#ThreatThursday - Phobos Ransomware

Welcome to another #ThreatThursday! This time we are looking at the Phobos Ransomware that has been attacking and extorting small and medium businesses for payouts averaging $54,700 according to CoveWare. As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats Github, and we will show how to Attack, Detect, and Respond to Phobos attacks.

Cyber Threat Intelligence

Our Cyber Threat Intelligence for Phobos comes from a company that is familiar with ransomware incident response, BlackBerry. They posted a blog with procedure level data related to the tactics, techniques, and procedures (TTPs) observed during an incident they were working on. We consumed that report and mapped it to MITRE ATT&CK. You can find the MITRE ATT&CK Navigator layer on our Community Threats GitHub.

Below is a table with the mapping:

Description: Phobos is a ransomware-as-a-service that has been active since 2018 targeting small and medium businesses. Phobos is the rebranding of CrySIS and Dharma after their encryption keys were leaked.

Tactics              Techniques
Initial Access       T1566 - Phishing Emails
                     T1078 - Valid Accounts via Remote Desktop Protocol
Execution            T1059.003 - Command and Scripting Interpreter: Windows Command Shell
                     T1047 - Windows Management Instrumentation
Command and Control  T1071 - Application Layer Protocol: HTTPS
                     T1573 - Encrypted Channel: HTTPS
                     T1219 - Remote Access Software
Defense Evasion      T1562.004 - Impair Defenses: Disable or Modify System Firewall
                     T1218.005 - Signed Binary Proxy Execution: Mshta
Persistence          T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Impact               T1486 - Data Encrypted for Impact
                     T1489 - Service Stop
                     T1490 - Inhibit System Recovery
                     T1491.001 - Internal Defacement

Adversary Emulation 

The adversary emulation plan comes in at 37 steps, with some interesting procedures we will discuss in this section. If you want to follow along, download the Phobos plan from our Community Threats GitHub.

Automated Emulation with SCYTHE

SCYTHE users will be able to import and run the threat by following these simple steps:

  1. Download and import the threat in JSON format to your SCYTHE instance 
  2. Download the Virtual File System (VFS) files under the VFS folder
  3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Phobos
  4. Create a new campaign
  5. Import from Existing Threat: Phobos
  6. Launch Campaign
  7. Download the 32-bit EXE payload generated by SCYTHE 
  8. Rename the file to horsemoney.exe
  9. Execute horsemoney.exe with elevated privileges

Manual Execution

If you are not a SCYTHE user, you can manually execute some of the procedures from a command prompt. The Phobos ransomware was designed to run with elevated privileges, and the horsemoney.exe that SCYTHE generates automatically attempts to elevate. If you are doing this manually, you will need to open an elevated command prompt. Here is what an end user would see if Phobos runs with non-admin privileges:

Privilege escalation is done simply by prompting the end user with a UAC dialog. SCYTHE does this through its automation language, first determining whether the process is already running with administrative privileges:

  • Step 3 checks if the process is running with administrative privileges: controller --integrity
  • Step 4 makes a decision: if running elevated, go to step 9
  • Step 5 will load the elevation module: loader --load elevate
  • Step 6 will elevate privileges like Phobos ransomware does: elevate --prompt
  • Step 7 will check if the privilege escalation worked: controller --integrity
  • If it did not, another decision is made: if not running elevated, go to step 20

If running with local administrator privileges, Phobos and the SCYTHE threat attempt to evade defenses through Impair Defenses: Disable or Modify System Firewall (T1562.004) and Inhibit System Recovery (T1490):

  • vssadmin delete shadows /all /quiet
  • netsh advfirewall set currentprofile state off
  • netsh firewall set opmode mode=disable
  • wmic shadowcopy delete
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet

It then tries to persist when running as a local admin or a non-admin user by adding registry keys to execute files it copies to disk:

  • "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\StartUp\horsemoney.exe"
  • "%LocalAppData%\horsemoney.exe"
  • "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\horsemoney.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Windows\CurrentVersion\Run\horsem
  • HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Windows\CurrentVersion\Run\horsemoney

Lastly, it encrypts files with a .HORSEMONEY extension and opens the ransom note with a Signed Binary Proxy Execution: Mshta (T1218.005):

  • mshta.exe "%USERPROFILE%\Desktop\Phobos\info.hta"

Image from coveware.com

Detect & Respond

Instead of repeating the ransomware defenses you can find from the Ransomware Task Force, we want to cover notable items observed in the Phobos ransomware that are not common to other ransomware we track:

  • Assumes execution will be from a user that is local administrator
  • Does not exfiltrate data to perform double extortion - posting leaks to entice the target to pay
  • Uses mshta.exe to open the ransom note - most threat actors use mshta.exe for initial execution/access
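As an added example that is not part of the original post or SCYTHE's tooling, the rules below turn the Phobos procedures quoted above into process-creation detections, including the unusual mshta launch of a local .hta from a user profile path. The sample command lines are constructed to mirror the post's procedures plus two benign look-alikes that must not alert.

```python
import re

# Detection rules for the Phobos procedures quoted in this post, keyed by the
# ATT&CK technique the post maps them to; each is a case-insensitive regex
# applied to the full command line of a process-creation event.
RULES = [
    ("T1490", "shadow copy deletion (vssadmin)",
     r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("T1490", "shadow copy deletion (wmic)",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("T1490", "boot recovery disabled (bcdedit)",
     r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("T1490", "backup catalog deletion (wbadmin)",
     r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("T1562.004", "firewall disabled (netsh)",
     r"\bnetsh(\.exe)?\b.*(state\s+off|opmode\s+mode=disable)"),
    # Phobos uses mshta to display the ransom note: a local .hta under a user
    # profile path, not the remote-script launch most actors use mshta for.
    ("T1218.005", "mshta opening a local .hta from a user profile",
     r"\bmshta(\.exe)?\b.*(\\users\\|%userprofile%).*\.hta\b"),
]
COMPILED = [(tid, name, re.compile(rx, re.IGNORECASE)) for tid, name, rx in RULES]

def detect(command_lines):
    """Return one (index, technique_id, rule_name) tuple per matching event."""
    hits = []
    for idx, cmd in enumerate(command_lines):
        for tid, name, rx in COMPILED:
            if rx.search(cmd):
                hits.append((idx, tid, name))
    return hits

def techniques_seen(command_lines):
    """Distinct technique IDs in a batch; T1490 + T1562.004 + the mshta note launch on one host is the Phobos pattern."""
    return sorted({tid for _, tid, _ in detect(command_lines)})

# Constructed sample command lines (not real telemetry), modelled on the ones
# quoted in the post, with two benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    "vssadmin delete shadows /all /quiet",
    "netsh advfirewall set currentprofile state off",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    'mshta.exe "C:\\Users\\jdoe\\Desktop\\Phobos\\info.hta"',
    "netsh advfirewall show allprofiles",  # benign: read-only query
    "vssadmin list shadows",               # benign: lists, does not delete
]

if __name__ == "__main__":
    for idx, tid, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {name}")
```

Feed it the CommandLine field from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled) to see the same five alerts on real telemetry.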

To defend against these procedures, we recommend:

Conclusion 

Phobos is a ransomware that goes after small and medium businesses with payouts averaging in the 5 figures. They are not very sophisticated compared to other threats we have covered in #ThreatThursday but do have some unique traits we focus on in this post. We consumed Cyber Threat Intelligence and mapped it to MITRE ATT&CK. We created and shared an adversary emulation plan on our Community Threats GitHub, and we covered how to Attack, Detect, and Respond to Phobos attacks. If you need help running a Purple Team Exercise or want a demo of SCYTHE, let us know.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.