Rising Phobos Ransomware Activity in High-Impact Sectors
Threat Group: Phobos Ransomware Operators
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Exposed Remote Desktop Protocol (RDP) Ports, Weak Passwords, Phishing Attacks
Malware Used: Phobos Ransomware
Overview:
Phobos ransomware remains a significant and evolving threat, particularly targeting critical sectors such as healthcare, government, and education. Since its emergence in 2019, Phobos has continued to cause widespread disruption by encrypting data and demanding ransoms. This report outlines the latest Indicators of Compromise (IoCs), tactics, and recommended mitigation strategies associated with Phobos ransomware.
Recent Activity:
Phobos ransomware has been actively targeting organisations as recently as September 2024. Notable incidents include attacks on healthcare systems in Europe and North America, leading to significant disruptions in patient care and data breaches. The ransomware has also been observed in attacks on local government networks, where it has encrypted critical data and demanded substantial ransoms. Additionally, educational institutions have reported incidents where Phobos has compromised networks, leading to the exfiltration of sensitive student and faculty data.
These incidents underscore the persistent and adaptable nature of Phobos ransomware, which continues to be a major threat across various sectors. The ongoing activity indicates that threat actors using Phobos are actively refining their tactics to bypass security measures and maximise the impact of their attacks.
Phobos Ransomware Indicators of Compromise (IoCs)
Below is the comprehensive list of Phobos IoCs, categorised by Domains, Email Addresses, IP Addresses, and File Hashes.
Domains:
- adstat477d[.]xyz
- demstat577d[.]xyz
- serverxlogs21[.]xyz
- mslogger78[.]xyz
- syscheck-log[.]xyz
Email Addresses:
- AlbetPattisson1981@protonmail[.]com
- henryk@onionmail[.]org
- atomicday@tuta[.]io
- info@fobos[.]one
- axdus@tuta[.]io
- it.issues.solving@outlook[.]com
- barenuckles@tutanota[.]com
- JohnWilliams1887@gmx[.]com
- Bernard.bunyan@aol[.]com
- jonson_eight@gmx[.]us
- bill.g@gmx[.]com
- joshuabernandead@gmx[.]com
- bill.g@msgsafe[.]io
- LettoIntago@onionmail[.]com
- bill.g@onionmail[.]org
- Luiza.li@tutanota[.]com
- bill.gTeam@gmx[.]com
- MatheusCosta0194@gmx[.]com
- blair_lockyer@aol[.]com
- mccreight.ellery@tutanota[.]com
- CarlJohnson1948@gmx[.]com
- megaport@tuta[.]io
- cashonlycash@gmx[.]com
- miadowson@tuta[.]io
- chocolate_muffin@tutanota[.]com
- MichaelWayne1973@tutanota[.]com
- claredrinkall@aol[.]com
- normanbaker1929@gmx[.]com
- clausmeyer070@cock[.]li
- nud_satanakia@keemail[.]me
- colexpro@keemail[.]me
- please@countermail[.]com
- cox.barthel@aol[.]com
- precorpman@onionmail[.]org
- crashonlycash@gmx[.]com
- recovery2021@inboxhub[.]net
- everymoment@tuta[.]io
- recovery2021@onionmail[.]org
- expertbox@tuta[.]io
- SamuelWhite1821@tutanota[.]com
- fastway@tuta[.]io
- SaraConor@gmx[.]com
- fquatela@techie[.]com
- secdatltd@gmx[.]com
- fredmoneco@tutanota[.]com
- skymix@tuta[.]io
- getdata@gmx[.]com
- sory@countermail[.]com
- greenbookBTC@gmx[.]com
- spacegroup@tuta[.]io
- greenbookBTC@protonmail[.]com
- stafordpalin@protonmail[.]com
- helperfiles@gmx[.]com
- starcomp@keemail[.]me
- helpermail@onionmail[.]org
- xdone@tutamail[.]com
- helpfiles@onionmail[.]org
- xgen@tuta[.]io
- helpfiles102030@inboxhub[.]net
- xspacegroup@protonmail[.]com
- helpforyou@gmx[.]com
- zgen@tuta[.]io
- helpforyou@onionmail[.]org
- zodiacx@tuta[.]io
IP Addresses:
- 194.165.16[.]4 (October 2023)
- 45.9.74[.]14 (December 2023)
- 147.78.47[.]224 (December 2023)
- 185.202.0[.]111 (September and December 2023)
File Hashes:
- SHA-256 Hashes:
Tactics, Techniques, and Procedures (TTPs)
Phobos typically gains initial access via exposed RDP ports or phishing emails, often followed by brute-force attacks to crack weak passwords. The ransomware uses various methods to maintain persistence and evade detection, including registry modifications and disabling security tools.
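The initial-access pattern described above (exposed RDP followed by password guessing) leaves a recognisable trail in Windows Security event data: a burst of failed RemoteInteractive logons from one source, sometimes followed by a success. The following detection logic is an added example for this report, not the report's own tooling; it assumes events have already been exported to dicts with the fields shown (as a SIEM or log forwarder would supply), and the threshold, window and sample events are constructed for illustration.

```python
"""Flag RDP password guessing, and any success that follows it, in exported
Windows Security events.

Added example; assumes a SIEM-style export of event fields. Sample data below
is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625   # Windows Security: an account failed to log on
EVENT_LOGON_SUCCESS = 4624  # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10         # RemoteInteractive, i.e. an RDP session

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Six failures in 13 seconds against several accounts, then a success.
    {"time": "2024-09-10T02:00:01", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2024-09-10T02:00:03", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2024-09-10T02:00:05", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2024-09-10T02:00:08", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2024-09-10T02:00:11", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2024-09-10T02:00:14", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2024-09-10T02:00:20", "id": 4624, "type": 10, "src": "203.0.113.7", "user": "backup"},
    # A legitimate user mistyping a password twice stays below the threshold.
    {"time": "2024-09-10T08:15:00", "id": 4625, "type": 10, "src": "198.51.100.5", "user": "jdoe"},
    {"time": "2024-09-10T08:15:10", "id": 4625, "type": 10, "src": "198.51.100.5", "user": "jdoe"},
    {"time": "2024-09-10T08:15:25", "id": 4624, "type": 10, "src": "198.51.100.5", "user": "jdoe"},
    # Five failures spread 30 minutes apart never fit inside the window.
    {"time": "2024-09-10T10:00:00", "id": 4625, "type": 10, "src": "192.0.2.44", "user": "svc"},
    {"time": "2024-09-10T10:30:00", "id": 4625, "type": 10, "src": "192.0.2.44", "user": "svc"},
    {"time": "2024-09-10T11:00:00", "id": 4625, "type": 10, "src": "192.0.2.44", "user": "svc"},
    {"time": "2024-09-10T11:30:00", "id": 4625, "type": 10, "src": "192.0.2.44", "user": "svc"},
    {"time": "2024-09-10T12:00:00", "id": 4625, "type": 10, "src": "192.0.2.44", "user": "svc"},
    # Network (type 3) failures are out of scope for this RDP-specific rule.
    {"time": "2024-09-10T09:00:00", "id": 4625, "type": 3, "src": "192.0.2.9", "user": "svc"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source that produced at least `threshold` failed
    RDP logons within `window`, noting whether a successful RDP logon from the
    same source followed (the combination to treat as a probable compromise
    rather than a user mistyping a password)."""
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    totals = defaultdict(int)    # src -> all RDP failures seen
    users = defaultdict(set)     # src -> account names tried
    findings = {}
    for e in events:
        if e["type"] != RDP_LOGON_TYPE:
            continue
        src, t = e["src"], parse_ts(e["time"])
        if e["id"] == EVENT_LOGON_FAILED:
            totals[src] += 1
            users[src].add(e["user"])
            recent[src] = [f for f in recent[src] if t - f <= window] + [t]
            if len(recent[src]) >= threshold and src not in findings:
                findings[src] = {
                    "src": src,
                    "first_failure": recent[src][0].isoformat(),
                    "success_after": False,
                    "success_user": None,
                }
        elif e["id"] == EVENT_LOGON_SUCCESS and src in findings and not findings[src]["success_after"]:
            findings[src]["success_after"] = True
            findings[src]["success_user"] = e["user"]
    for src, f in findings.items():
        f["failures"] = totals[src]
        f["users"] = sorted(users[src])
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

A finding with `success_after` set is the one to escalate: a successful logon after a burst of guesses against several accounts from the same address is the point at which Phobos operators move from initial access to persistence, so the account named in `success_user` should be disabled and the session investigated.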
Monitoring and Response Recommendations
It is recommended to monitor the email addresses associated with Phobos ransomware rather than blocking them outright. Monitoring is critical because ransom demands are typically communicated through these addresses, so visibility into mail to or from them lets a compromised organisation recognise that an incident is under way. Blocking them outright could prevent the organisation from realising it has been compromised and delay response efforts.
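The IoC lists above and the monitor-rather-than-block recommendation fit together as a single matching policy: domains and IP addresses are candidates for a blocklist, while the ransom-contact email addresses should only raise an alert so that a ransom note in the mail flow is seen rather than silently dropped. The following scanner is an added example, not the report's own tooling. The IoC values are the ones listed in this report (the email list here is a short subset; in practice the full list would be loaded); the refanging, the token-boundary matching and the log lines are constructed for illustration.

```python
"""Match the report's defanged Phobos IoCs against log lines and tag each hit
with the action the monitoring recommendation implies.

Added example; IoC values are from the report above, log lines are constructed.
"""
import re

# Defanged values copied from the report's IoC lists.
DOMAIN_IOCS = [
    "adstat477d[.]xyz", "demstat577d[.]xyz", "serverxlogs21[.]xyz",
    "mslogger78[.]xyz", "syscheck-log[.]xyz",
]
IP_IOCS = ["194.165.16[.]4", "45.9.74[.]14", "147.78.47[.]224", "185.202.0[.]111"]
EMAIL_IOCS = ["info@fobos[.]one", "helpfiles@onionmail[.]org", "recovery2021@inboxhub[.]net"]

# Action policy per IoC kind, following the recommendation above: contact
# addresses are watched, not blocked, so a ransom demand is not lost.
POLICY = {"domain": "block", "ip": "block", "email": "monitor"}


def refang(value):
    """Turn the published, defanged form ('example[.]xyz') back into a matchable string."""
    return value.replace("[.]", ".")


def _pattern(kind, value):
    # Domains may appear as a subdomain of the IoC, so a '.' may precede them;
    # IPs and emails must start at a token boundary so that 45.9.74.14 is not
    # found inside 145.9.74.140.
    lead = r"(?<![\w-])" if kind == "domain" else r"(?<![\w.-])"
    return re.compile(lead + re.escape(value) + r"(?![\w-])", re.IGNORECASE)


IOC_TABLE = [
    (refang(v), kind, POLICY[kind], _pattern(kind, refang(v)))
    for kind, values in (("domain", DOMAIN_IOCS), ("ip", IP_IOCS), ("email", EMAIL_IOCS))
    for v in values
]

# Constructed DNS, firewall and mail-gateway lines for illustration only.
SAMPLE_LOGS = [
    "2024-09-12T03:14:07Z dns client=10.0.5.21 query=syscheck-log.xyz type=A",
    "2024-09-12T03:14:09Z fw action=allow src=10.0.5.21 dst=185.202.0.111 dport=443",
    "2024-09-12T03:20:40Z fw action=allow src=10.0.5.21 dst=145.9.74.140 dport=443",  # near miss
    '2024-09-12T04:02:11Z mail from=jsmith@corp.example to=helpfiles@onionmail.org subject="ID 7F3A"',
    "2024-09-12T04:05:00Z dns client=10.0.7.3 query=cdn.adstat477d.xyz type=A",       # subdomain
    "2024-09-12T05:00:00Z fw action=allow src=10.0.9.9 dst=203.0.113.80 dport=443",    # benign
]


def scan_logs(lines):
    """Return one hit per (line, IoC) pair, tagged with its kind and policy action."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ioc, kind, action, pattern in IOC_TABLE:
            if pattern.search(line):
                hits.append({"line": number, "ioc": ioc, "kind": kind, "action": action})
    return hits


def group_by_action(hits):
    """Collapse hits into {action: sorted matched IoCs}: one set feeds a
    blocklist update, the other a monitoring alert for the incident team."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["action"], set()).add(h["ioc"])
    return {action: sorted(iocs) for action, iocs in grouped.items()}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['kind']} {h['ioc']} -> {h['action']}")
    print(group_by_action(found))
```

The email hit on the mail-gateway line is the case the recommendation is about: an outbound message to a Phobos contact address is strong evidence that someone inside the organisation is already reading a ransom note, which is a response trigger, not something to filter.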
Mitigation Strategies
- Secure RDP: Disable or restrict access to RDP ports. Use VPNs and strong authentication methods.
- Patch Systems: Regularly update software to fix vulnerabilities.
- Endpoint Security: Deploy EDR tools to detect and mitigate threats.
- Network Segmentation: Limit the lateral movement of threats through network segmentation.
- Backup and Recovery: Maintain and regularly test offline backups.
Conclusion
Phobos ransomware continues to be a formidable threat, especially to critical sectors such as healthcare, government, and education. The ransomware's persistent activity throughout 2024 underscores its adaptability and the ongoing risk it poses to organisations worldwide. The detailed Indicators of Compromise (IoCs) provided in this report should be integrated into security systems to enhance detection and response capabilities. By implementing the recommended mitigation strategies, organisations can better protect themselves against this evolving threat. Regular monitoring and proactive security measures are essential to minimise the impact of Phobos ransomware and ensure robust defence against future attacks.
Sources
- CISA - #StopRansomware: Phobos Ransomware
  https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
- Avast - What is Phobos Ransomware and How to Remove It
  https://www.avast.com/en-au/business/resources/what-is-phobos-ransomware#pc
- Fortinet - Another Phobos Ransomware Variant Launches Attack – FAUST
  https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust
- Any Run - Malware Analysis Phobos.exe Malicious Activity
  https://any.run/report/43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc/766b879b-5e3c-4137-914a-d8f87ce8c3d8