BlackBerry Prevents: Phobos Ransomware

RESEARCH & INTELLIGENCE / 09.02.21 / The BlackBerry Research and Intelligence Team

Phobos is an older ransomware family that targets small to medium organizations in a wide range of industries, including healthcare. Attackers usually demand much lower ransom amounts than other ransomware families, which may appear more affordable to victims and increase the likelihood of payment. Ransomware incident response company Coveware reports that the average Phobos payment amount in July 2021 was approximately $54,700.

Phobos attacks have two main infection vectors: email phishing campaigns with malicious attachments, or gaining access to the system over Remote Desktop Protocol (RDP). Attackers obtain RDP credentials by a variety of different methods. They can conduct brute force attacks, leverage stolen credentials purchased from darknet marketplaces, or they can identify open, poorly configured, or vulnerable connections that can be exploited. After gaining a foothold in the environment, the threat actor will attempt to move laterally via RDP.

Phobos actors are known to prefer targeting servers rather than end user computers when deploying their ransomware attack.

DEMO VIDEO: BlackBerry vs. Phobos Ransomware

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.

BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by threat actors such as those behind Phobos ransomware:

BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
BlackBerry® Optics extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.
- BlackBerry recommends activating the following BlackBerry Optics rules to provide additional telemetry from a Phobos ransomware attack:
  - Win Netsh Usage MITRE T1059
  - Win Netsh Firewall Manipulation MITRE T1562
  - Win Netsh DLL Persistence MITRE T1546
  - Win Inhibit System Recovery MITRE T1490
  - Win FileExtensions LocalSystemCollection NonSYS MITRE T1005
  - Win FileExtensions LocalSystemCollection MITRE T1005
  - Win FileCreate Startup Folder MITRE T1547
  - Win BootRecoveryMeasure Deletion MITRE T1107
  - Win Boot Persist Mitre T1547
  - Shadow File Deletion (MITRE)
The BlackBerry Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment.
BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication.
BlackBerry Guard customers are proactively protected from Phobos malware attacks. Our 24/7 MDR solution customers receive:
- Alerts monitored in real-time
- Corrective policies applied while discovering gaps in policy implementation
- Prioritized threat hunting
- The latest threat intelligence for fast-moving threats

Prevention First

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure your business, people, and endpoints are secure.

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

Learn more about Phobos ransomware in our new Threat Thursday blog, Who's Afraid of Phobos Ransomware?

Demo Video Transcription:

"In this video, we will be detonating Phobos, a well-known ransomware family named after the Greek god of fear. This ransomware utilizes the same infection vectors as many others such as RDP, stolen credentials, or the traditional phishing email, primarily affecting businesses of all sizes.

We have obtained a fresh sample from August 31^st and configured this machine in audit-only mode to allow the file to run. Upon execution, Phobos disables the host firewall and copies itself to two other locations on the hard drive, finally presenting the ransom note to the victim with information on what has happened and next steps for them to take.

If we go into BlackBerry Optics, our AI-based Endpoint Detection and Response (EDR) solution, we can see all the different actions taken by this malware, such as the use of Netsh to disable the firewall, and multiple ways to delete the shadow copy via WMIC, VSSadmin, and WBadmin to make sure operating system recovery is not as simple as performing a quick restore.

Phobos also comes with password-stealing functionality that tries to dump credentials from browsers and multiple commonly used applications.

Making an inspection, if we go into root-cause analysis, we can also see that Phobos creates persistence points by modifying entries in the registry.

Administrators can configure automated response within our Context-Analysis Engine (CAE) to proactively respond to each one of these tactics, techniques, and procedures (TTPs) and stop this threat in the earliest stage possible. But nothing beats the BlackBerry Temporal Predictive Advantage, which allows us to prevent these threats from executing in a matter of milliseconds, with no reliance on cloud connectivity or frequent virus-signature updates.

Let's travel back in time to 2015 (using a Cylance mathematical model not updated since 2015) and test this sample, along with an additional 85 samples of Phobos, to see what could have happened. We will execute a loop to go ahead and try to execute each file inside this folder.

As you can see, our Cylance® AI models that power BlackBerry Protect could have prevented all these variants many years before they ever existed.

Prevention is Possible, with BlackBerry."

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.

Back