The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquity are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, Fortigate, Sonicwall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers.
Free data transfer out to internet when moving out of AWS
You told us one of the primary reasons to adopt Amazon Web Services (AWS) is the broad choice of services we offer, enabling you to innovate, build, deploy, and monitor your workloads. AWS has continuously expanded its services to support virtually any cloud workload. It now offers over 200 fully featured services for compute, storage, databases, networking, analytics, machine learning (ML) and artificial intelligence (AI), and many more. For example, Amazon Elastic Compute Cloud (Amazon EC2) offers over 750 generally available instances—more than any other major cloud provider—and you can choose from numerous relational, analytics, key-value, document, or graph databases.
We believe this choice must include the one to migrate your data to another cloud provider or on-premises. That’s why, starting today, we’re waiving data transfer out to the internet (DTO) charges when you want to move outside of AWS.
Over 90 percent of our customers already incur no data transfer expenses out of AWS because we provide 100 gigabytes per month free from AWS Regions to the internet. This includes traffic from Amazon EC2, Amazon Simple Storage Service (Amazon S3), Application Load Balancer, among others. In addition, we offer one terabyte of free data transfer out of Amazon CloudFront every month.
If you need more than 100 gigabytes of data transfer out per month while transitioning, you can contact AWS Support to ask for free DTO rates for the additional data. It’s necessary to go through support because you make hundreds of millions of data transfers each day, and we generally do not know if the data transferred out to the internet is a normal part of your business or a one-time transfer as part of a switch to another cloud provider or on premises.
We will review requests at the AWS account level. Once approved, we will provide credits for the data being migrated. We don’t require you to close your account or change your relationship with AWS in any way. You’re welcome to come back at any time. We will, of course, apply additional scrutiny if the same AWS account applies multiple times for free DTO.
We believe in customer choice, including the choice to move your data out of AWS. The waiver on data transfer out to the internet charges also follows the direction set by the European Data Act and is available to all AWS customers around the world and from any AWS Region.
Freedom of choice is not limited to data transfer rates. AWS also supports Fair Software Licensing Principles, which make it easy to use software with other IT providers of your choice. You can read this blog post for more details.
You can check the FAQ for more information, or you can contact AWS Customer Support to request credits for DTO while switching.
But I sincerely hope you will not.
Anthropic’s Claude 3 Sonnet foundation model is now available in Amazon Bedrock
In September 2023, we announced a strategic collaboration with Anthropic that brought together their respective technology and expertise in safer generative artificial intelligence (AI), to accelerate the development of Anthropic’s Claude foundation models (FMs) and make them widely accessible to AWS customers. You can get early access to unique features of Anthropic’s Claude model in Amazon Bedrock to reimagine user experiences, reinvent your businesses, and accelerate your generative AI journeys.
In November 2023, Amazon Bedrock provided access to Anthropic’s Claude 2.1, which delivers key capabilities to build generative AI for enterprises. Claude 2.1 includes a 200,000 token context window, reduced rates of hallucination, improved accuracy over long documents, system prompts, and a beta tool use feature for function calling and workflow orchestration.
Today, Anthropic announced Claude 3, a new family of state-of-the-art AI models that allows customers to choose the exact combination of intelligence, speed, and cost that suits their business needs. The three models in the family are Claude 3 Haiku, the fastest and most compact model for near-instant responsiveness, Claude 3 Sonnet, the ideal balanced model between skills and speed, and Claude 3 Opus, a most intelligent offering for the top-level performance on highly complex tasks.
We’re also announcing the availability of Anthropic’s Claude 3 Sonnet today in Amazon Bedrock, with Claude 3 Opus and Claude 3 Haiku coming soon. For the vast majority of workloads, Claude 3 Sonnet model is two times faster than Claude 2 and Claude 2.1, with increased steerability, and new image-to-text vision capabilities.
With Claude 3 Sonnet’s availability in Amazon Bedrock, you can build cost-effective generative AI applications for enterprises that need intelligence, reliability, and speed. You can now use Anthropic’s latest model, Claude 3 Sonnet, in the Amazon Bedrock console.
Introduction of Anthropic’s Claude 3 Sonnet
Here are some key highlights about the new Claude 3 Sonnet model in Amazon Bedrock:
2x faster speed – Claude 3 has made significant gains in speed. For the vast majority of workloads, it is two times faster with the same level of intelligence as Anthropic’s most performant models, Claude 2 and Claude 2.1. This combination of speed and skill makes Claude 3 Sonnet the clear choice for tasks that require intelligent tasks demanding rapid responses, like knowledge retrieval or sales automation. This includes use cases like content generation, classification, data extraction, and research and retrieval or accurate searching over knowledge bases.
