Threat Overview – Phobos
The Phobos Ransomware variant has been active since May of 2019, targeting a variety of entities that include governments, emergency services, critical infrastructure, education and public healthcare. Operating under a RaaS (Ransomware-as-a-Service) model, this ransomware variant has been responsible for the extortion of millions of dollars from victims targeted. Since it was first observed, there have been multiple variants that spun from Phobos; Eking, Eight, Elbie, Devos, Faust, and Backmydata – with Cisco Talos relaying in 2023, that the actors utilizing 8Base ransomware were exploiting a variant of Phobos in their attacks. Known for implementing a variety of initial access vectors, such as phishing campaigns to deliver payloads like SmokeLoader (used to deliver payloads) and exploiting exposed Remote Desktop Protocol (RDP) services through brute-force attacks – eventually leading to the encryption of files below a file size threshold (1.5MB) and partially encrypting any that are above that in order to shorten the time it takes for the encryption stage to complete. On February 2024, CISA, FBI and MS-ISAC released an advisory on Phobos Ransomware as part of an effort against Ransomware variants and to better equip organizations that may be susceptible to infection. Due to the multiple variants that are by-product(s) of Phobos Ransomware, and the very recent advisory from government entities; it is pertinent that an organization understands and prepares for this threat in order to safeguard assets.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
Autorun or ASEP Registry Key Modification
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the \”run keys\” in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
Windows Management Instrumentation (WMI) Call to delete ShadowCopy via WMIC Command
The intent of this Hunt Package is to identify when the wmic command is utilized to delete shadow copies. The provided logic utilizes the Command Line to identify matching activities as to include the wmic command being executed as a standalone command via wmic.exe or by other applications such as Windows Command Prompt or PowerShell. The wmic command utilizes Windows Management Instrumentation (WMI) to delete the ShadowCopy. This activity is commonly done to disrupt restoration and recovery capabilities.
Delete System Catalog
This content is designed to detect when wbadmin.exe is used to delete a local backup catalog, known to be used by malware to inhibit system recovery.
File Created In Startup Folder
This package is designed to detect the activity around a file being created and put in the Windows Startup Folder.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
