#ThreatThursday - Phobos Ransomware

    Welcome to another #ThreatThursday! This time we are looking at the Phobos Ransomware that has been attacking and extorting small and medium businesses for payouts averaging $54,700 according to CoveWare. As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats GitHub, and we will show how to Attack, Detect, and Respond to Phobos attacks.

    Cyber Threat Intelligence

    Our Cyber Threat Intelligence for Phobos comes from a company that is familiar with ransomware incident response, BlackBerry. They posted a blog with procedure level data related to the tactics, techniques, and procedures (TTPs) observed during an incident they were working on. We consumed that report and mapped it to MITRE ATT&CK. You can find the MITRE ATT&CK Navigator layer on our Community Threats GitHub.

    Below is a table with the mapping:

    Tactic               Technique
    Description          Phobos is a ransomware-as-a-service that has been active since 2018 targeting small and medium businesses. Phobos is the rebranding of CrySIS and Dharma after their encryption keys were leaked.
    Initial Access       T1566 - Phishing Emails
                         T1078 - Valid Accounts via Remote Desktop Protocol
    Execution            T1059.003 - Command and Scripting Interpreter: Windows Command Shell
                         T1047 - Windows Management Instrumentation
    Command and Control  T1071 - Application Layer Protocol: HTTPS
                         T1573 - Encrypted Channel: HTTPS
                         T1219 - Remote Access Software
    Defense Evasion      T1562.004 - Impair Defenses: Disable or Modify System Firewall
                         T1218.005 - Signed Binary Proxy Execution: Mshta
    Persistence          T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Impact               T1486 - Data Encrypted for Impact
                         T1489 - Service Stop
                         T1490 - Inhibit System Recovery
                         T1491.001 - Internal Defacement

    Adversary Emulation 

    The adversary emulation plan comes in at 37 steps with some interesting procedures we will discuss in this section. If you want to follow along, download the Phobos plan from our Community Threats GitHub.

    Automated Emulation with SCYTHE

    SCYTHE users will be able to import and run the threat by following these simple steps:

    1. Download and import the threat in JSON format to your SCYTHE instance 
    2. Download the Virtual File System (VFS) files under the VFS folder
    3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Phobos
    4. Create a new campaign
    5. Import from Existing Threat: Phobos
    6. Launch Campaign
    7. Download the 32-bit EXE payload generated by SCYTHE 
    8. Rename the file to horsemoney.exe
    9. Execute horsemoney.exe with elevated privileges

    Manual Execution

    If you are not a SCYTHE user, you can manually execute some of the procedures from a command prompt. The Phobos ransomware was designed to run with elevated privileges. Running the horsemoney.exe that SCYTHE generates will automatically try to elevate privileges. If you are doing this manually, you will need to open an elevated command prompt. Here is what an end user would see if Phobos runs with non-admin privileges:

    Privilege escalation is done by simply prompting the end user with UAC. SCYTHE uses its automation language to first determine whether it is already running with administrative privileges and only prompts if it is not:

    • Step 3 checks if the process is running with administrative privileges: controller --integrity
    • Step 4 makes a decision: if running elevated, go to step 9
    • Step 5 will load the elevation module: loader --load elevate
    • Step 6 will elevate privileges like Phobos ransomware does: elevate --prompt
    • Step 7 will check if the privilege escalation worked: controller --integrity
    • If it did not, another decision is made: if not running elevated, go to step 20

    If running with local administrator privileges, Phobos and the SCYTHE threat attempt to evade defenses through Impair Defenses: Disable or Modify System Firewall (T1562.004) and Inhibit System Recovery (T1490):

    • vssadmin delete shadows /all /quiet
    • netsh advfirewall set currentprofile state off
    • netsh firewall set opmode mode=disable
    • wmic shadowcopy delete
    • bcdedit /set {default} bootstatuspolicy ignoreallfailures
    • bcdedit /set {default} recoveryenabled no
    • wbadmin delete catalog -quiet

    It then tries to persist when running as a local admin or a non-admin user by adding registry keys to execute files it copies to disk:

    • "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\StartUp\horsemoney.exe"
    • "%LocalAppData%\horsemoney.exe"
    • "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\horsemoney.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Windows\CurrentVersion\Run\horsem
    • HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Windows\CurrentVersion\Run\horsemoney

    Lastly, it encrypts files with a .HORSEMONEY extension and opens the ransom note via Signed Binary Proxy Execution: Mshta (T1218.005):

    • mshta.exe "%USERPROFILE%\Desktop\Phobos\info.hta"
    Image from coveware.com

    Detect & Respond

    Instead of repeating the general ransomware defenses you can get from the Ransomware Task Force, we want to cover notable items observed in the Phobos ransomware that are not common in the other ransomware we track:

    • Assumes execution will be from a user that is local administrator
    • Does not exfiltrate data to perform double extortion - posting leaks to entice the target to pay
    • Uses mshta.exe to open the ransom note - most threat actors use mshta.exe for initial execution/access
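    As an added example (not part of the original post or the SCYTHE threat), the Python below runs simple command-line detections for the Phobos procedures listed above over constructed Sysmon-style process-creation records and flags a parent process that chains more than one technique, which is what Phobos does when it runs elevated. The event field names, the sample paths and the hypothetical horsemoney.exe location are assumptions.

```python
import re
from collections import defaultdict

# Command-line detections for the Phobos procedures above, keyed by ATT&CK technique ID.
RULES = [
    ("T1490", "vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadow deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recovery tampering",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "wbadmin catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.004", "netsh firewall disable",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
    ("T1218.005", "mshta opening an .hta from a user profile",
     re.compile(r"\bmshta(\.exe)?\s+.*\\Users\\.*\.hta", re.I)),
]

# Constructed Sysmon Event ID 1 style records (assumed field names); not real telemetry.
PHOBOS = r"C:\Users\bob\AppData\Local\horsemoney.exe"  # hypothetical dropped copy
SAMPLE_EVENTS = [
    {"ParentImage": PHOBOS, "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentImage": PHOBOS, "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"ParentImage": PHOBOS, "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ParentImage": PHOBOS, "CommandLine": r'mshta.exe "C:\Users\bob\Desktop\Phobos\info.hta"'},
    # Interactive admin activity: at most one matching command from a console, no chaining.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "wbadmin delete catalog -quiet"},
]

def match_event(event):
    """Return (technique ID, rule name) pairs whose regex matches the event's command line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(event.get("CommandLine", ""))]

def flag_chaining_parents(events, min_techniques=2):
    """Group hits by parent image and flag parents whose children cover at least
    min_techniques distinct technique IDs (the Phobos pattern); a lone admin command stays below."""
    seen = defaultdict(set)
    for ev in events:
        for tid, _ in match_event(ev):
            seen[ev["ParentImage"]].add(tid)
    return {parent: sorted(tids) for parent, tids in seen.items() if len(tids) >= min_techniques}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for tid, name in match_event(ev):
            print(f"{tid:10} {name:42} <- {ev['CommandLine']}")
    print("flagged parents:", flag_chaining_parents(SAMPLE_EVENTS))
```

    With real telemetry, expand environment variables such as %USERPROFILE% before matching, since the logged command line contains the resolved path rather than the variable name.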

    To defend against these procedures, we recommend:

    Conclusion 

    Phobos is a ransomware that goes after small and medium businesses with payouts averaging in the 5 figures. They are not very sophisticated compared to other threats we have covered in #ThreatThursday but do have some unique traits we focus on in this post. We consumed Cyber Threat Intelligence and mapped it to MITRE ATT&CK. We created and shared an adversary emulation plan on our Community Threats GitHub, and we covered how to Attack, Detect, and Respond to Phobos attacks. If you need help running a Purple Team Exercise or want a demo of SCYTHE, let us know.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    Post by Jorge Orchilles
    September 9, 2021