Increased steerability – Increased steerability of AI systems gives users more control over outputs and delivers predictable, higher-quality outcomes. It is significantly less likely to refuse to answer questions that border on the system’s guardrails to prevent harmful outputs. Claude 3 Sonnet is easier to steer and better at following directions in popular structured output formats like JSON—making it simpler for developers to build enterprise and frontier applications. This is particularly important in enterprise use cases such as autonomous vehicles, health and medical diagnoses, and algorithmic decision-making in sensitive domains such as financial services.
Image-to-text vision capabilities – Claude 3 offers vision capabilities that can process images and return text outputs. It is extremely capable at analyzing and understanding charts, graphs, technical diagrams, reports, and other visual assets. Claude 3 Sonnet achieves comparable performance to other best-in-class models with image processing capabilities, while maintaining a significant speed advantage.
Expanded language support – Claude 3 has improved understanding and responding in languages other than English, such as French, Japanese, and Spanish. This expanded language coverage allows Claude 3 Sonnet to better serve multinational corporations requiring AI services across different geographies and languages, as well as businesses requiring nuanced translation services. Claude 3 Sonnet is also stronger at coding and mathematics, as evidenced by Anthropic’s scores in evaluations such as grade-school math problems (GSM8K and Hendrycks) and Codex (HumanEval).
To learn more about Claude 3 Sonnet’s features and capabilities, visit Anthropic’s Claude on Amazon Bedrock and Anthropic Claude model in the AWS documentation.
Get started with Anthropic’s Claude 3 Sonnet in Amazon Bedrock
If you are new to using Anthropic models, go to the Amazon Bedrock console and choose Model access on the bottom left pane. Request access separately for Claude 3 Sonnet.
To test Claude 3 Sonnet in the console, choose Text or Chat under Playgrounds in the left menu pane. Then choose Select model and select Anthropic as the category and Claude 3 Sonnet as the model.
To test more Claude prompt examples, choose Load examples. You can view and run Claude 3 specific examples, such as advanced Q&A with citations, crafting a design brief, and non-English content generation.
By choosing View API request, you can also access the model via code examples in the AWS Command Line Interface (AWS CLI) and AWS SDKs. Here is a sample of the AWS CLI command:
aws bedrock-runtime invoke-model
--model-id anthropic.claude-3-sonnet-v1:0
--body "{"prompt":"Write the test case for uploading the image to Amazon S3 bucketnHere are some test cases for uploading an image to an Amazon S3 bucket:nn1. **Successful Upload Test Case**:n - Test Data:n - Valid image file (e.g., .jpg, .png, .gif)n - Correct S3 bucket namen - Correct AWS credentials (access key and secret access key)n - Steps:n 1. Initialize the AWS S3 client with the correct credentials.n 2. Open the image file.n 3. Upload the image file to the specified S3 bucket.n 4. Verify that the upload was successful.n - Expected Result: The image should be successfully uploaded to the S3 bucket.nn2. **Invalid File Type Test Case**:n - Test Data:n - Invalid file type (e.g., .txt, .pdf, .docx)n - Correct S3 bucket namen - Correct AWS credentialsn - Steps:n 1. Initialize the AWS S3 client with the correct credentials.n 2. Open the invalid file type.n 3. Attempt to upload the file to the specified S3 bucket.n 4. Verify that an appropriate error or exception is raised.n - Expected Result: The upload should fail with an error or exception indicating an invalid file type.nnThese test cases cover various scenarios, including successful uploads, invalid file types, invalid bucket names, invalid AWS credentials, large file uploads, and concurrent uploads. By executing these test cases, you can ensure the reliability and robustness of your image upload functionality to Amazon S3.","max_tokens_to_sample":2000,"temperature":1,"top_k":250,"top_p":0.999,"stop_sequences":["nnHuman:"],"anthropic_version":"bedrock-2023-05-31"}"
--cli-binary-format raw-in-base64-out
--region us-east-1
invoke-model-output.txt
Upload your image if you want to test image-to-text vision capabilities. I uploaded the featured image of this blog post and received a detailed description of this image.
You can process images via API and return text outputs in English and multiple other languages.
{
"modelId": "anthropic.claude-3-sonnet-v1:0",
"contentType": "application/json",
"accept": "application/json",
"body": {
"anthropic_version": "bedrock-2023-05-31",
"max_tokens": 1000,
"system": "Please respond only in Spanish.",
"messages": {
"role": "user",
"content": [
{
"type": "image",
"source": {
"type": "base64",
"media_type": "image/jpeg",
"data": "iVBORw..."
}
},
{
"type": "text",
"text": "What's in this image?"
}
]
}
}
}
To celebrate this launch, Neerav Kingsland, Head of Global Accounts at Anthropic, talks about the power of the Anthropic and AWS partnership.
“Anthropic at its core is a research company that is trying to create the safest large language models in the world, and through Amazon Bedrock we have a change to take that technology, distribute it to users globally, and do this in an extremely safe and data-secure manner.”
