TLDR:
- CISA has issued a warning about the Phobos ransomware targeting state and local government organizations.
- The ransomware-as-a-service provider has been increasing attacks on municipal and county governments, healthcare systems, and other critical infrastructure since 2019.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning state and local government organizations about the threat of Phobos ransomware. Phobos, a ransomware-as-a-service provider, has been targeting IT systems of various public sector entities, including municipal and county governments, emergency services, education institutions, and healthcare systems. Ransomware-as-a-service allows individuals with minimal technical expertise to launch ransomware attacks using pre-developed tools.
Since 2019, the frequency of ransomware-as-a-service cyberattacks across the public sector has been increasing. Phobos ransomware, while considered “pretty standard” in its operations, has successfully extracted several million U.S. dollars in ransom payments from victims. According to a 2021 report by the U.S. Department of Health & Human Services, the average ransomware payment in Phobos incidents is around $38,100.
The CISA advisory highlights that Phobos ransomware primarily gains initial access through phishing and through direct connections over the Remote Desktop Protocol (RDP). Phishing campaigns, like those used by Phobos, are effective because they exploit human weaknesses. To counter these tactics, experts suggest using generative artificial intelligence on both the offensive and defensive sides of cybersecurity.
Once Phobos gains access to a system, it installs itself in key locations and targets user files and network shares for encryption. Victims are then told to pay a ransom in exchange for a decryption key, since no Phobos decryptor is publicly available. To prevent ransomware attacks, CISA recommends securing RDP, using strong passwords and account lockout policies, implementing multi-factor authentication, using virtual private networks, and regularly updating software.