
The Federal Government has issued an urgent warning following a series of Phobos ransomware attacks targeting cloud service providers in Nigeria.
The Nigeria Computer Emergency Response Team (ngCERT), which warned of a sharp increase in Phobos ransomware activity, says the attacks pose a significant threat to various sectors including government agencies, financial institutions, telecoms, education, healthcare, service providers and NGOs.
The Federal internet security unit, which did not reveal the identity of the affected organisations, says it is working with vulnerable and affected entities to resolve incidents and prevent further escalation.
What is Phobos ransomware?
According to ngCERT, the Phobos ransomware group employs sophisticated tactics to breach networks. These tactics include leveraging phishing campaigns to deliver concealed payloads and exploiting vulnerabilities in Remote Desktop Protocol (RDP) ports using tools like Angry IP Scanner.
Once inside a network, attackers escalate privileges using tools such as Isaas.exe and cmd.exe, enabling them to deploy Phobos ransomware with elevated permissions. To avoid detection, Phobos modifies firewall configurations, uses evasion tools like Universal Virus Sniffer and Process Hacker, and employs techniques such as token theft and privilege escalation through Windows API functions, according to ngCERT.
ngCERT underscores that the consequences of a successful attack are severe, potentially leading to system compromise, data encryption or exfiltration, financial losses, denial of service, and fraudulent activities using compromised systems.
Phobos ransomware: What are the indicators of compromise (IoCs)?
1. Email: finamtox@zohomail.eu
2. Ransomware Group: Phobos Ransomware Group (Potentially)
3. File Extension: .xshell
4. File Format: filename.id/xxxxxxxxx).email.xshell
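As an added example (not from the ngCERT advisory or this article), the following Python check flags filenames that carry the reported naming scheme together with the reported extension or contact address, so a file-share audit can be triaged offline. The delimiter characters around the id and email fields are an assumption: the pattern accepts square brackets, the `/` and `)` characters as printed above, or no delimiters at all.

```python
import re
from typing import List, NamedTuple, Optional

# IoCs as reported above. The delimiters around the id and email fields are an
# assumption: the pattern accepts [..], the /..) form printed in the advisory,
# or none at all.
PHOBOS_EMAIL = "finamtox@zohomail.eu"
PHOBOS_EXTENSION = "xshell"

# <original name>.id<victim id>.<contact email>.<extension>
_PATTERN = re.compile(
    r"^(?P<orig>.+?)\.id"
    r"[\[(/]?(?P<victim>[0-9A-Za-z-]+)[\])]?"
    r"\.\[?(?P<email>[^\[\]\s]+@[^\[\]\s]+?)\]?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

class PhobosMatch(NamedTuple):
    original_name: str
    victim_id: str
    email: str
    extension: str

def parse_phobos_name(filename: str) -> Optional[PhobosMatch]:
    """Split a Phobos-style renamed file into its fields, or return None."""
    m = _PATTERN.match(filename)
    return PhobosMatch(m["orig"], m["victim"], m["email"], m["ext"]) if m else None

def is_phobos_ioc(filename: str) -> bool:
    """True only when the name carries the reported extension or contact
    address; the rename pattern by itself is shared by other Phobos variants."""
    match = parse_phobos_name(filename)
    if match is None:
        return False
    return (match.extension.lower() == PHOBOS_EXTENSION
            or match.email.lower() == PHOBOS_EMAIL)

def triage(filenames: List[str]) -> List[PhobosMatch]:
    """Parsed matches for every IoC hit in a file listing (e.g. a share audit)."""
    return [parse_phobos_name(n) for n in filenames if is_phobos_ioc(n)]
# Constructed sample listing: two hits, one other-variant rename, one clean file.
SAMPLE_LISTING = [
    "budget.xlsx",
    "budget.xlsx.id[AB12CD34-1234].[finamtox@zohomail.eu].xshell",
    "report.docx.id/AB12CD34).finamtox@zohomail.eu.xshell",
    "notes.txt.id[FF00FF00-9999].[other@example.com].eight",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(f"{hit.original_name}: victim {hit.victim_id}, contact {hit.email}")
```

A rename that matches the pattern but uses another extension and contact address is parsed yet not reported, which keeps the check tied to the indicators published here rather than to Phobos renames in general.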
Phobos ransomware: Recommended mitigation strategies
To counter this growing threat, ngCERT recommends several mitigation strategies for organizations:
1. Secure RDP Ports: Prevent abuse of RDP tools by securing and monitoring RDP ports.
2. Remediate Vulnerabilities: Prioritise fixing known exploited vulnerabilities.
3. Implement Endpoint Detection Solutions: Disrupt threat actor memory allocation techniques.
4. Disable Command-Line and Scripting Permissions: Restrict unnecessary command-line activities.
5. Segment Networks: Prevent ransomware spread by controlling traffic flows and restricting lateral movement.
6. Review and Audit Accounts: Check domain controllers, servers, workstations, and active directories for new or unrecognised accounts.
7. Access Controls: Configure user accounts with administrative privileges according to the principle of least privilege and implement time-based access for high-level accounts.
8. Recovery Plan: Maintain and retain multiple copies of sensitive data in secure, physically separate locations.
9. Antivirus Software: Regularly update and enable real-time detection on all hosts.
10. Disable Unused Ports and Protocols: Reduce potential entry points for attackers.
11. Email Security: Add banners to emails from outside the organization and disable hyperlinks in received emails.
12. Backup Data: Ensure backup data is encrypted, immutable, and regularly maintained with offline backups.
ngCERT urges organisations, particularly those in critical sectors, to proactively implement these mitigation strategies. The tech security agency says it is collaborating with vulnerable and affected entities to resolve incidents and prevent further escalation. By adopting these measures, organisations can significantly reduce their exposure to ransomware threats and protect their operations and data.