Now available
Claude 3 Sonnet is available today in the US East (N. Virginia) and US West (Oregon) Regions; check the full Region list for future updates. The availability of Anthropic’s Claude 3 Opus and Haiku in Amazon Bedrock also will be coming soon.
You will be charged for model inference and customization with the On-Demand and Batch mode, which allows you to use FMs on a pay-as-you-go basis without having to make any time-based term commitments. With the Provisioned Throughput mode, you can purchase model units for a specific base or custom model. To learn more, see Amazon Bedrock Pricing.
Give Anthropic’s Claude 3 Sonnet a try in the Amazon Bedrock console today and send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.
— Channy
Capturing DShield Packets with a LAN Tap [Guest Diary], (Sun, Mar 3rd)
[This is a Guest Diary by Christopher Von Reybyton, an ISC intern as part of the SANS.edu BACS program]
Introduction
During my internship with the Internet Storm Center I ran into an issue of wanting more information than the default logs would give me. I recalled one of the instructors saying "If we don’t have packets it didn’t happen". This inspired me to try to capture the packets hitting my honeypot. Initially I looked for ways to add logging capabilities to the DShield Honeypot [1]. I found very little information and the information I found I wasn’t able to get to work. Then I remembered that I owned a Great Scott Gadgets Throwing Star LAN Tap [2]. The Throwing Star LAN Tap is a passive Ethernet tap set between my router and the honeypot where I capture .pcap files with Wireshark.
Throwing Star LAN Tap
The Throwing Star LAN Tap can be purchased from greatscottgadgets.com and amazon.com. It has two pass-through ethernet adapters labeled J1 and J2. This allows the LAN Tap to sit between the router and an end device. There are two other ethernet adapters labeled J3 and J4. These adapters have capacitors connected to them and any packets are output to these monitoring ports. By connecting a device to these monitoring ports we are able to capture packets with apps such as Wireshark or tcpdump.
The following image is how the LAN Tap arrives unassembled.
Next is how the LAN Tap looks when assembled. Notice the placement of the capacitors.
Here is an image of the back of the LAN Tap after soldering.
Lastly here is a graphic showing the direction the packets travel to the monitoring ports.
Analysis
An example of how the packet information from Wireshark helps in attack observations can be found in the following screenshots.
First is output from the honeypot using the command "cat webhoneypot-2024-01-25.json | jq 'select(.sip == "80.94.95.226")'". This image shows output with a timestamp of 23:43:18. The attacker is trying to POST information to "/cgi-bin/luci"
The next screenshot shows the output from Wireshark using the filter "http.request.method == "GET" || http.request.method == "POST". At No. 5181 and timestamp 23:43:17 we see the POST request from IP 80.94.95.226
If we then follow the HTTP Stream of this conversation, we end up with the next screenshot. If you look at the end of the output, you will see the username and password used by the threat actor. This is information that is absent in the DShield logs and gives added insight into the attackers’ behavior.
Identified problems
The main problem I ran into was that my Throwing Star LAN Tap was a kit. I had to solder the Ethernet connectors and diodes to the circuit board. As I don’t have a lot of experience with this it took some trial and error to make sure the connections were soldered on correctly. My first attempt after soldering seemed to have worked as I was able to receive packets for many hours. The next day that I connected I only captured packets that came from the honeypot. I had to disconnect the LAN Tap and go over the connections again to make sure the soldering was correct. The third attempt resulted in capturing full packets.
It should be noted that the reason I only captured packets coming from the honeypot on the second day is that since the Dshield honeypot resets every day the LAN Tap needs to be re-connected everyday as well. And that the monitoring ports only monitor traffic in one direction.
Why It Matters
Packets are how everything is communicated through networks. It doesn’t matter what protocol is used or where the device is located. And while collecting logs is important, being able to see the history of the logs communication in the form of packets is the basis for good information security. Information that may be passed in clear text in the packets may not be picked up by DSHield logs.
Benefits
The main benefit of capturing packets is that you have visibility into the communication going to and from the DShield honeypot. It’s nice seeing the SSH and HTTP logs that DShield collects, but being able to go through the packets gives a much deeper insight into what attacks are happening and how they are happening. For me parsing logs felt like only seeing part of the conversation. Being able to see the packets now makes parsing the logs more complete and easier to interpret.
Conclusion
Capturing packets between the DShield honeypot and an externally facing router is a powerful tool to help with attack observations and identifying threat actors’ behavior for accurate documentation. In the future I would love to see packet capture capabilities added to the DShield, but until then using a LAN Tap can give us vital information to increase the scope of our attack documentation.
