Phobos Ransomware Targeting U.S. Government and Critical Infrastructure

In a recent advisory, U.S. cybersecurity and intelligence agencies have issued warnings regarding the escalating threat by Phobos ransomware targeting government and critical infrastructure entities. The advisory, jointly released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), outlines the sophisticated tactics and techniques employed by threat actors to deploy this file-encrypting malware.


Phobos ransomware operates under a ransomware-as-a-service (RaaS) model, targeting entities, including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure. Since its emergence in May 2019, Phobos has evolved into multiple variants, such as Eking, Eight, Elbie, Devos, Faust, and Backmydata, each posing significant financial risks to victims.

Modus Operandi

The attack chain typically begins with phishing emails or exploiting vulnerabilities in Remote Desktop Protocol (RDP) services to gain initial access. Once inside the network, threat actors deploy stealthy payloads like SmokeLoader and employ process injection techniques to execute malicious code while evading detection. Phobos actors have also demonstrated a penchant for leveraging built-in Windows API functions to escalate privileges and authenticate using cached password hashes.

Advanced Techniques

Evidence suggests that Phobos ransomware is centrally managed, with a controlling authority retaining the private decryption key. The threat actors behind Phobos have been observed using open-source tools like Bloodhound and Sharphound to enumerate active directories while utilizing WinSCP and for file exfiltration. Moreover, the attackers deploy tactics to delete volume shadow copies, making data recovery more challenging for victims.

Recent Incidents

In a separate incident, Bitdefender reported a coordinated ransomware attack attributed to a group known as CACTUS. This attack, characterized by its synchronized and multifaceted nature, targeted two independent companies simultaneously. Notably, CACTUS actors expanded their focus to exploit vulnerabilities in virtualization infrastructure, underscoring the evolving tactics of ransomware groups.

Implications and Recommendations

Ransomware remains a lucrative venture for threat actors, with demands reaching a median of $600,000 in 2023. However, paying the ransom does not guarantee data recovery or protection against future attacks. Organizations are urged to enhance their cybersecurity posture by implementing robust defense mechanisms, conducting regular security assessments, and prioritizing employee awareness training.

Protect your data with PC Matic Pro. PC Matic Application Allowlisting prevents cybercriminals from running malware or ransomware, like Phobos and CACTUS, on your network and endpoints to disrupt operations, steal sensitive data, encrypt files, or hold critical digital assets for ransom.


The proliferation of ransomware, exemplified by threats like Phobos and CACTUS, underscores the critical need for proactive cybersecurity measures. By staying informed about emerging threats, adopting best practices, and fostering collaboration with cybersecurity experts, organizations can mitigate the risks posed by ransomware attacks and safeguard their digital assets.

Read more about Phobos ransomware here.

PC Matic delivers complete home and business cybersecurity protection against ransomware, malware, identity theft, online tracking, data breaches, and more. For over 20 years, PC Matic’s award-winning cyber protection has saved millions of satisfied customers from becoming the next cybercrime victim and is exclusively made in the USA.
Learn more about PC Matic today!
[email protected]

Stop Responding to Threats.
Prevent Them.

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles