Phobos Ransomware Group
Actor Type | Criminal Group |
---|---|
According to public reporting, Phobos ransomware has been observed since at least 2019, and researchers have also linked it to the Dharma ransomware family. Reporting suggests that the group operates a Ransomware-as-a-Service (RaaS) model, with affiliates responsible for deploying the ransomware in victim environments.
Victims of Phobos have included local and regional government, public services, healthcare and critical infrastructure.
Phobos Ransomware Group Threat Reports
Report
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
References
https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
https://www.lemonde.fr/en/pixels/article/2023/11/10/phobos-ransomware-two-russians-arrested-following-a-dozen-attacks-in-france_6244594_13.html
https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/
https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1555 | Credentials from Password Stores | Credential Access |
T1562 | Impair Defenses | Defense Evasion |
T1027.002 | Software Packing | Defense Evasion |
T1001.003 | Protocol Impersonation | Command and Control |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1204.002 | Malicious File | Execution |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1219 | Remote Access Software | Command and Control |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1110 | Brute Force | Credential Access |
T1560 | Archive Collected Data | Collection |
T1059.003 | Windows Command Shell | Execution |
T1082 | System Information Discovery | Discovery |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1588.002 | Tool | Resource Development |
T1133 | External Remote Services | Initial Access, Persistence |
T1657 | Financial Theft | Impact |
T1490 | Inhibit System Recovery | Impact |
T1105 | Ingress Tool Transfer | Command and Control |
T1486 | Data Encrypted for Impact | Impact |
T1057 | Process Discovery | Discovery |
T1027.009 | Embedded Payloads | Defense Evasion |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1106 | Native API | Execution |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1595.001 | Scanning IP Blocks | Reconnaissance |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1218.005 | Mshta | Defense Evasion |
T1566.001 | Spearphishing Attachment | Initial Access |
T1003.005 | Cached Domain Credentials | Credential Access |
T1083 | File and Directory Discovery | Discovery |
T1047 | Windows Management Instrumentation | Execution |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1087.002 | Domain Account | Discovery |
T1555.005 | Password Managers | Credential Access |
T1003.001 | LSASS Memory | Credential Access |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1598 | Phishing for Information | Reconnaissance |
T1585 | Establish Accounts | Resource Development |
T1071.002 | File Transfer Protocols | Command and Control |