[1] https://isc.sans.edu/tools/honeypot/
[2] https://greatscottgadgets.com/throwingstar/
[3] https://www.sans.edu/cyber-security-programs/bachelors-degree/
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Scanning for Confluence CVE-2022-26134, (Fri, Mar 1st)
I have added daemonlogger [1] for packet capture and Arkime [2] to visualize the packets captured by my DShield sensor and started noticing this activity that so far only gone to TCP/8090 which is URL and base64 encoded. The DShield sensor started capturing this activity on the 12 February 2024 inbound from various IPs from various locations.
[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service., (Thu, Feb 29th)
Takes Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th)
Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)" [1]. The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquity, using well-known default credentials.
AWS Weekly Roundup — .Net Runtime for AWS Lambda, PartyRock Hackathon, and more — February 26, 2024
The Community AWS re:invent 2023 re:caps continue! Recently, I was invited to participate in one of these events hosted by the AWS User Group Kenya, and was able to learn and spend time with this amazing community.
Last week’s launches
Here are some launches that got my attention during the previous week.
.NET 8 runtime for AWS Lambda – AWS Lambda now supports .NET 8 as both a managed runtime and container base image. This support provides you with .NET 8 features that include API enhancements, improved Native Ahead of Time (Native AOT) support, and improved performance. .NET 8 supports C# 12, F# 8, and PowerShell 7.4. You can develop Lambda functions in .NET 8 using the AWS Toolkit for Visual Studio, the AWS Extensions for .NET CLI, AWS Serverless Application Model (AWS SAM), AWS CDK, and other infrastructure as code tools.
For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.
Other AWS news
Here are some additional projects, programs, and news items that you might find interesting:
Earlier this month, I used this image to call attention to the PartyRock Hackathon that’s currently in progress. The deadline to join the hackathon is fast approaching so be sure to signup before time runs out.
Amazon API Gateway – Amazon API Gateway processed over 100 trillion API requests in 2023, and we continue to see growing demand for API-driven applications. API Gateway is a fully-managed service that enables you to create, publish, maintain, monitor, and secure APIs at any scale. Customers that onboarded large workloads on API Gateway in 2023 told us they chose the service for its availability, security, and serverless architecture. Those in regulated industries value API Gateway’s private endpoints, which are isolated from the public internet and only accessible from your Amazon Virtual Private Cloud (VPC).
AWS open source news and updates – My colleague Ricardo writes this weekly open source newsletter in which he highlights new open source projects, tools, and demos from the AWS Community.
Upcoming AWS events
Season 3 of the Build on Generative AI Twitch show has kicked off. Join every Monday on Twitch at 9AM PST/Noon EST/18h CET to learn among others, how you can build generative AI-enabled applications.
If you’re in the EMEA timezone, there is still time to register and watch the AWS Innovate Online Generative AI & Data Edition taking place on February 29. Innovate Online events are free, online, and designed to inspire and educate you about building on AWS. Whether you’re in the Americas, Asia Pacific & Japan, or EMEA region, learn here about future AWS Innovate Online events happening in your timezone.
AWS Community re:Invent re:Caps – Join a Community re:Cap event organized by volunteers from AWS User Groups and AWS Cloud Clubs around the world to learn about the latest announcements from AWS re:Invent.
You can browse all upcoming in-person and virtual events here.
That’s all for this week. Check back next Monday for another Weekly Roundup!
– Veliswa
This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS.
New AWS Region in Mexico is in the works
Today, I am happy to announce that we are working on an AWS Region in Mexico. This AWS Mexico (Central) Region will be the second Region in Latin America joining the AWS South America (São Paulo) Region and will give AWS customers the ability to run workloads and store data that must remain in-country.
Mexico in the works
The Region will include three Availability Zones, each one physically independent of the others in the Region yet far enough apart to minimize the risk that an event in one Availability Zone will have impact on business continuity. The Availability Zones will be connected to each other by high-bandwidth, low-latency network connections over dedicated, fully redundant fiber.
With this announcement, AWS now has five new Regions in the works (Germany, Malaysia, Mexico, New Zealand, and Thailand) and 15 upcoming new Availability Zones.
AWS investment in Mexico
The upcoming AWS Mexico Region is the latest in ongoing investments by AWS in Mexico to provide customers with advanced and secure cloud technologies. Since 2020, AWS has launched seven Amazon CloudFront edge locations in Mexico. Amazon CloudFront is a highly secure and programmable content delivery network (CDN) that accelerates the delivery of data, videos, applications, and APIs to users worldwide with low latency and high transfer speeds.
In 2020, AWS launched AWS Outposts in Mexico. AWS Outposts is a family of fully managed solutions delivering AWS infrastructure and services to virtually any on-premises or edge location for a truly consistent hybrid experience. AWS expanded its infrastructure footprint in Mexico again in 2023 with the launch of AWS Local Zones in Queretaro. AWS Local Zones are a type of AWS infrastructure deployment that places compute, storage, database, and other select services closer to large population, industry, and IT centers, enabling customers to deliver applications that require single-digit millisecond latency to end users. In 2023, AWS established an AWS Direct Connect location in Queretaro, allowing customers to establish private connectivity between AWS and their data center, office, or colocation environment.
