Organizations across the U.S. have been warned by the FBI, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center about intrusions involving several Phobos ransomware variants, dubbed Faust, Backmydata, Elking, Eight, and Devos, directed against healthcare, education, government, and critical infrastructure entities, according to Security Affairs.
Threat actors have leveraged vulnerable remote desktop protocol ports and phishing campaigns to gain initial network access and deploy remote access tools, the agencies noted in a joint cybersecurity advisory. "After SmokeLoader's hidden payload is downloaded onto the victim's system, threat actors use the malware's functionality to download the Phobos payload and exfiltrate data from the compromised system," said the agencies. The advisory also noted that the attackers used numerous tools to evade network defenses, maintain persistence, and exfiltrate data. The Phobos ransomware-as-a-service operation has also targeted data backups, the advisory added.