Industrial Control Systems Cyber Emergency Response TeamAA24-060A#StopRansomware: Phobos Ransomware
AI Score
Confidence
Low
Actions to take today to mitigate Phobos ransomware activity:
- Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools.
- Prioritize remediating known exploited vulnerabilities.
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
References
attack.mitre.org/versions/v14/techniques/T1047/
attack.mitre.org/versions/v14/techniques/T1082/
any.run/malware-trends/smoke
any.run/malware-trends/smoke
attack.mitre.org/versions/v14/matrices/enterprise/
attack.mitre.org/versions/v14/software/S0002/
attack.mitre.org/versions/v14/software/S0521/
attack.mitre.org/versions/v14/tactics/TA0004/
attack.mitre.org/versions/v14/tactics/TA0004/
attack.mitre.org/versions/v14/tactics/TA0010/
attack.mitre.org/versions/v14/tactics/TA0010/
attack.mitre.org/versions/v14/techniques/T1001/003/
attack.mitre.org/versions/v14/techniques/T1001/003/
attack.mitre.org/versions/v14/techniques/T1003/001/
attack.mitre.org/versions/v14/techniques/T1003/001/
attack.mitre.org/versions/v14/techniques/T1003/005/
attack.mitre.org/versions/v14/techniques/T1003/005/
attack.mitre.org/versions/v14/techniques/T1027/002/
attack.mitre.org/versions/v14/techniques/T1027/002/
attack.mitre.org/versions/v14/techniques/T1027/009/
attack.mitre.org/versions/v14/techniques/T1047/
attack.mitre.org/versions/v14/techniques/T1048/
attack.mitre.org/versions/v14/techniques/T1048/
attack.mitre.org/versions/v14/techniques/T1055/002/
attack.mitre.org/versions/v14/techniques/T1055/002/
attack.mitre.org/versions/v14/techniques/T1055/004/
attack.mitre.org/versions/v14/techniques/T1055/004/
attack.mitre.org/versions/v14/techniques/T1057/
attack.mitre.org/versions/v14/techniques/T1057/
attack.mitre.org/versions/v14/techniques/T1059/003/
attack.mitre.org/versions/v14/techniques/T1059/003/
attack.mitre.org/versions/v14/techniques/T1071/002/
attack.mitre.org/versions/v14/techniques/T1071/002/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1082/
attack.mitre.org/versions/v14/techniques/T1083/
attack.mitre.org/versions/v14/techniques/T1083/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1105/
attack.mitre.org/versions/v14/techniques/T1105/
attack.mitre.org/versions/v14/techniques/T1105/
attack.mitre.org/versions/v14/techniques/T1106/
attack.mitre.org/versions/v14/techniques/T1106/
attack.mitre.org/versions/v14/techniques/T1110/
attack.mitre.org/versions/v14/techniques/T1110/
attack.mitre.org/versions/v14/techniques/T1133/
attack.mitre.org/versions/v14/techniques/T1133/
attack.mitre.org/versions/v14/techniques/T1134/001/
attack.mitre.org/versions/v14/techniques/T1134/001/
attack.mitre.org/versions/v14/techniques/T1134/002/
attack.mitre.org/versions/v14/techniques/T1134/002/
attack.mitre.org/versions/v14/techniques/T1140/
attack.mitre.org/versions/v14/techniques/T1140/
attack.mitre.org/versions/v14/techniques/T1204/002/
attack.mitre.org/versions/v14/techniques/T1204/002/
attack.mitre.org/versions/v14/techniques/T1218/005/
attack.mitre.org/versions/v14/techniques/T1218/005/
attack.mitre.org/versions/v14/techniques/T1219/
attack.mitre.org/versions/v14/techniques/T1219/
attack.mitre.org/versions/v14/techniques/T1486/
attack.mitre.org/versions/v14/techniques/T1486/
attack.mitre.org/versions/v14/techniques/T1490/
attack.mitre.org/versions/v14/techniques/T1490/
attack.mitre.org/versions/v14/techniques/T1490/
attack.mitre.org/versions/v14/techniques/T1490/
attack.mitre.org/versions/v14/techniques/T1490/
attack.mitre.org/versions/v14/techniques/T1547/001/
attack.mitre.org/versions/v14/techniques/T1547/001/
attack.mitre.org/versions/v14/techniques/T1547/001/
attack.mitre.org/versions/v14/techniques/T1555/
attack.mitre.org/versions/v14/techniques/T1555/003/
attack.mitre.org/versions/v14/techniques/T1555/003/
attack.mitre.org/versions/v14/techniques/T1555/005/
attack.mitre.org/versions/v14/techniques/T1555/005/
attack.mitre.org/versions/v14/techniques/T1560/
attack.mitre.org/versions/v14/techniques/T1560/
attack.mitre.org/versions/v14/techniques/T1562/
attack.mitre.org/versions/v14/techniques/T1562/
attack.mitre.org/versions/v14/techniques/T1562/004/
attack.mitre.org/versions/v14/techniques/T1562/004/
attack.mitre.org/versions/v14/techniques/T1562/004/
attack.mitre.org/versions/v14/techniques/T1566/001/
attack.mitre.org/versions/v14/techniques/T1566/001/
attack.mitre.org/versions/v14/techniques/T1567/002/
attack.mitre.org/versions/v14/techniques/T1567/002/
attack.mitre.org/versions/v14/techniques/T1585/
attack.mitre.org/versions/v14/techniques/T1585/
attack.mitre.org/versions/v14/techniques/T1588/002/
attack.mitre.org/versions/v14/techniques/T1588/002/
attack.mitre.org/versions/v14/techniques/T1593/
attack.mitre.org/versions/v14/techniques/T1593/
attack.mitre.org/versions/v14/techniques/T1595/001/