Here is a glimpse into our customers in Mexico and the exciting, innovative work they’re undertaking:
Banco Santander Mexico is one of the leading financial groups in the country, focused on commercial banking and securities financing, serving more than 20.5 million customers. “AWS has been a strategic partner for our digital transformation,” said Juan Pablo Chiappari, head of IT Infrastructure for North America. “Thanks to their wide range of services, we have been able to innovate faster, improve our customer experience and reduce our operating costs.”
SkyAlert is an innovative technology company that quickly alerts millions of people living in earthquake-prone areas, promoting a culture of prevention against natural disasters. In order to provide customers—both businesses and individuals—with the right tools to protect themselves during earthquakes, SkyAlert migrated its infrastructure to AWS. After implementing its Internet of Things (IoT) solution to run on AWS and its efficient alert service, SkyAlert scales quickly and can send millions of messages in a few seconds, helping to save lives in the event of earthquakes.
Kueski is an online lender for the middle class of Mexico and Latin America. The company uses big data and advanced analytics to approve and deliver loans in a matter of minutes. The company has become the fastest-growing platform of its kind in the region and has already granted thousands of loans. They were born with AWS.
Bolsa Institucional de Valores (BIVA) is a stock exchange based in Mexico, backed by Nasdaq. BIVA provides local and global investors with cutting-edge technology for trading and market solutions and companies with listing and maintenance services. As part of its vision of innovation, BIVA started its journey to the cloud in 2023 by migrating its disaster recovery site, including its trading and market surveillance systems, to AWS, using edge compute capabilities available in both the AWS Local Zones in Queretaro, Mexico, to achieve their low latency needs.
Stay Tuned
The AWS Region in Mexico will open in early 2025. As usual, subscribe to this blog so that you will be among the first to know when the new Region is open!
To learn more about AWS Global Cloud Infrastructure, see the Global Infrastructure page.
— Irshad
#StopRansomware: Phobos Ransomware
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2]
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of indicators of compromise (IOCs), see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[3],[4]
Reconnaissance and Initial Access
Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [T1598] to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [T1595.001] or by leveraging RDP on Microsoft Windows environments.[5],[6]
Once they discover an exposed RDP service, the actors use open source brute force tools to gain access [T1110]. If Phobos actors gain successful RDP authentication [T1133][T1078] in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies [T1593]. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [T1219].[7]
Alternatively, threat actors send spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.
Execution and Privilege Escalation
Phobos actors run executables like 1saas.exe
or cmd.exe
to deploy additional Phobos payloads that have elevated privileges enabled [TA0004]. Additionally, Phobos actors can use the previous commands to perform various windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [T1059.003][T1105].[8]
Smokeloader Deployment
Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[9]
For the first phase, Smokeloader manipulates either VirtualAlloc
or VirtualProtect API
functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [T1055.002]. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites [T1001.003].[10]
Within this phase, the shellcode also sends a call from the entry point to a memory container [T1055.004] and prepares a portable executable for deployment in the final stage [T1027.002][T1105][T1140].
Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[7] Following successful payload decryption, the threat actors can begin downloading additional malware.
Additional Phobos Defense Evasion Capabilities
Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like netsh firewall set opmode mode=disable
[T1562.004]. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool [T1562].
Persistence and Privilege Escalation
According to open source reporting, Phobos ransomware uses commands such as Exec.exe
or the bcdedit[.]exe
control mechanism. Phobos has also been observed using Windows Startup folders and Run Registry Keys such as C:/UsersAdminAppDataLocaldirectory
[T1490][T1547.001] to maintain persistence within compromised environments.[5]
Additionally, Phobos actors have been observed using built-in Windows API functions [T1106] to steal tokens [T1134.001], bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege
process [T1134.002]. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access [T1003.005].
Discovery and Credential Access
Phobos actors additionally use open source tools [T1588.002] such as Bloodhound and Sharphound to enumerate the active directory [T1087.002]. Mimikatz and NirSoft, as well as Remote Desktop Passview to export browser client credentials [T1003.001][T1555.003], have also been used. Furthermore, Phobos ransomware is able to enumerate connected storage devices [T1082], running processes [T1057], and encrypt user files [T1083].
Exfiltration
Phobos actors have been observed using WinSCP
and Mega.io
for file exfiltration.[11] They use WinSCP
to connect directly from a victim network to an FTP server [T1071.002] they control [TA0010]. Phobos actors install Mega.io
[T1048] and use it to export victim files directly to a cloud storage provider [T1567.002]. Data is typically archived as either a .rar
or .zip
file [T1560] to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software [T1555.005].
