FBI: U.S. Critical Infrastructure Targeted by Phobos Ransomware


March 4, 2024


The FBI, CISA and MS-ISAC issued a joint advisory warning that Phobos ransomware operators are attacking government and critical infrastructure targets including state, county and municipal services.

“Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the alert states (PDF).

The advisory contains details about the Phobos attack progression, including TTPs for initial infection vectors, credential theft, privilege escalation, lateral movement, data exfiltration and the destruction of network backups.

“Phobos actors have been observed using WinSCP and Mega.io for file exfiltration... After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place.”

Takeaway: Data exfiltration and the threat of exposure are now a central aspect of nearly every ransomware operator’s playbook and significantly increase the chances that the extortion effort will succeed.

The double extortion tactic begins when the attackers exfiltrate sensitive information from the target before launching the encryption routine. The threat actor then makes the additional demand that victims pay up to prevent the attackers from publishing their data online.

We see this most clearly in the evolution of the extortion tactics employed by the ransomware actors. Originally, the malicious payloads would encrypt files and demand payment for decryption keys.  

Security teams found success in either restoring from backups or accepting the loss of data as an acceptable consequence. Of course, even when systems are restored without paying the ransomware operators for a decryption key, the stolen data remains in the attackers' hands, and there is no guarantee that paying would protect it from being exploited either.

This scenario is further complicated by a common tactic in which the attackers use legitimate Windows tools such as the vssadmin utility to delete volume shadow copies. Many vendors tout a “rollback” feature that they claim will easily reverse encryption on an infected machine.

But as the Phobos ransomware TTPs in the alert show, wiping backups during the attack is almost standard procedure for Phobos, as it is for most other RaaS groups. While “automatic rollbacks” from VSS are a nice feature to call out in marketing materials, they give customers a false sense of security.

Some vendors also offer features meant to protect shadow copies from being wiped, but even when they are available, restoration of every infected device from shadow copies can be an arduous task.

The ransomware payload does not enter the picture until late in the attack, so the key to avoiding this situation is, of course, to detect the attack earlier in the sequence, long before the ransomware payload is delivered.

In the Phobos example, detecting the brute-forcing of RDP credentials and the attempts to exfiltrate sensitive data would be the key intercept points in the attack.

Quickly mitigating an infection is critical to resilience, but detecting the precursors to data exfiltration and other early-stage TTPs will prevent disruption to operations and eliminate the threat from double extortion schemes.
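As an added example (not from the advisory or Halcyon), the following Python detector covers two of the intercept points discussed above: the shadow-copy deletion via vssadmin.exe and WMIC quoted from the alert, and the RDP credential brute-forcing named as an early intercept point. The log lines, the simplified key=value record format, the event IDs used (4625 failed logon with LogonType 10 for RDP, 4688 process creation) and the threshold of five failures per minute are constructed assumptions for illustration, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value line format (not a real Windows
# Event Log export): 4625 = failed logon (LogonType 10 = RDP), 4688 = process creation.
SAMPLE_LOG = """\
2024-03-04T10:01:02 EventID=4625 LogonType=10 User=admin Source=198.51.100.7
2024-03-04T10:01:03 EventID=4625 LogonType=10 User=admin Source=198.51.100.7
2024-03-04T10:01:05 EventID=4625 LogonType=10 User=backup Source=198.51.100.7
2024-03-04T10:01:06 EventID=4625 LogonType=10 User=admin Source=198.51.100.7
2024-03-04T10:01:09 EventID=4625 LogonType=10 User=svc Source=198.51.100.7
2024-03-04T10:05:00 EventID=4625 LogonType=10 User=bob Source=203.0.113.9
2024-03-04T10:30:11 EventID=4688 User=admin CommandLine=vssadmin.exe delete shadows /all /quiet
2024-03-04T10:30:12 EventID=4688 User=admin CommandLine=wmic shadowcopy delete
"""

# Command lines the alert describes Phobos actors using to destroy volume shadow copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict; CommandLine may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect_shadow_copy_deletion(lines):
    """Return (timestamp, user, command line) for every shadow-copy deletion seen."""
    hits = []
    for rec in map(parse_line, lines):
        cmd = rec.get("CommandLine", "")
        if rec.get("EventID") == "4688" and any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append((rec["ts"], rec["User"], cmd))
    return hits

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return sources with >= threshold failed RDP logons falling inside one window."""
    failures = {}
    for rec in map(parse_line, lines):
        if rec.get("EventID") == "4625" and rec.get("LogonType") == "10":
            failures.setdefault(rec["Source"], []).append(rec["ts"])
    flagged = []
    for src, times in failures.items():
        times.sort()  # any `threshold` consecutive failures within `window` -> flag the source
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return flagged
```

Run against SAMPLE_LOG.splitlines() the detector flags 198.51.100.7 (five failures in seven seconds, while 203.0.113.9 stays clean) and reports both shadow-copy deletion commands.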

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.