Jorge Orchilles
09 Sep 2021
#ThreatThursday - Phobos Ransomware
Welcome to another #ThreatThursday! This time we are looking at the Phobos Ransomware that has been attacking and extorting small and medium businesses for payouts averaging $54,700 according to CoveWare. As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats GitHub, and we will show how to Attack, Detect, and Respond to Phobos attacks.
Cyber Threat Intelligence
Our Cyber Threat Intelligence for Phobos comes from a company that is familiar with ransomware incident response, BlackBerry. They posted a blog with procedure level data related to the tactics, techniques, and procedures (TTPs) observed during an incident they were working on. We consumed that report and mapped it to MITRE ATT&CK. You can find the MITRE ATT&CK Navigator layer on our Community Threats GitHub.
Below is the mapping, one line per ATT&CK tactic with the techniques observed:
Description: Phobos is a ransomware-as-a-service that has been active since 2018 targeting small and medium businesses. Phobos is the rebranding of CrySIS and Dharma after their encryption keys were leaked.
Defense Evasion: T1562.004 - Impair Defenses: Disable or Modify System Firewall; T1218.005 - Signed Binary Proxy Execution: Mshta
Persistence: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Impact: T1486 - Data Encrypted for Impact; T1489 - Service Stop; T1490 - Inhibit System Recovery; T1491.001 - Internal Defacement
Adversary Emulation
The adversary emulation plan comes in at 37 steps with some interesting procedures we will discuss in this section. If you want to follow along, download the Phobos plan from our Community Threats GitHub.
Automated Emulation with SCYTHE
SCYTHE users will be able to import and run the threat by following these simple steps:
Download and import the threat in JSON format to your SCYTHE instance
Download the Virtual File System (VFS) files under the VFS folder
Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Phobos
Create a new campaign
Import from Existing Threat: Phobos
Launch Campaign
Download the 32-bit EXE payload generated by SCYTHE
Rename the file to horsemoney.exe
Execute horsemoney.exe with elevated privileges
Manual Execution
If you are not a SCYTHE user, you can manually execute some of the procedures from a command prompt. The Phobos ransomware was designed to run with elevated privileges. Running the horsemoney.exe that SCYTHE generates will automatically try to elevate privileges. If you are doing this manually, you will need to open an elevated command prompt. Here is what an end user would see if Phobos runs with non-admin privileges:
Privilege escalation is done simply by prompting the end user through UAC. SCYTHE's automation language first checks whether the payload is already running with administrative privileges and only prompts when it is not:
Step 3 checks if the process is running with administrative privileges: controller --integrity
Step 4 makes a decision: if running elevated, go to step 9
Step 5 will load the elevation module: loader --load elevate
Step 6 will elevate privileges like Phobos ransomware does: elevate --prompt
Step 7 will check if the privilege escalation worked: controller --integrity
If it did not, another decision is made: if not running elevated, go to step 20
Instead of repeating the general ransomware defenses you can find from the Ransomware Task Force, we want to cover notable items observed in the Phobos ransomware that are not common in the other ransomware we track:
Assumes execution will be from a user that is local administrator
Does not exfiltrate data to perform double extortion (posting stolen data to pressure the target into paying)
Uses mshta.exe to open the ransom note - most threat actors use mshta.exe for initial execution/access
To defend against these procedures, we recommend:
Do not allow users to use accounts with local administrator privileges for daily tasks. Even administrators should have a daily account and a privileged account.
Block execution of mshta.exe - we rarely see environments that leverage this LOLBAS for real solutions.
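As an added example (not code from the post, and not part of SCYTHE or the Phobos plan), the following Python turns the two recommendations above, plus the Defense Evasion and Persistence techniques from the mapping, into detection logic run over constructed Sysmon-style events. The field names (Image, CommandLine, IntegrityLevel, TargetObject), the netsh command pattern used for T1562.004, and the sample events are assumptions made for the example; the horsemoney.exe file name comes from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed Sysmon-style events used as sample input (not real telemetry).
# Event ID 1 = process creation, Event ID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\horsemoney.exe",
     "CommandLine": "horsemoney.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\bob\info.hta"',
     "ParentImage": r"C:\Users\bob\Downloads\horsemoney.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set currentprofile state off",
     "ParentImage": r"C:\Users\bob\Downloads\horsemoney.exe", "IntegrityLevel": "High"},
    {"EventID": 13, "Image": r"C:\Users\bob\Downloads\horsemoney.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\horsemoney",
     "Details": r"C:\Users\bob\Downloads\horsemoney.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Config\InstallPath",
     "Details": r"C:\Program Files\Vendor"},
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID, or a local label for the least-privilege check
    image: str
    reason: str


# Registry Run / RunOnce keys (T1547.001) and user-profile paths.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_PATH_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def detect(event):
    """Return the findings a single event triggers (possibly none)."""
    findings = []
    image = event.get("Image", "")
    if event["EventID"] == 1:
        name = image.lower().rsplit("\\", 1)[-1]
        cmd = event.get("CommandLine", "").lower()
        if name == "mshta.exe":
            # The post recommends blocking mshta.exe outright; alert if it still runs.
            findings.append(Finding("T1218.005", image, "mshta.exe executed"))
        if name == "netsh.exe" and "firewall" in cmd and "state off" in cmd:
            # Assumed procedure for Disable or Modify System Firewall.
            findings.append(Finding("T1562.004", image, "host firewall turned off via netsh"))
        if event.get("IntegrityLevel") == "High" and USER_PATH_RE.match(image):
            # Phobos assumes a local-admin user: an elevated binary under C:\Users is a signal.
            findings.append(Finding("LOCAL-ADMIN-EXEC", image,
                                    "elevated process started from a user-profile path"))
    elif event["EventID"] == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        findings.append(Finding("T1547.001", image, "Run key written: " + event["TargetObject"]))
    return findings


def triage(events):
    """Run every event through detect() and return the flat list of findings."""
    return [f for e in events for f in detect(e)]


def technique_counts(events):
    """Count findings per technique label; useful as a one-line dashboard summary."""
    return Counter(f.technique for f in triage(events))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:16} {f.image}\n    {f.reason}")
```

The LOCAL-ADMIN-EXEC rule is deliberately noisy on hosts where users run as local administrators; its hit rate is a direct measure of how far the first recommendation above has been applied.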
Conclusion
Phobos is a ransomware that goes after small and medium businesses with payouts averaging in the 5 figures. They are not very sophisticated compared to other threats we have covered in #ThreatThursday but do have some unique traits we focus on in this post. We consumed Cyber Threat Intelligence and mapped it to MITRE ATT&CK. We created and shared an adversary emulation plan on our Community Threats GitHub, and we covered how to Attack, Detect, and Respond to Phobos attacks. If you need help running a Purple Team Exercise or want a demo of SCYTHE, let us know.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.