Impact
After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe
and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place [T1047][T1490].
Phobos.exe
contains functionality to encrypt all connected logical drives on the target host [T1486]. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.
Most extortion [T1657] occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate [T1585]. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[6]
INDICATORS OF COMPROMISE (IOCs)
See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.
Associated Phobos Domains |
---|
adstat477d[.]xyz |
demstat577d[.]xyz [12] |
serverxlogs21[.]xyz |
Shell Commands |
---|
vssadmin delete shadows /all /quiet [T1490] |
netsh advfirewall set currentprofile state off |
wmic shadowcopy delete |
netsh firewall set opmode mode=disable [T1562.004] |
bcdedit /set {default} bootstatuspolicy ignoreallfailures [T1547.001] |
bcdedit /set {default} recoveryenabled no [T1490] |
wbadmin delete catalog -quiet |
mshta C:%USERPROFILE%Desktopinfo.hta [T1218.005] |
mshta C:%PUBLIC%Desktopinfo.hta |
mshta C:info.hta |
The commands above are observed during the execution of a Phobos encryption executable. A Phobos encryption executable spawns a cmd.exe
process, which then executes the commands listed in Table 1 with their respective Windows system executables. When the commands above are executed on a Windows system, volume shadow copies are deleted and Windows Firewall is disabled. Additionally, the system’s boot status policy is set to boot even when there are errors during the boot process, and automatic recovery options, like Windows Recovery Environment (WinRE), are disabled for the given boot entry. The system’s backup catalog is also deleted. Finally, the Phobos ransom note is displayed to the end user using mshta.exe
.
Registry Keys |
---|
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun<Phobos exe name> |
C:/UsersAdminAppDataLocaldirectory |
Email Addresses | |
AlbetPattisson1981@protonmail[.]com |
henryk@onionmail[.]org |
atomicday@tuta[.]io |
info@fobos[.]one |
axdus@tuta[.]io |
it.issues.solving@outlook[.]com |
barenuckles@tutanota[.]com |
JohnWilliams1887@gmx[.]com |
Bernard.bunyan@aol[.]com |
jonson_eight@gmx[.]us |
bill.g@gmx[.]com |
joshuabernandead@gmx[.]com |
bill.g@msgsafe[.]io |
LettoIntago@onionmail[.]com |
bill.g@onionmail[.]org |
Luiza.li@tutanota[.]com |
bill.gTeam@gmx[.]com |
MatheusCosta0194@gmx[.]com |
blair_lockyer@aol[.]com |
mccreight.ellery@tutanota[.]com |
CarlJohnson1948@gmx[.]com |
megaport@tuta[.]io |
cashonlycash@gmx[.]com |
miadowson@tuta[.]io |
chocolate_muffin@tutanota[.]com |
MichaelWayne1973@tutanota[.]com |
claredrinkall@aol[.]com |
normanbaker1929@gmx[.]com |
clausmeyer070@cock[.]li |
nud_satanakia@keemail[.]me |
colexpro@keemail[.]me |
please@countermail[.]com |
cox.barthel@aol[.]com |
precorpman@onionmail[.]org |
crashonlycash@gmx[.]com |
recovery2021@inboxhub[.]net |
everymoment@tuta[.]io |
recovery2021@onionmail[.]org |
expertbox@tuta[.]io |
SamuelWhite1821@tutanota[.]com |
fastway@tuta[.]io |
SaraConor@gmx[.]com |
fquatela@techie[.]com |
secdatltd@gmx[.]com |
fredmoneco@tutanota[.]com |
skymix@tuta[.]io |
getdata@gmx[.]com |
sory@countermail[.]com |
greenbookBTC@gmx[.]com |
spacegroup@tuta[.]io |
greenbookBTC@protonmail[.]com |
stafordpalin@protonmail[.]com |
helperfiles@gmx[.]com |
starcomp@keemail[.]me |
helpermail@onionmail[.]org |
xdone@tutamail[.]com |
helpfiles@onionmail[.]org |
xgen@tuta[.]io |
helpfiles102030@inboxhub[.]net |
xspacegroup@protonmail[.]com |
helpforyou@gmx[.]com |
zgen@tuta[.]io |
helpforyou@onionmail[.]org |
zodiacx@tuta[.]io |
Telegram Username |
---|
@phobos_support |
Wickr Address |
---|
|
Disclaimer: Organizations are encouraged to investigate the use of the IOCs in Table 7 for related signs of compromise prior to performing remediation actions.
