CISA warns state, local government about Phobos ransomware

The Cybersecurity and Infrastructure Security Agency on Thursday released an advisory warning of known cyberattack techniques and indicators of compromise to help public sector organizations better protect themselves against ransomware, specifically from the threat actor Phobos.

The advisory says that since 2019, Phobos, a ransomware-as-a service provider, has targeted the IT systems of municipal and county governments, emergency services, education institutions, public health care systems and other critical infrastructure. Ransomware-as-a-service, or RaaS, allows those with minimal technical expertise to launch ransomware attacks by using pre-developed tools.

Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, an Upstate New York nonprofit that runs the federally funded Multi-State Information Sharing and Analysis Center, said he’s seen a growing frequency of RaaS cyberattacks across the public sector in recent years.

“Phobos is pretty standard ransomware,” Rose told StateScoop. “We do see them across the [state, local, tribal and territorial] sector, which is one of the reasons why we pay a lot of attention to them.”

Though CISA and other federal agencies advise against fulfilling ransomware payments, as they do not guarantee that data obtained by hackers will no longer be compromised or lead to a restoration of services and data, CISA says Phobos has extracted several million U.S. dollars in ransomware payments from its victims.

According to a 2021 report by the U.S. Department of Health & Human Services, the average Phobos ransomware payment is approximately $38,100.

“Phobos ransomware incidents impacting state, local, tribal, and territorial governments have been regularly reported to the [Multi-State Information Sharing and Analysis Center],” the advisory states, though it’s unclear how many ransomware incidents Phobos can claim.

In 2023, Security Affairs reported that “experts attributed 67 attacks to the group in May 2023,” with most of its victims located in the U.S. or Brazil.

Ransomware techniques

The CISA advisory says Phobos ransomware uses two main techniques to gain system access. One is phishing, the practice of stealing account login details by tricking people into opening malicious email attachments. The other is gaining direct access using the Remote Desktop Protocol, a Microsoft network tool that allows users to control computers remotely.

Rose said that phishing campaigns, like the kind Phobos ransomware uses, are by far the most common and effective tactic used in cyberattacks, not because they’re the easiest to deploy, but because they take advantage of human weaknesses.

“Phishing is a social engineering attack, right? We like to click on things [because] we’re curious people, we’re curious creatures. And we’re also easily manipulated,” Rose said. “It’s why magicians still fool people and mentalists and illusionists and people who talk to the dead, like we want to believe these kinds of things.”

He also said phishing emails are getting harder and harder to detect, in part, due to generative artificial intelligence.

“Generative AI can help you write a phishing email that’s extremely convincing,” Rose said. “I don’t think we’re going to see the end of phishing being the intrusion vector of choice for these actors, just simply because it’s so effective. And because now we have these tools that are essentially making it more effective.”

Generative AI for ransomware defense

Rose said he believes generative AI can also be used to combat more sophisticated phishing campaigns.

“I think gen AI is going to help us on the defense side significantly,” Rose said. “We’re going to be able to see things that nobody else that no human could detect on their own, and we’ll use AI to help detect and prevent those.”

Once Phobos gains access, the advisory says, the ransomware installs itself in key locations, such as the Windows Startup folder, and creates new registry keys in the operating system. It then targets local user files and network shares and monitors for new files that meet the requirements for encryption, including documents, commonly used folders and other media. The attacker then demands ransom from its victims in exchange for a decryption key.

Since no Phobos decryptor exists other than those held by the ransomware’s creators, CISA recommends securing Remote Desktop Protocol, using strong passwords and account lockout policies, using multi-factor authentication, using virtual private networks and regularly updating software — all long-established best practices in information security.