attack.mitre.org/versions/v14/techniques/T1595/001/
attack.mitre.org/versions/v14/techniques/T1598/
attack.mitre.org/versions/v14/techniques/T1598/
attack.mitre.org/versions/v14/techniques/T1657/
attack.mitre.org/versions/v14/techniques/T1657/
blog.talosintelligence.com/deep-dive-into-phobos-ransomware/
blog.talosintelligence.com/deep-dive-into-phobos-ransomware/
blog.talosintelligence.com/deep-dive-into-phobos-ransomware/
blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
github.com/cisagov/cset/releases/tag/v10.3.0.0
github.com/cisagov/Decider/
github.com/cisagov/Decider/
github.com/Cisco-Talos/IOCs/blob/main/2023/11/deep-dive-into-phobos-ransomware.txt
github.com/Cisco-Talos/IOCs/blob/main/2023/11/deep-dive-into-phobos-ransomware.txt
malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
pages.nist.gov/800-63-3/
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
therecord.media/romanian-hospitals-offline-after-ransomware-attack
therecord.media/romanian-hospitals-offline-after-ransomware-attack
twitter.com/CISAgov
twitter.com/intent/tweet?text=%23StopRansomware%3A%20Phobos%20Ransomware+https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A
www.cisa.gov/cross-sector-cybersecurity-performance-goals#DeploySecurityTXTFiles4C
www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A
www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectionofUnsuccessfulAutomatedLoginAttempts2G
www.cisa.gov/cross-sector-cybersecurity-performance-goals#DisableMacrosbyDefault2N
www.cisa.gov/cross-sector-cybersecurity-performance-goals#EmailSecurity2M
www.cisa.gov/cross-sector-cybersecurity-performance-goals#LogCollection2T
www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B
www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F
www.cisa.gov/cross-sector-cybersecurity-performance-goals#NoExploitableServicesontheInternet2W
www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H
www.cisa.gov/cross-sector-cybersecurity-performance-goals#ProhibitConnectionofUnauthorizedDevices2V
www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L
www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E
www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E
www.cisa.gov/cross-sector-cybersecurity-performance-goals#StrongandAgileEncryption2K
www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R
www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R
www.cisa.gov/cross-sector-cybersecurity-performance-goals#UniqueCredentials2C
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software
www.cisa.gov/resources-tools/resources/secure-by-design
www.cisa.gov/resources-tools/resources/stopransomware-guide
www.cisa.gov/securebydesign
www.cisa.gov/securebydesign
www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf
www.cisa.gov/stopransomware
www.cisecurity.org/insights/spotlight/edr-spotlight-module
www.cisecurity.org/insights/white-papers/ransomware-defense-in-depth
www.comparitech.com/net-admin/phobos-ransomware/
www.comparitech.com/net-admin/phobos-ransomware/
www.comparitech.com/net-admin/phobos-ransomware/
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a&title=%23StopRansomware%3A%20Phobos%20Ransomware
www.fbi.gov/contact-us/field-offices/
www.ic3.gov/
www.infosecurity-magazine.com/news/phobos-ransomware-new-faust-variant/
www.infosecurity-magazine.com/news/phobos-ransomware-new-faust-variant/
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware
www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware
www.oig.dhs.gov/
www.privacyaffairs.com/moral-8-base-ransomware-targets-2-new-victims/
www.privacyaffairs.com/moral-8-base-ransomware-targets-2-new-victims/
www.stopransomware.gov/
www.truesec.com/hub/blog/a-case-of-the-faust-ransomware
www.truesec.com/hub/blog/a-case-of-the-faust-ransomware
www.usa.gov/
www.virustotal.com/gui/domain/demstat577d.xyz
www.virustotal.com/gui/domain/demstat577d.xyz
www.virustotal.com/gui/file/0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
www.virustotal.com/gui/file/0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
www.virustotal.com/gui/file/7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0
www.virustotal.com/gui/file/7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0
www.virustotal.com/gui/file/f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c
www.virustotal.com/gui/file/f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c
www.virustotal.com/gui/ip-address/185.202.0.111/relations%20Win32.exe%20file%20cobaltstrike_shellcode.exe%20last%20scanned%20September%202023
www.virustotal.com/gui/ip-address/185.202.0.111/relations%20Win32.exe%20file%20cobaltstrike_shellcode.exe%20last%20scanned%20September%202023
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=%23StopRansomware%3A%20Phobos%20Ransomware&body=www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
AI Score
Confidence
Low