T1548.002): The malware attempts to disable UAC by setting a registry key.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

4. Privilege Escalation

Consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives.

Access Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated by another process. This method is commonly used to escalate privileges.

Event Triggered Execution: Image File Execution Options Injection (T1546.012): This scenario sets Image File Execution Options to the registry of a specific process. This is a well-known technique used by threat actors to, among others, achieve persistence or escalate privileges in compromised systems.

5. Credential Access

Techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping (T1003): This scenario uses the Mimikatz credential access tool to dump passwords and hashes for Windows accounts.

OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass.exe process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors. Mimikatz is then used to dump the credentials from that minidump file.

6. Command and Control

Techniques that adversaries may use to communicate with systems under their control within a victim network.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

7. Discovery

Techniques that adversaries use to discover information related to the compromised environment.

System Information Discovery (T1082): This scenario will call RtlGetVersion(Ntdll), and NetWkstaGetInfo(Netapi32) Windows API calls to enumerate system information.

Process Discovery (T1057): The Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

8. Collection

Techniques used by adversaries to collect the discovered information regarding the compromised system.

Archive Collected Data: Archive via Utility (T1560.001): This scenario compresses all the specified input files with the given compression level to a .7z archive by executing the 7zip binary file.

9. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it.

Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.

10. Impact

Consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Inhibit System Recovery (T1490): Runs vssadmin.exe to delete a recent Volume Shadow Copy created by the attack graph.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Phobos ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

 2. Hijack Execution Flow: DLL Side-Loading (T1574.002):

Malware will commonly use side-loading to load malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. Searching for newly constructed processes or monitoring for DLL/PE file events, specifically for the creation and loading of DLLs into running processes can help identify when a system process has been compromised.

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

3a. Detection

Search for executions of comsvcs.exe that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)

3b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

4. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

4a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

4b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Phobos ransomware affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.