Associated IP Address | File Type | File Name | SHA 256 Hash |
---|---|---|---|
194.165.16[.]4 (October 2023) |
Win32.exe |
Ahpdate.exe [13] |
0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f |
45.9.74[.]14 (December 2023) 147.78.47[.]224 (December 2023) |
Executable and Linkable Format (ELF) [14] |
1570442295 (Trojan Linux Mirai) |
7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0 |
185.202.0[.]111 (September 2023) |
Win32.exe [15] |
cobaltstrike_shellcode[.]exe (C2 activity) |
|
185.202.0[.]111 (December 2023) |
.txt [16] |
f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c.bin (Trojan) |
Disclaimer: Organizations are encouraged to investigate the use of the file hashes in Tables 8 and 9 for related signs of compromise prior to performing remediation actions.
Phobos Ransomware SHA 256 Malicious Trojan Executable File Hashes |
---|
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c |
9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c |
482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52 |
c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763 |
Phobos Ransomware SHA 256 File Hashes |
58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6 |
f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed |
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c |
32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3 |
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 |
fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6 |
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2 |
MITRE ATT&CK TECHNIQUES
See Table 10 through 22 for all threat actor tactics and techniques referenced in this advisory.
Technique Title | ID | Use |
---|---|---|
Search Open Websites/Domains |
Phobos actors perform open source research to find information about victims that can be used during targeting to create a victim profile. |
|
Scanning IP Blocks |
Phobos actors used IP scanning tools to include Angry IP Scanner to search for vulnerable RDP ports. |
|
Phishing for Information |
Phobos actors use phishing campaigns to social engineer information from users and gain access to vulnerable RDP ports. |
Technique Title | ID | Use |
---|---|---|
Establish Accounts |
Phobos actors establish accounts to communicate. |
|
Obtain Capabilities: Tool |
Phobos actors used open source tools in their attack. |
Technique Title | ID | Use |
---|---|---|
Valid Accounts |
Following successful RDP authentication, Phobos actors search for IP addresses and pair them with their associated computer to create a victim profile. |
|
External Remote Services |
Phobos actors may leverage external-facing remote services to initially access and/or persist within a network. |
|
Phishing: Spearphishing Attachment |
Phobos actors used a spoofed email attachment to execute attack. |
Technique Title | ID | Use |
---|---|---|
Windows Management Instrumentation |
Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files. |
|
Windows Command Shell |
Phobos actors can use the previous commands to perform commands with windows shell functions. |
|
Native API |
Phobos actors used open source tools to enumerate the active directory. |
|
Malicious File |
Phobos actors attached a malicious email attachment to deliver ransomware. |
Technique Title | ID | Use |
---|---|---|
Registry Run Keys / Startup Folder |
Phobos ransomware operates using the |
Technique Title | ID | Use |
---|---|---|
Privilege Escalation |
Phobos actors use run commands like |
|
Portable Executable Injection |
Phobos actors use Smokeloader to inject code into running processes to identify an entry point through enabling a |
|
Asynchronous Procedure Call |
During phase two of execution, Phobos ransomware sends a call back from an identified entry point. |
|
Access Token Manipulation: Token Impersonation/Theft |
Phobos actors can use Windows API functions to steal tokens. |
|
Create Process with Token |
Phobos actors used Windows API functions to steal tokens, bypass access controls and create new processes. |
Technique Title | ID | Use |
---|---|---|
Software Packing |
Phobos actors deployed a portable executable (PE) to conceal code. |
|
Embedded Payloads |
Phobos actors embedded the ransomware as a hidden payload by using Smokeloader. |
|
Deobfuscate/Decode Files or Information |
During phase two of execution, Phobos actors’ malware stores and decrypts information. |
|
System Binary Proxy Execution: Mshta |
Phobos actors used Mshta to execute malicious files. |
|
Impair Defenses |
Phobos actors can use Universal Virus Sniffer, Process Hacker, and PowerTool to evade detection. |
|
Disable or Modify System Firewall |
Phobos ransomware has been observed bypassing organizational network defense protocols through modifying system firewall configurations. |
Technique Title | ID | Use |
---|---|---|
OS Credential Dumping: LSASS Memory |
Phobos actors used Mimikatz to export credentials. |
|
OS Credential Dumping: Cached Domain Credentials |
Phobos actors use cached domain credentials to authenticate as the domain administrator in the event a domain controller is unavailable. |
|
Brute Force |
Phobos actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. |
|
Credentials from Password Stores |
Phobos actors may search for common password storage locations to obtain user credentials. |
|
Credentials from Password Stores: Credentials from Web Browsers |
Phobos actors use Nirsoft or Passview to export client credentials from web browsers. Phobos actors search for stored credentials in browser clients once they gain initial network access. |
|
Credentials from Password Stores: Password Managers |
Phobos actors targeted victim’s databases for password management software. |
Technique Title | ID | Use |
---|---|---|
Process Discovery |
Phobos ransomware is able to run processes. |
|
System Information Discovery |
Phobos ransomware is able to enumerate connected storage devices. |
|
File and Directory Discovery |
Phobos ransomware can encrypt user files. |
|
Domain Account |
Phobos threat actor used Bloodhound and Sharphound to enumerate the active directory. |
Technique Title | ID | Use |
---|---|---|
Archive Collected Data |
Phobos threat actors archive data as either a |
Technique Title | ID | Use |
---|---|---|
Data Obfuscation: Protocol Impersonation |
Phobos actors used a stealth process to obfuscate C2 activity. |
|
File Transfer Protocols |
Phobos threat actors used |
|
Ingress Tool Transfer |
Phobos ransomware extracts its final payload from the hashed file. |
|
Remote Access Software |
Phobos threat actors used remote access tools to establish a remote connection within victim’s network. |
Technique Title | ID | Use |
---|---|---|
Exfiltration |
Phobos threat actors may use exfiltration techniques to steal data from your network. |
|
Exfiltration Over Alternative Protocol |
Phobos threat actors use software to export files to a cloud. |
|
Exfiltration to Cloud Storage |
Phobos threat actors use |
Technique Title | ID | Use |
---|---|---|
Data Encrypted for Impact |
Phobos threat actors use the |
|
Inhibit System Recovery |
Phobos threat actors may delete or remove backups to include volume shadow copies from Windows environments to prevent victim data recovery response efforts. |
|
Financial Theft |
Phobos threat actor’s extort victims for financial gain. |
MITIGATIONS
Secure by Design and Default Mitigations:
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.
