Phobos Ransomware operates on a ransomware-as-a-service (RaaS) model, and its impact has been notably felt across state, local, tribal, and territorial (SLTT) governments. Municipalities, emergency services, educational institutions, and critical infrastructure entities have fallen victim to Phobos, resulting in substantial ransom payouts.
Attack methodology
The attack methodology used by Phobos ransomware can be outlined as follows:
MITRE TACTICS | STEPS INVOLVED
Reconnaissance and Initial Access |
Execution and Privilege Escalation |
Defense Evasion Capabilities |
Persistence and Privilege Escalation |
Discovery and Credential Access |
Exfiltration |
Impact |
Interim guidance
The DARC team recommends following the guidance from CISA in its latest Cybersecurity Advisory (CSA), which includes the following:
- Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example:
  - Audit the network for systems using RDP.
  - Close unused RDP ports.
  - Enforce account lockouts after a specified number of attempts.
  - Apply phishing-resistant multifactor authentication (MFA).
  - Log RDP login attempts.
- Disable command-line and scripting activities and permissions.
- Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
- Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
- Segment networks to prevent the spread of ransomware.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Ensure all backup data is encrypted and immutable.
DARC Managed Threat Hunting Queries
- Disable User Account Control (UAC)
stream=win-audit where action='POLICY_CHANGED' and object like '%CurrentVersion\Policies\System%EnableLUA%0' | select User, SrcIP, System
- Invoking accessibility features (Sticky Keys backdoor setup)
stream=win-audit where action='POLICY_CHANGED' and object like '%Image File Execution Options%' and (object like '%sethc.exe%' or object like '%Magnify.exe%' or object like '%HelpPane.exe%' or object like '%utilman.exe%') | select User, SrcIP, System
- RDP and disabling network-level authentication
stream=win-audit where action='POLICY_CHANGED' and (object like '%Terminal Services%' or object like '%Terminal Server%') and object like '%RDP-Tcp%' | select User, SrcIP, System
- Service Configuration Changes
stream=configuration where action='CONFIGURATION_CHANGED' and logevent like '%sc config%' and (logevent like '%start= autonet%' or logevent like '%start= disabled%')
Note: Look for batch modifications to service configurations that may indicate an attempt to weaken system defenses. In the System event log, look for Event ID 7040 (a service's start type has been changed), which can indicate changes made by 'sc config'.
- File Sharing File Service
stream=configuration where action='CONFIGURATION_CHANGED' and logevent like '%dism /online /enable-feature%' and config like '%File-Services%' and config like '%/NoRestart%'
Note: Detect command-line arguments that enable file services without restarting the system, which could be used to maintain persistence or enable lateral movement. Check for similar commands within Event ID 4104 if script block logging is enabled. Look for the enabling of file services that are not commonly used or required for a given system's role.
These queries are designed to detect the registry and service-configuration changes that are indicative of activity commonly associated with Phobos ransomware. Please ensure that the field names and stream names match the actual data in your HYPERCLOUD environment.
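The same five hunts expressed as plain regex rules over normalised audit records, so they can be tested offline before being ported to a SIEM. This is an added example, not code from the DARC team or the HYPERCLOUD product; the record fields, registry paths and sample events are constructed for illustration.

```python
import re

# Constructed sample records (not real telemetry); fields mirror what the hunting
# queries above select on (action, object/logevent, User, SrcIP, System).
SAMPLE_EVENTS = [
    {"action": "POLICY_CHANGED", "value": "0", "user": "CORP\\svc_backup", "src_ip": "10.0.0.7", "system": "FS01",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"action": "POLICY_CHANGED", "value": "cmd.exe", "user": "CORP\\svc_backup", "src_ip": "10.0.0.7", "system": "FS01",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"action": "POLICY_CHANGED", "value": "0", "user": "CORP\\svc_backup", "src_ip": "10.0.0.7", "system": "FS01",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"},
    {"action": "CONFIGURATION_CHANGED", "user": "CORP\\svc_backup", "src_ip": "10.0.0.7", "system": "FS01",
     "logevent": "sc config WinDefend start= disabled"},
    {"action": "CONFIGURATION_CHANGED", "user": "CORP\\svc_backup", "src_ip": "10.0.0.7", "system": "FS01",
     "logevent": "dism /online /enable-feature /featurename:File-Services /NoRestart"},
    # Benign UAC prompt-level change on another host: must NOT fire any rule.
    {"action": "POLICY_CHANGED", "value": "5", "user": "CORP\\admin", "src_ip": "10.0.0.2", "system": "WS22",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
]

# Accessibility binaries whose IFEO "Debugger" value is the sticky-keys backdoor.
ACCESSIBILITY = r"(sethc|magnify|helppane|utilman)\.exe"

def _obj(e, pattern):
    """True when a policy-change record's registry object path matches the pattern."""
    return e.get("action") == "POLICY_CHANGED" and bool(re.search(pattern, e.get("object", ""), re.I))

def _cmd(e, pattern):
    """True when a configuration-change record's logged command line matches the pattern."""
    return e.get("action") == "CONFIGURATION_CHANGED" and bool(re.search(pattern, e.get("logevent", ""), re.I))

# One rule per hunting query on this page; each predicate takes a single record.
RULES = {
    "UAC disabled (EnableLUA=0)":
        lambda e: _obj(e, r"Policies\\System\\EnableLUA$") and e.get("value") == "0",
    "IFEO debugger set on accessibility binary":
        lambda e: _obj(e, r"Image File Execution Options\\" + ACCESSIBILITY + r"\\Debugger$"),
    "RDP network-level authentication disabled":
        lambda e: _obj(e, r"Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$") and e.get("value") == "0",
    "Service start type set to disabled via sc config":
        lambda e: _cmd(e, r"\bsc(\.exe)?\s+config\b.*\bstart=\s*disabled\b"),
    "File-Services enabled with /NoRestart via dism":
        lambda e: _cmd(e, r"\bdism(\.exe)?\b.*/enable-feature.*File-Services.*/NoRestart"),
}

def hunt(events):
    """Return (rule, user, src_ip, system) tuples for every record that matches a rule."""
    return [(name, e.get("user"), e.get("src_ip"), e.get("system"))
            for e in events for name, pred in RULES.items() if pred(e)]
```

Running `hunt(SAMPLE_EVENTS)` yields one hit per rule, all attributed to the same user and source host, which is the clustering the note under the service-configuration query asks analysts to look for.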
Conclusion
The intricate workings of Phobos ransomware and its variant outlined in this brief emphasize the importance of vigilance and strategic defense measures. The DARC team recommends thorough implementation of CISA's mitigation strategies, including stringent RDP controls, multifactor authentication, network segmentation, and continuous monitoring.
For comprehensive guidance and detailed mitigation strategies, refer to the CISA advisory. The DARC team emphasizes the importance of not only understanding the threat but actively incorporating recommended defenses into cybersecurity practices.