{"id":2644,"date":"2024-03-01T21:57:35","date_gmt":"2024-03-01T21:57:35","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79607"},"modified":"2024-03-01T21:57:35","modified_gmt":"2024-03-01T21:57:35","slug":"cisa-warns-state-local-government-about-phobos-ransomware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/01\/cisa-warns-state-local-government-about-phobos-ransomware\/","title":{"rendered":"CISA warns state, local government about Phobos ransomware"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>CISA warns state, local government about Phobos ransomware | StateScoop<\/title> <meta name=\"description\" content=\"Phobos is &quot;pretty standard&quot; ransomware, one expert said, but the Cybersecurity and Infrastructure Security Agency warns that it's on the rise in state and local government.\"> <link rel=\"canonical\" href=\"https:\/\/statescoop.com\/cisa-phobos-ransomware-state-local-government\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA warns state, local government about Phobos ransomware | StateScoop\"> <meta property=\"og:description\" content=\"Phobos is &quot;pretty standard&quot; ransomware, one expert said, but the Cybersecurity and Infrastructure Security Agency warns that it's on the rise in state and local government.\"> <meta property=\"og:url\" content=\"https:\/\/statescoop.com\/cisa-phobos-ransomware-state-local-government\/\"> <meta property=\"og:site_name\" content=\"StateScoop\"> <meta property=\"article:published_time\" content=\"2024-03-01T21:23:48+00:00\"> <meta 
property=\"article:modified_time\" content=\"2024-03-01T21:26:52+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png\"> <meta property=\"og:image:width\" content=\"2000\"> <meta property=\"og:image:height\" content=\"1036\"> <meta property=\"og:image:type\" content=\"image\/png\"> <meta name=\"author\" content=\"sfoxsowell\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"StateScoop \u00bb Feed\" href=\"https:\/\/statescoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"StateScoop \u00bb Comments Feed\" href=\"https:\/\/statescoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/statescoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706643139g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/statescoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1708535870\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/statescoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1709325119\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" 
href=\"https:\/\/statescoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1706739310\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/statescoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/62483\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/statescoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/statescoop.com\/?p=62483\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/statescoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fstatescoop.com%2Fcisa-phobos-ransomware-state-local-government%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/statescoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fstatescoop.com%2Fcisa-phobos-ransomware-state-local-government%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-62483 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/statescoop.com\/cisa-phobos-ransomware-state-local-government\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div 
class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.703389830508\">\n<div class=\"single-article__header-content\" readability=\"31.25\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/statescoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Phobos is &#8220;pretty standard&#8221; ransomware, one expert said, but the Cybersecurity and Infrastructure Security Agency warns that it&#8217;s on the rise in state and local government. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"332\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware.png?resize=640%2C332&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png 2000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=300,155 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=768,398 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=1024,530 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=1536,796 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=600,311 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=1200,622 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware-1.png?resize=1500,777 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"60.500662502366\"><body readability=\"121.74711437566\"><\/p>\n<p>The <a href=\"https:\/\/www.cisa.gov\/\">Cybersecurity and Infrastructure Security Agency<\/a> on Thursday released an <a 
href=\"https:\/\/www.ic3.gov\/Media\/News\/2024\/240229.pdf\">advisory<\/a> warning of known cyberattack techniques and indicators of compromise to help public sector organizations better protect themselves against ransomware, specifically from the threat actor Phobos.<\/p>\n<p>The advisory says that since 2019, Phobos, a ransomware-as-a-service provider, has targeted the IT systems of municipal and county governments, emergency services, education institutions, public health care systems and other critical infrastructure. Ransomware-as-a-service, or RaaS, allows those with minimal technical expertise to launch ransomware attacks by using pre-developed tools.<\/p>\n<p>Randy Rose, vice president of security operations and intelligence at the <a href=\"https:\/\/www.cisecurity.org\/\">Center for Internet Security<\/a>, an Upstate New York nonprofit that runs the federally funded Multi-State Information Sharing and Analysis Center, said he\u2019s seen a growing frequency of RaaS cyberattacks across the public sector in recent years.<\/p>\n<p>\u201cPhobos is pretty standard ransomware,\u201d Rose told StateScoop. \u201cWe do see them across the [state, local, tribal and territorial] sector, which is one of the reasons why we pay a lot of attention to them.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Though <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CISA%20PSAP%20Ransomware%20Poster%20Fact%20Sheet_20210204_FINAL%20508.pdf\">CISA<\/a> and other federal agencies advise against paying ransoms, because payment does not guarantee that data obtained by hackers will no longer be compromised or that services and data will be restored, CISA says Phobos has extracted several million U.S. 