For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.
The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Secure remote access software by applying recommendations from the joint Guide to Securing Remote Access Software.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs.
- Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
- Implement log collection best practices and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection [CPG 2.T].
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
- Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
- Audit the network for systems using RDP.
- Close unused RDP ports.
- Enforce account lockouts after a specified number of attempts.
- Apply phishing-resistant multifactor authentication (MFA).
- Log RDP login attempts.
- Disable command-line and scripting activities and permissions [CPG 2.N].
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
- Reduce the threat of credential compromise via the following:
- Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
- Refrain from storing plaintext credentials in scripts.
- Implement time-based access for accounts at the admin level and higher [CPG 2.A, 2.E].
In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
- Use longer passwords consisting of at least 15 characters and no more than 64 characters in length [CPG 2.B].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. - Require administrator credentials to install software.
- Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Disable unused ports and protocols [CPG 2.V].
- Consider adding an email banner to emails received from outside your organization [CPG 2.M].
- Disable hyperlinks in received emails.
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Tables 4-16).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
- Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
- Resource to mitigate a ransomware attack: CISA, NSA, FBI, and Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Joint #StopRansomware Guide.
- SLTT organizations are encouraged to implement MS-ISAC’s Ransomware Defense-in-Depth guidance.
- No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
- CISA: Known Exploited Vulnerabilities Catalog
- CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
- CISA: Decider Tool
- CISA: Cross-Sector Cybersecurity Performance Goals
- CISA: Secure by Design
- CISA: Implementing Phishing-Resistant MFA
- CISA: Guide to Securing Remote Access Software
REFERENCES
[1] Privacy Affairs: “Moral” 8Base Ransomware Targets 2 New Victims
[2] VMware: 8base ransomware: A Heavy Hitting Player
[3] Infosecurity Magazine: Phobos Ransomware Family Expands With New FAUST Variant
[4] The Record: Hospitals offline across Romania following ransomware attack on IT platform
[5] Comparitech: What is Phobos Ransomware & How to Protect Against It?
[6] Cisco Talos: Understanding the Phobos affiliate structure and activity
[7] Cisco Talos: A deep dive into Phobos ransomware, recently deployed by 8Base group
[8] Malwarebytes Labs: A deep dive into Phobos ransomware
[9] Any Run: Smokeloader
[10] Malpedia: Smokeloader
[11] Truesec: A case of the FAUST Ransomware
[12] VirusTotal: Phobos Domain #1
[13] VirusTotal: Phobos executable: Ahpdate.exe
[14] VirusTotal: Phobos GUI extension: ELF File
[15] VirusTotal: Phobos IP address: 185.202.0[.]111
[16] VirusTotal: Phobos GUI extension: Binary File
[17] Cisco Talos GitHub: IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom-note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.
The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.
DISCLAIMER
The FBI does not conduct its investigative activities or base attribution solely on activities protected by the First Amendment. Your company has no obligation to respond or provide information back to the FBI in response to this engagement. If, after reviewing the information, your company decides to provide referral information to the FBI, it must do so in a manner consistent with federal law. The FBI does not request or expect your company to take any particular action regarding this information other than holding it in confidence due to its sensitive nature.
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.
ACKNOWLEDGEMENTS
The California Joint Regional Intelligence Center (JRIC, CA) and Israel National Cyber Directorate (INCD) contributed to this CSA.
VERSION HISTORY
February 29, 2024: Initial version.