Day 9: Phobos Ransomware

Common Attack Vectors

  • Phishing Emails
  • Remote Desktop Protocol (RDP)

Vulnerabilities Exploited

  • Patch exploits
  • Software Vulnerabilities
  • Stolen RDP Credentials
  • Unsecured RDP ports

Industries Targeted Frequently

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Enterprises

Threat actors target enterprises to steal sensitive data, encrypt network files, and demand ransoms.

Recent Activity

Phobos ransomware group teamed up with an Initial Access Broker (IAB) threat actor known as Zebra2014, which helped the group break into the networks of multiple firms in Australia and Turkey.

Phobos ransomware group developed the “Fair” variant to bypass detection technologies through several approaches.

The EKING variant of Phobos ransomware infected Microsoft Windows systems using a Microsoft Word document with a malicious macro designed to spread the variant.

Common File Extensions

.Phobos

Known Aliases

  • Dharma (uses the exact same ransom note as Phobos)
  • CrySis

How Phobos Ransomware is Distributed

Phobos ransomware targets Remote Desktop Protocol (RDP) on port 3389, a legitimate protocol that system administrators use to access servers remotely. The problem is that internet-facing servers, including cloud servers and demilitarized zone (DMZ) infrastructure, are often not secured. Cloud service providers can expose RDP to any public IP address on the internet, allowing anyone who knows the username and password to log in to a public computer. Issues arise when system administrators or users choose weak, guessable passwords that are easily cracked and vulnerable to brute-force attacks.

Threat actors locate exposed RDP server ports by querying extensive IP ranges with botnets configured to search for systems with port 3389 open; once a port is identified, the botnet brute-forces the RDP session by guessing the password. The threat actors then access the servers using the weak or illegally obtained login information. Once they have access to the compromised servers, they copy and execute the ransomware payload with administrator privileges, and download and run hacking tools to disable, terminate, and unregister antivirus programs.

According to SpearTip’s investigation, two variants of Phobos, EKING and Makop, are used to infect the victim’s systems through a Microsoft Word document with a malicious macro, encrypt the files, and demand a ransom to decrypt them.
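As an added example that is not part of SpearTip’s page, the following Python detection logic flags the password-guessing phase described above by counting failed RDP logons (Windows Security event 4625 with logon type 10) per source address inside a sliding window, and marks the alert as higher severity when a successful RDP logon from the same source follows the burst. The log records are constructed samples, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry):
# (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-01-15T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-15T02:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2024-01-15T02:00:09", 4625, 10, "203.0.113.7", "backup"),
    ("2024-01-15T02:00:12", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-15T02:00:15", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-15T02:00:21", 4624, 10, "203.0.113.7", "administrator"),  # guess worked
    ("2024-01-15T02:10:00", 4625, 10, "198.51.100.4", "jsmith"),        # single typo
    ("2024-01-15T02:10:30", 4624, 10, "198.51.100.4", "jsmith"),
    ("2024-01-15T03:00:00", 4625, 3, "192.0.2.9", "svc"),               # network logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {...}} for every source with at least `threshold`
    failed RDP logons inside any sliding `window`. `success_after` is True when
    a successful RDP logon from the same source follows its last failure,
    which is the "guessed password worked" signal that warrants urgent triage."""
    failed, succeeded = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failed[src].append((t, account))
        elif event_id == 4624:
            succeeded[src].append(t)

    alerts = {}
    for src, attempts in failed.items():
        attempts.sort()
        start, peak = 0, 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = attempts[-1][0]
            alerts[src] = {
                "failures": len(attempts),
                "accounts": sorted({acct for _, acct in attempts}),
                "success_after": any(t > last_failure for t in succeeded[src]),
            }
    return alerts
```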

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.