dollars in ransomware payments from its victims.<\/p>\n<p>According to a <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/overview-phobos-ransomware.pdf\">2021 report<\/a> by the U.S. Department of Health &amp; Human Services, the average Phobos ransomware payment is approximately $38,100.<\/p>\n<p>\u201cPhobos ransomware incidents impacting state, local, tribal, and territorial governments have been regularly reported to the [Multi-State Information Sharing and Analysis Center],\u201d the advisory states, though it\u2019s unclear how many ransomware incidents Phobos can claim.<\/p>\n<p>In 2023, <a href=\"https:\/\/securityaffairs.com\/154383\/malware\/8base-ransomware-phobos-ransomware.html\">Security Affairs reported<\/a> that \u201cexperts attributed 67 attacks to the group in May 2023,\u201d with most of its victims located in the U.S. or Brazil.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-ransomware-techniques\">Ransomware techniques<\/h3>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The CISA advisory says Phobos ransomware uses two main techniques to gain system access. One is phishing, the practice of stealing account login details by tricking people into opening malicious email attachments. The other is gaining direct access using the Remote Desktop Protocol, a Microsoft network tool that allows users to control computers remotely.<\/p>\n<p>Rose said that phishing campaigns, like the kind Phobos ransomware uses, are by far the most common and effective tactic used in cyberattacks, not because they\u2019re the easiest to deploy, but because they take advantage of human weaknesses.<\/p>\n<p>\u201cPhishing is a social engineering attack, right? We like to click on things [because] we\u2019re curious people, we\u2019re curious creatures. And we\u2019re also easily manipulated,\u201d Rose said. 
\u201cIt\u2019s why magicians still fool people and mentalists and illusionists and people who talk to the dead, like we want to believe these kinds of things.\u201d<\/p>\n<p>He also said phishing emails are getting harder and harder to detect, in part, due to generative artificial intelligence.<\/p>\n<p>\u201cGenerative AI can help you write a phishing email that\u2019s extremely convincing,\u201d Rose said. \u201cI don\u2019t think we\u2019re going to see the end of phishing being the intrusion vector of choice for these actors, just simply because it\u2019s so effective. And because now we have these tools that are essentially making it more effective.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"h-generative-ai-for-ransomware-defense\">Generative AI for ransomware defense<\/h3>\n<p>Rose said he believes generative AI can also be used to combat more sophisticated phishing campaigns.<\/p>\n<p>\u201cI think gen AI is going to help us on the defense side significantly,\u201d Rose said. \u201cWe\u2019re going to be able to see things that nobody else that no human could detect on their own, and we\u2019ll use AI to help detect and prevent those.\u201d<\/p>\n<p>Once Phobos gains access, the advisory says, the ransomware installs itself in key locations, such as the Windows Startup folder, and creates new registry keys in the operating system. It then targets local user files and network shares and monitors for new files that meet the requirements for encryption, including documents, commonly used folders and other media. 
The attacker then demands ransom from its victims in exchange for a decryption key.<\/p>\n<p>Since no Phobos decryptor exists other than those held by the ransomware\u2019s creators, CISA recommends securing Remote Desktop Protocol, using strong passwords and account lockout policies, using multi-factor authentication, using virtual private networks and regularly updating software \u2014 all long-established best practices in information security.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6518375241779\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-warns-state-local-government-about-phobos-ransomware.jpg?w=640&#038;ssl=1\" alt=\"Sophia Fox-Sowell\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Sophia Fox-Sowell<\/h4>\n<p> Sophia Fox-Sowell reports on artificial intelligence, cybersecurity and government regulation for StateScoop. She was previously a multimedia producer for CNET, where her coverage focused on private sector innovation in food production, climate change and space through podcasts and video content. She earned her bachelor\u2019s in anthropology at Wagner College and master\u2019s in media innovation from Northeastern University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Modernization<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Cybersecurity<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to StateScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start 
of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/statescoop.com\/cisa-phobos-ransomware-state-local-government\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA warns state, local government about Phobos ransomware | StateScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78],"tags":[86],"class_list":["post-2644","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category 
tag\">Cybersecurity<\/a>","tag_info":"Cybersecurity","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2644"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2644\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}