CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group

The FBI, CISA, and MS-ISAC are urging critical infrastructure organizations to be vigilant against Phobos ransomware. 

This advisory is part of the #StopRansomware initiative, providing defenders with details on Phobos ransomware, including its tactics, indicators of compromise, and mitigation strategies.

This ransomware-as-a-service (RaaS) has been observed targeting various sectors since May 2019, including:

  • Municipal and county governments
  • Emergency services
  • Education
  • Public healthcare

Recent Phobos attacks, reported as of February 2024, highlight the need for heightened awareness and strong security measures.

Technical Details

Phobos actors search for exposed RDP ports or send phishing emails with hidden malware.

They use brute-force tools to crack passwords or establish remote connections. Once inside, they research the victim to understand their network and steal data

Phobos attackers execute files like 1saas.exe or cmd.exe to install additional malware with administrator-level permissions. 

This lets them perform various actions on Windows systems, giving them wide control over the infected machine.

Phobos uses a three-stage process to deploy additional malware through Smokeloader:

  1. Injection: Smokeloader manipulates system functions to inject malicious code into running processes, bypassing security tools.
  2. Obfuscation: It uses a “stealth process” to hide its communication with its control server by masking it as requests to legitimate websites.
  3. Payload Delivery: Finally, it extracts a malicious payload from memory and prepares it for deployment.

This allows attackers to download additional malware onto the compromised system. Also, Phobos actors use commands to shut down the system’s firewall.

They employ tools like Universal Virus Sniffer, Process Hacker, and PowerTool to hide their activities from security software.


Phobos actors seek backups after exfiltration. They find and delete Windows volume shadow copies using vssadmin.exe and WMIC. After encryption, victims cannot restore files.

Phobos.exe may encrypt all target host logical disks. Phobos ransomware executables have unique build IDs, affiliate IDs, and embedded ransom notes. Phobos ransomware searches for and encrypts further files once the ransom letter appears.

Email is the primary method of extortion; however, some affiliate organizations phone victims. Phobos actors may name victims and host stolen data on Onion sites. Phobos actors interact using ICQ, Jabber, and QQ. Lists Phobos affiliates Devos, Eight, Elbie, Eking, and Faust’s email providers.

  • Secure remote access software.
  • Implement application controls.
  • Use intrusion detection systems.
  • Limit RDP usage and enforce best practices.
  • Review accounts and disable unnecessary permissions.
  • Implement backups and recovery plans.
  • Enforce strong password policies and multi-factor authentication.
  • Segment networks and monitor for abnormal activity.
  • Update antivirus software and disable unused ports and protocols.
  • Consider email security measures like banners and disabled hyperlinks.
  • Encrypt and protect backups.

Validate defenses:

  • Test security controls against the MITRE ATT&CK framework.
  • Regularly refine security programs based on the test results.

You cam check the complete IOC here.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.