The Phobos ransomware, operated under a ransomware-as-a-service (RaaS) model, has been observed targeting state, local, tribal, and territorial governments, as well as critical infrastructure entities, since May 2019. Phobos actors gain initial access to vulnerable networks through phishing campaigns, IP scanning tools, and brute-force attacks on exposed RDP ports. They also use various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound to maintain persistence and escalate privileges within compromised environments. Variants including Elking, Eight, Devos, Backmydata, and Faust have been linked to Phobos because of similar tactics, techniques, and procedures (TTPs) observed in Phobos intrusions. The ransomware runs commands to delete volume shadow copies, disable Windows Firewall, and set the system's boot status policy to ignore all failures. It also deletes the system's backup catalog and displays a ransom note to the end user. Phobos actors use various email providers for communication and exfiltration, and they have been known to list victims and host stolen data on onion sites.
cisa.gov
