Microsoft® Windows OS
Advisory ID:
July 8, 2024


ngCERT has detected an increase in ransomware attacks by the Phobos ransomware group, specifically targeting critical cloud service providers within our national cyberspace. We are actively collaborating with vulnerable and affected organizations to swiftly resolve these incidents and prevent further escalation. The most at-risk entities include providers of information technology and telecommunication services, such as managed cloud services, whose clients include critical government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs in Nigeria. It is essential for organizations to proactively implement the mitigation strategies outlined in this document to help prevent the spread of the malware.

Description & Consequence

Phobos attackers commonly gain entry into vulnerable networks through phishing campaigns that deliver hidden payloads, or by using IP scanning tools such as Angry IP Scanner to identify exposed Remote Desktop Protocol (RDP) ports in Microsoft Windows environments. Upon discovering an exposed RDP service, they use open-source brute-force tools to gain access. Alternatively, they deploy spoofed email attachments carrying hidden payloads such as SmokeLoader to initiate the infection.

To execute and escalate privileges, Phobos actors run commands such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges. They rely on the Windows command shell for system control and use SmokeLoader in a three-phase process for payload decryption and deployment, taking evasive action against network defenses along the way. To further evade detection, Phobos ransomware modifies firewall configurations, uses tools such as Universal Virus Sniffer and Process Hacker, and employs techniques such as token theft and privilege escalation through Windows API functions.

For discovery and collection, Phobos actors use BloodHound and SharpHound for Active Directory enumeration, Mimikatz for credential extraction, and WinSCP for file exfiltration. They target legal, financial, technical, and database files, which are archived and later exported. After exfiltrating data, Phobos ransomware targets backups by deleting volume shadow copies and then encrypts the drives connected to the target system. It drops unique ransom notes and communicates with victims via email, voice calls, and instant messaging platforms, often using onion sites for data hosting and communication.

Indicators of compromise from this attack:

  • Email:
  • Ransomware Group: Phobos Ransomware Group (potentially)
  • Extension: .xshell
  • File format: [xxxxxx-xxxx].email.xshell

A successful attack could result in the following:

  1. System Compromise.
  2. Ransom payment.
  3. Data encryption or system lockout.
  4. Data loss and exfiltration.
  5. Financial losses.
  6. Denial of Service (DoS).
  7. Fraudulent activity using compromised systems.


It is therefore recommended that relevant organizations:

  1. Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools.
  2. Prioritize remediating known exploited vulnerabilities.
  3. Implement EDR solutions to disrupt threat actor memory allocation techniques.
  4. Disable command-line and scripting activities and permissions.
  5. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  6. Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
  7. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  8. Implement time-based access for accounts at the admin level and higher.
  9. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
  10. Install, regularly update, and enable real time detection for antivirus software on all hosts.
  11. Disable unused ports and protocols.
  12. Consider adding an email banner to emails received from outside your organization.
  13. Disable hyperlinks in received emails.
  14. Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  15. Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices.
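The following read-only audit script is an added example, not part of the ngCERT advisory; it checks a single Windows host against recommendations 1, 6 and 7 above (RDP exposure, recently created accounts, and local administrative membership). It assumes Windows 10 / Windows Server 2016 or later and an elevated PowerShell session; the 30-day lookback window is an assumed value.

```powershell
# Added example (not from the advisory): read-only host audit for
# recommendations 1, 6 and 7. Run elevated; nothing is changed.

# --- 1. RDP exposure: is RDP enabled, is NLA enforced, which inbound rules allow it?
$rdpPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $rdpPath).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty -Path "$rdpPath\WinStations\RDP-Tcp").UserAuthentication -eq 1
$rdpRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile, Action

Write-Host "RDP enabled  : $rdpEnabled"
Write-Host "NLA required : $nla"
if ($rdpEnabled -and -not $nla) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($rdpRules | Where-Object { $_.Profile -match 'Public|Any' }) {
    Write-Warning 'Inbound RDP is allowed on the Public profile; restrict it to trusted addresses or a VPN.'
}

# --- 6. Unrecognised accounts: Security event 4720 ("A user account was created")
# in the last 30 days (assumed window). Property indices follow the 4720 schema:
# [0] TargetUserName, [4] SubjectUserName.
$since   = (Get-Date).AddDays(-30)
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
               -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Account   = $_.Properties[0].Value
            CreatedBy = $_.Properties[4].Value
        }
    }
Write-Host "`nAccounts created since $($since.ToShortDateString()):"
$created | Format-Table -AutoSize

# --- 7. Administrative privilege: current members of the local Administrators group
Write-Host "`nMembers of local Administrators:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Review any account in the 4720 output that no change record explains, and any Administrators member that is not a named, approved administrator, against the principle of least privilege in recommendation 7.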


