Rising Phobos Ransomware Activity in High-Impact Sectors

Threat Group: Phobos Ransomware Operators
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Exposed Remote Desktop Protocol (RDP) Ports, Weak Passwords, Phishing Attacks
Malware Used: Phobos Ransomware

Overview:

Phobos ransomware remains a significant and evolving threat, particularly targeting critical sectors such as healthcare, government, and education. Since its emergence in 2019, Phobos has continued to cause widespread disruption by encrypting data and demanding ransoms. This report outlines the latest Indicators of Compromise (IoCs), tactics, and recommended mitigation strategies associated with Phobos ransomware.

Recent Activity:

Phobos ransomware has been actively targeting organisations as recently as September 2024. Notable incidents include attacks on healthcare systems in Europe and North America, leading to significant disruptions in patient care and data breaches. The ransomware has also been observed in attacks on local government networks, where it has encrypted critical data and demanded substantial ransoms. Additionally, educational institutions have reported incidents where Phobos has compromised networks, leading to the exfiltration of sensitive student and faculty data.

These incidents underscore the persistent and adaptable nature of Phobos ransomware, which continues to be a major threat across various sectors. The ongoing activity indicates that threat actors using Phobos are actively refining their tactics to bypass security measures and maximise the impact of their attacks.

Phobos Ransomware Indicators of Compromise (IoCs)

Below is the comprehensive list of Phobos IoCs, categorised by Domains, Email Addresses, IP Addresses, and File Hashes.

Domains:

  • adstat477d[.]xyz
  • demstat577d[.]xyz
  • serverxlogs21[.]xyz
  • mslogger78[.]xyz
  • syscheck-log[.]xyz

Email Addresses:

  • AlbetPattisson1981@protonmail[.]com
  • henryk@onionmail[.]org
  • atomicday@tuta[.]io
  • info@fobos[.]one
  • axdus@tuta[.]io
  • it.issues.solving@outlook[.]com
  • barenuckles@tutanota[.]com
  • JohnWilliams1887@gmx[.]com
  • Bernard.bunyan@aol[.]com
  • jonson_eight@gmx[.]us
  • bill.g@gmx[.]com
  • joshuabernandead@gmx[.]com
  • bill.g@msgsafe[.]io
  • LettoIntago@onionmail[.]com
  • bill.g@onionmail[.]org
  • Luiza.li@tutanota[.]com
  • bill.gTeam@gmx[.]com
  • MatheusCosta0194@gmx[.]com
  • blair_lockyer@aol[.]com
  • mccreight.ellery@tutanota[.]com
  • CarlJohnson1948@gmx[.]com
  • megaport@tuta[.]io
  • cashonlycash@gmx[.]com
  • miadowson@tuta[.]io
  • chocolate_muffin@tutanota[.]com
  • MichaelWayne1973@tutanota[.]com
  • claredrinkall@aol[.]com
  • normanbaker1929@gmx[.]com
  • clausmeyer070@cock[.]li
  • nud_satanakia@keemail[.]me
  • colexpro@keemail[.]me
  • please@countermail[.]com
  • cox.barthel@aol[.]com
  • precorpman@onionmail[.]org
  • crashonlycash@gmx[.]com
  • recovery2021@inboxhub[.]net
  • everymoment@tuta[.]io
  • recovery2021@onionmail[.]org
  • expertbox@tuta[.]io
  • SamuelWhite1821@tutanota[.]com
  • fastway@tuta[.]io
  • SaraConor@gmx[.]com
  • fquatela@techie[.]com
  • secdatltd@gmx[.]com
  • fredmoneco@tutanota[.]com
  • skymix@tuta[.]io
  • getdata@gmx[.]com
  • sory@countermail[.]com
  • greenbookBTC@gmx[.]com
  • spacegroup@tuta[.]io
  • greenbookBTC@protonmail[.]com
  • stafordpalin@protonmail[.]com
  • helperfiles@gmx[.]com
  • starcomp@keemail[.]me
  • helpermail@onionmail[.]org
  • xdone@tutamail[.]com
  • helpfiles@onionmail[.]org
  • xgen@tuta[.]io
  • helpfiles102030@inboxhub[.]net
  • xspacegroup@protonmail[.]com
  • helpforyou@gmx[.]com
  • zgen@tuta[.]io
  • helpforyou@onionmail[.]org
  • zodiacx@tuta[.]io

IP Addresses:

  • 194.165.16[.]4 (October 2023)
  • 45.9.74[.]14 (December 2023)
  • 147.78.47[.]224 (December 2023)
  • 185.202.0[.]111 (September and December 2023)

File Hashes:

  • SHA-256 Hashes:
    • 58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
    • f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed
    • 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
    • 9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c
    • 482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52
    • c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
    • 32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3
    • 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
    • fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6
    • a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

Tactics, Techniques, and Procedures (TTPs)

Phobos typically gains initial access via exposed RDP ports or phishing emails, often followed by brute-force attacks to crack weak passwords. The ransomware uses various methods to maintain persistence and evade detection, including registry modifications and disabling security tools.
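The RDP brute-force step described above leaves a characteristic trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (event 4624) from the same source. The following detector is an added example, not code from the original advisory; the event records are constructed samples with field names chosen for this example rather than any vendor's schema, and the threshold and window values are assumptions a team would tune to its own baseline.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example, not part of the original advisory. SAMPLE_EVENTS is a
constructed stand-in for Security log events: 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
Field names are this example's own, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def ev(time, event_id, logon_type, src_ip, user):
    """Build one constructed event record."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


# Constructed sample events; TEST-NET addresses stand in for external hosts.
SAMPLE_EVENTS = [
    # 198.51.100.7: six RDP failures in 90 s against several accounts, then a success
    ev("2024-09-10T02:00:00", 4625, 10, "198.51.100.7", "administrator"),
    ev("2024-09-10T02:00:12", 4625, 10, "198.51.100.7", "admin"),
    ev("2024-09-10T02:00:25", 4625, 10, "198.51.100.7", "backup"),
    ev("2024-09-10T02:00:41", 4625, 10, "198.51.100.7", "administrator"),
    ev("2024-09-10T02:01:03", 4625, 10, "198.51.100.7", "svc_backup"),
    ev("2024-09-10T02:01:30", 4625, 10, "198.51.100.7", "svc_backup"),
    ev("2024-09-10T02:02:10", 4624, 10, "198.51.100.7", "svc_backup"),
    # 203.0.113.5: a user mistyping a password twice, then logging in (benign)
    ev("2024-09-10T08:15:00", 4625, 10, "203.0.113.5", "jsmith"),
    ev("2024-09-10T08:15:20", 4625, 10, "203.0.113.5", "jsmith"),
    ev("2024-09-10T08:15:45", 4624, 10, "203.0.113.5", "jsmith"),
    # 192.0.2.9: five failures spread over an hour (below the burst rate)
    ev("2024-09-10T09:00:00", 4625, 10, "192.0.2.9", "guest"),
    ev("2024-09-10T09:12:00", 4625, 10, "192.0.2.9", "guest"),
    ev("2024-09-10T09:24:00", 4625, 10, "192.0.2.9", "guest"),
    ev("2024-09-10T09:36:00", 4625, 10, "192.0.2.9", "guest"),
    ev("2024-09-10T09:48:00", 4625, 10, "192.0.2.9", "guest"),
    # a network (type 3) failure is out of scope for this RDP-specific rule
    ev("2024-09-10T10:00:00", 4625, 3, "198.51.100.7", "administrator"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: alert} for sources with >= threshold failed RDP logons
    inside any sliding window, noting whether an RDP success followed."""
    ordered = sorted(events, key=lambda e: e["time"])   # ISO-8601 sorts lexically
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    history = defaultdict(list)   # src_ip -> (timestamp, user) for every failure
    alerts = {}
    for e in ordered:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == FAILED_LOGON:
            history[ip].append((ts, e["user"]))
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # drop failures older than the window
                q.popleft()
            if len(q) >= threshold or ip in alerts:
                users = {u for _, u in history[ip]}
                alerts[ip] = {
                    "failures": len(history[ip]),
                    "distinct_users": len(users),
                    "first": history[ip][0][0],
                    "last": ts,
                    # keep an already-recorded success when refreshing the alert
                    "success_after": alerts.get(ip, {}).get("success_after"),
                }
        elif e["event_id"] == SUCCESS_LOGON and ip in alerts:
            # a success after a burst is the case that needs immediate IR attention
            if alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = e["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        sev = "HIGH (logon succeeded)" if a["success_after"] else "MEDIUM"
        print(f"{ip}: {a['failures']} RDP failures, {a['distinct_users']} accounts, "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} -> {sev}")
```

The rule deliberately ignores non-RDP logon types so that ordinary SMB or service-account noise does not trigger it, and it escalates severity when a success follows the burst, which is the point at which password guessing has turned into a compromise.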

Monitoring and Response Recommendations

It is recommended to monitor the email addresses associated with Phobos ransomware rather than blocking them outright. Monitoring these addresses is critical because the ransom demand is often communicated through them, so a compromised organisation that watches for traffic to or from these addresses can recognise the demand for what it is. Blocking them might prevent the organisation from realising it has been compromised, potentially delaying response efforts.
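Putting the IoC lists above and this monitoring recommendation together: the following script is an added example, not code from the original report. It refangs a subset of the report's defanged indicators (the values are copied from the sections above; the full lists are longer), extracts candidate domains, IP addresses, SHA-256 hashes and email addresses from log lines, and tags email matches for monitoring rather than blocking, as the report advises. The log lines and their DNS, firewall, EDR and mail-gateway formats are constructed for this example.

```python
"""Refang the advisory's IoCs and match them against log lines.

Added example, not part of the original report. The indicator values are a
subset copied from the report; the log lines are constructed samples in
invented formats. Email hits are tagged 'monitor' rather than 'alert',
following the report's recommendation not to block actor contact addresses.
"""
import re

# Subset of the report's defanged indicators (full lists appear above)
IOC_DOMAINS = ["adstat477d[.]xyz", "demstat577d[.]xyz", "serverxlogs21[.]xyz",
               "mslogger78[.]xyz", "syscheck-log[.]xyz"]
IOC_IPS = ["194.165.16[.]4", "45.9.74[.]14", "147.78.47[.]224", "185.202.0[.]111"]
IOC_EMAILS = ["info@fobos[.]one", "recovery2021@onionmail[.]org",
              "helpfiles@onionmail[.]org", "bill.g@onionmail[.]org"]
IOC_SHA256 = ["58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6",
              "f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed"]

# Constructed sample log lines; 10.0.0.0/8 hosts are the internal network.
SAMPLE_LOGS = [
    "2024-09-12T10:01:05 dns client=10.0.0.23 query=syscheck-log.xyz type=A",
    "2024-09-12T10:01:06 dns client=10.0.0.23 query=updates.example.com type=A",
    "2024-09-12T10:02:11 fw action=allow src=10.0.0.23 dst=185.202.0.111 dport=443",
    "2024-09-12T10:05:40 edr host=WS-23 image=C:\\Users\\Public\\fast.exe "
    "sha256=58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6",
    "2024-09-12T10:06:02 edr host=WS-23 image=C:\\Windows\\notepad.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2024-09-12T11:30:00 mail direction=outbound from=jdoe@example.com "
    "to=recovery2021@onionmail.org subject=decrypt",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp') back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


INDICATORS = {
    "domain": {refang(d) for d in IOC_DOMAINS},
    "ip": {refang(i) for i in IOC_IPS},
    "email": {refang(e) for e in IOC_EMAILS},
    "sha256": {h.lower() for h in IOC_SHA256},
}

# Candidate extractors, applied in this order; each pattern's matches are
# masked before the next runs so an email's domain part is not re-read as a
# bare domain and an IP is not re-read as anything else.
PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}")),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
]

# Per the report: contact addresses are monitored, not blocked, so that a
# ransom demand sent to them is still seen by defenders.
ACTION = {"email": "monitor", "domain": "alert", "ip": "alert", "sha256": "alert"}


def scan_line(line: str) -> list:
    """Return a list of {kind, value, action} hits for one log line."""
    text = line.lower()
    hits = []
    for kind, pattern in PATTERNS:
        for candidate in pattern.findall(text):
            if candidate in INDICATORS[kind]:
                hits.append({"kind": kind, "value": candidate, "action": ACTION[kind]})
        text = pattern.sub(" ", text)   # mask consumed candidates
    return hits


def scan_logs(lines) -> list:
    """Scan many lines; each hit carries the originating line for triage."""
    results = []
    for line in lines:
        for hit in scan_line(line):
            hit["line"] = line
            results.append(hit)
    return results


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"[{hit['action']:7}] {hit['kind']:6} {hit['value']}  <- {hit['line'][:60]}")
```

An email hit from an outbound mail log is the signal the report is describing: an internal user writing to an actor contact address almost always means a ransom note has already been found on a host, so that hit should open an incident rather than merely a ticket.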

Mitigation Strategies

  • Secure RDP: Disable or restrict access to RDP ports. Use VPNs and strong authentication methods.
  • Patch Systems: Regularly update software to fix vulnerabilities.
  • Endpoint Security: Deploy EDR tools to detect and mitigate threats.
  • Network Segmentation: Limit the lateral movement of threats through network segmentation.
  • Backup and Recovery: Maintain and regularly test offline backups.

Conclusion

Phobos ransomware continues to be a formidable threat, especially to critical sectors such as healthcare, government, and education. The ransomware's persistent activity throughout 2024 underscores its adaptability and the ongoing risk it poses to organisations worldwide. The detailed Indicators of Compromise (IoCs) provided in this report should be integrated into security systems to enhance detection and response capabilities. By implementing the recommended mitigation strategies, organisations can better protect themselves against this evolving threat. Regular monitoring and proactive security measures are essential to minimise the impact of Phobos ransomware and ensure robust defence against future attacks.
