Rising Phobos Ransomware Activity in High-Impact Sectors
Threat Group: Phobos Ransomware Operators
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Exposed Remote Desktop Protocol (RDP) Ports, Weak Passwords, Phishing Attacks
Malware Used: Phobos Ransomware
Overview:
Phobos ransomware remains a significant and evolving threat, particularly targeting critical sectors such as healthcare, government, and education. Since its emergence in 2019, Phobos has continued to cause widespread disruption by encrypting data and demanding ransoms. This report outlines the latest Indicators of Compromise (IoCs), tactics, and recommended mitigation strategies associated with Phobos ransomware.
Recent Activity:
Phobos ransomware has been actively targeting organisations as recently as September 2024. Notable incidents include attacks on healthcare systems in Europe and North America, leading to significant disruptions in patient care and data breaches. The ransomware has also been observed in attacks on local government networks, where it has encrypted critical data and demanded substantial ransoms. Additionally, educational institutions have reported incidents where Phobos has compromised networks, leading to the exfiltration of sensitive student and faculty data.
These incidents underscore the persistent and adaptable nature of Phobos ransomware, which continues to be a major threat across various sectors. The ongoing activity indicates that threat actors using Phobos are actively refining their tactics to bypass security measures and maximise the impact of their attacks.
Phobos Ransomware Indicators of Compromise (IoCs)
Below is the comprehensive list of Phobos IoCs, categorised by Domains, Email Addresses, IP Addresses, and File Hashes.
Domains:
adstat477d[.]xyz
demstat577d[.]xyz
serverxlogs21[.]xyz
mslogger78[.]xyz
syscheck-log[.]xyz
Email Addresses:
IP Addresses:
194.165.16[.]4 (October 2023)
45.9.74[.]14 (December 2023)
147.78.47[.]224 (December 2023)
185.202.0[.]111 (September and December 2023)
File Hashes:
- SHA-256 Hashes:
Tactics, Techniques, and Procedures (TTPs)
Phobos typically gains initial access via exposed RDP ports or phishing emails, often followed by brute-force attacks to crack weak passwords. The ransomware uses various methods to maintain persistence and evade detection, including registry modifications and disabling security tools.
Monitoring and Response Recommendations
It is recommended to monitor the email addresses associated with Phobos ransomware rather than blocking them outright. Monitoring these addresses is critical because the ransom demand is usually communicated through them, so an alert on their appearance in mail traffic or in a ransom note lets an organisation recognise that its environment has been compromised. Blocking them outright could instead prevent the organisation from realising it has been compromised, delaying response efforts.
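One way to act on this recommendation, as an added example that is not part of the original report: a small Python scanner that refangs indicators written in the report's `[.]` notation and flags, rather than blocks, any mail-log line or file content that references one. The two domains are taken from the report's IoC list; the contact address, the ransom-note text and the log lines are constructed.

```python
import re

# Indicators in the report's defanged notation. The two domains are from the
# report's IoC list; the contact address is a constructed placeholder.
DEFANGED_IOCS = [
    "adstat477d[.]xyz",
    "syscheck-log[.]xyz",
    "recovery-contact@example[.]invalid",  # constructed placeholder
]


def refang(ioc: str) -> str:
    """Turn the '[.]' and 'hxxp' defanging used in reports back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(iocs):
    """Compile one case-insensitive pattern covering every refanged indicator."""
    return re.compile("|".join(re.escape(refang(i)) for i in iocs), re.IGNORECASE)


def scan_lines(lines, matcher):
    """Return (line_no, indicator, line) for each line that references an IoC.

    Detection only: the line is reported so responders see the ransom contact;
    nothing is dropped or rewritten.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = matcher.search(line)
        if m:
            hits.append((n, m.group(0).lower(), line.strip()))
    return hits


# Constructed sample input: a ransom-note fragment, two mail-log lines and a DNS log line.
SAMPLE = """All your files have been encrypted!
Write to recovery-contact@example.invalid and quote your ID.
mail: from=<user@corp.example> to=<Recovery-Contact@example.invalid> status=sent
mail: from=<user@corp.example> to=<colleague@corp.example> status=sent
dns: query A adstat477d.xyz client=10.0.0.12
""".splitlines()


def demo():
    return scan_lines(SAMPLE, build_matcher(DEFANGED_IOCS))


if __name__ == "__main__":
    for n, ioc, line in demo():
        print(f"ALERT line {n}: {ioc} in: {line}")
```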
Mitigation Strategies
- Secure RDP: Disable or restrict access to RDP ports. Use VPNs and strong authentication methods.
- Patch Systems: Regularly update software to fix vulnerabilities.
- Endpoint Security: Deploy EDR tools to detect and mitigate threats.
- Network Segmentation: Limit the lateral movement of threats through network segmentation.
- Backup and Recovery: Maintain and regularly test offline backups.
Conclusion
Phobos ransomware continues to be a formidable threat, especially to critical sectors such as healthcare, government, and education. The ransomware's persistent activity throughout 2024 underscores its adaptability and the ongoing risk it poses to organisations worldwide. The detailed Indicators of Compromise (IoCs) provided in this report should be integrated into security systems to enhance detection and response capabilities. By implementing the recommended mitigation strategies, organisations can better protect themselves against this evolving threat. Regular monitoring and proactive security measures are essential to minimise the impact of Phobos ransomware and ensure robust defence against future attacks.
Sources
- CISA - #StopRansomware: Phobos Ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
- Avast - What is Phobos Ransomware and How to Remove It: https://www.avast.com/en-au/business/resources/what-is-phobos-ransomware#pc
- Fortinet - Another Phobos Ransomware Variant Launches Attack – FAUST: https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust
- Any Run - Malware Analysis Phobos.exe Malicious Activity: https://any.run/report/43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc/766b879b-5e3c-4137-914a-d8f87ce8c3d8