Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware

AttackIQ has released a new attack graph in response to the CISA Advisory (AA24-060A) published on February 29, 2024, which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024. Read More

On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

AttackIQ has previously responded to this CISA Advisory on March 1, 2024, with the release of an Assessment Template that emulated the behaviors exhibited by Phobos Ransomware in recent activities.

Phobos is a Ransomware family operated under the Ransomware-as-a-Service (RaaS) business model that has been active since at least May 2019 and, since its emergence, has undergone only minimal developments despite its popularity among criminal groups.

Phobos is an evolution of the Dharma/Crysis ransomware and, according to open-source reporting, is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in related intrusions.

The ransomware operates in conjunction with various open-source and commodity tools such as SmokeLoader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many adversaries.

Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.

AttackIQ has released a new attack graph which includes the various Tactics, Techniques and Procedures (TTPs) exhibited by Phobos ransomware in recent activities with the aim of helping customers validate their security controls and their ability to defend against this sophisticated and recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct industry-wide ransomware activities.
  • Assess their security posture against activities focused on both exfiltration and encryption of sensitive information.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[CISA AA24-060A] #StopRansomware: Phobos Ransomware

Phobos Ransomware - Attack Graph - FullClick for larger

This attack graph emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Phobos ransomware during recent activities.

This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by two reports published by Cisco Talos on November 17, 2023, one detailing the technical aspects of the ransomware and the other seeking to understand its affiliate structure.

Phobos Ransomware - Attack Graph - Stage 1Click for larger

This stage begins with the deployment of SmokeLoader, an eCrime backdoor featuring a wide range of capabilities, which is immediately executed through process injection via Native API.

Once executed, it deploys the Phobos ransomware which then proceeds to achieve persistence through registry run keys or, if prevented, through startup folders.

Ingress Tool Transfer (T1105): These scenarios download to memory and save to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Process Injection (T1055): This scenario performs process injection by allocating memory in a running process with VirtualAlloc, writing shellcode to that memory space, and then changing the memory protection option with VirtualProtect.

Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key that Windows uses to identify what applications should be run at system startup.

Logon Autostart Execution: Startup Folder (T1547.001): The Startup folder is a directory associated with the Windows Start Menu that can be used to launch a process at Windows logon. This scenario creates a LNK file in this directory that would execute at next Logon for all users.

Phobos Ransomware - Attack Graph - Stage 2Click for larger

This stage begins with the impersonation of a user by duplicating Access Tokens and continues with the use of the SeDebugPrivilege privilege, which grants access to the memory of any process and can be used to bypass access controls or gain full access to the local machine.

Then, the local firewall is disabled through netsh and User Account Control (UAC) is disabled through the registry.

Finally, modifications are made to several accessibility features associated with the Image File Execution Options (IFEO), which allow an attacker to execute an elevated command shell on the system by invoking the accessibility features from the Windows login screen.

Access Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated by another process. This method is commonly used to escalate privileges.

Access Token Manipulation (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivilege Windows API.

Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario temporarily disables the Windows Firewall using the netsh advfirewall utility. By disabling the Firewall, the adversary can open up previously blocked incoming or outgoing network connections that could allow for remote access.

Bypass User Account Control (T1548.002): This scenario attempts to disable UAC by modifying the registry value EnableLUA under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

Event Triggered Execution: Image File Execution Options Injection (T1546.012): These scenarios set Image File Execution Options (IFEO) through registry modifications under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ of a specific process.

Phobos Ransomware - Attack Graph - Stage 3Click for larger

This stage focuses on performing registry modifications to disable certain security features. These are done to enable Remote Desktop connections, unsolicited Remote Assistance, the Negotiate Security Layer Authentication, and disable Network Layer Authentication (NLA) for Remote Desktop connections to the host.

Finally, it proceeds with the attempt to move laterally to remote targets using Remote Desktop Protocol (RDP).

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections is set to 0 which will enable remote access to the system using Remote Desktop.

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited is set to 1 which will enable unsolicited remote assistance for remote desktop connections to the system

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication is set to 0 which will disable Network Layer Authentication (NLA) for remote desktop connections to the host.

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer is set to 1 which will enable the Network Security Layer Authentication for remote desktop connections to the host.

Remote Desktop Protocol (T1021.001): This scenario will attempt to move laterally to another previously discovered host through Remote Desktop Protocol (RDP) by using the dumped credentials.

Phobos Ransomware - Attack Graph - Stage 4Click for larger

This stage focuses on the identification of relevant information from the compromised environment by enumerating network resources, running processes, and available files and directories through Windows API calls.

Subsequently, the hacktool known as Mimikatz is deployed, which will be used to generate a dump of the LSASS process to retrieve additional credentials that could be used to move laterally.

Finally, the collected information and credentials are compressed and exfiltrated via File Transfer Protocol (FTP).

System Network Connections Discovery (T1049): This scenario performs network resource discovery by calling the WNetEnumResourceW Windows API call to enumerate network resources from the local computer.

Process Discovery (T1057): The Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.

File and Directory Discovery (T1083): This scenario will use the FindFirstFileW, FindNextFileW, and the GetFileSizeEx Windows API calls to enumerate file system.

OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors. Mimikatz is then used to dump the credentials from that minidump file.

Archive Collected Data: Archive via Utility (T1560.001): This scenario compresses all the specified input files with the given compression level to a .7z archive by executing the 7zip binary file.

Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.

Phobos Ransomware - Attack Graph - Stage 5Click for larger

This stage begins with the deletion of Windows event logs using the wevtutil.exe utility and continues with the removal of Volume Shadow Copies using vssadmin.exe in order to hinder recovery efforts.

Subsequently, encryption of relevant files is performed using an encryption suite similar to the one used by Phobos ransomware. The emulation concludes with the execution of a Microsoft HTML Application (HTA) file using MSHTA, thus imitating the way the ransomware displays the ransom note.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using a similar encryption routine as the one used by Phobos ransomware.

System Binary Proxy Execution: Mshta (T1218.010): This scenario uses Mshta.exe to execute a local Microsoft HTML Application (HTA) payload.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Phobos ransomware.

Password Brute-Force: This scenario can be configured to attempt to brute login using Remote Desktop Protocol (RDP) on remote systems with a username and password dictionary.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

2a. Detection

Search for executions of comsvcs.exe that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Phobos ransomware affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.