The Nigerian Computer Emergency Response Team (ngCERT) has revealed that there is a significant increase in ransomware attacks by the Phobos ransomware group, targeting critical cloud service providers within Nigeria’s national cyberspace.
According to ngCERT, the attacks primarily will affect providers of information technology and telecommunication services, including managed cloud services.
The ngCERT said it is actively working with vulnerable and affected organizations to resolve incidents and prevent further escalation.
The report read in part; “We are actively collaborating with vulnerable and affected organizations to swiftly resolve these incidents and prevent further escalation.
“The most at-risk entities include providers of information technology and telecommunication services, such as managed cloud services, whose clients include critical government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs in Nigeria. It is essential for organizations to proactively implement the mitigation strategies outlined in this document to help prevent the spread of the malware.”
How the attackers operate
Phobos attackers usually break into networks in two main ways:
- Phishing Emails: These are fake emails that deceive victims into opening attachments or links that could be harmful. This gives the attackers access to the network.
- RDP Exploitation: They search for weaknesses in the Remote Desktop Protocol (RDP) functionality. If they find an unsecured RDP, they use tools to guess the password and break in.
Once inside, they:
- Install more harmful software to control the system further.
- Use special programs to hide their activities so they aren’t detected.
- Steal important information like passwords and network details.
- Use other programs to send the stolen information out of the network.
Signs that your system has been attacked
- Email: The attackers use the email address finamtox@zohomail.eu.
- Ransomware Group: The attacks are linked to a group called the Phobos Ransomware Group.
- File Extension: Files that have been encrypted by the ransomware will have the extension .xshell added to them.
- File Format: If the format of the renamed files follows this pattern filename.id[xxxxxx-xxxx].email.xshell, it’s an indication of compromise.
Consequences of a successful attack
- Attackers are gaining control over your systems.
- You could be forced to pay a ransom to regain access to your data.
- Important files and systems could be encrypted or locked, making them inaccessible.
- Sensitive information could be stolen and lost.
- The attack can cause significant financial damage due to downtime, ransom payments, and recovery costs.
- Your services could be disrupted, making them unavailable to users.
- Attackers might use compromised systems for illegal activities.
Steps organizations can take to protect themselves
ngCERT urges organizations to implement the following measures to prevent the spread of ransomware and protect critical infrastructures.
- Secure RDP ports to prevent abuse.
- Prioritize fixing known exploited vulnerabilities.
- Introduce Endpoint Detection and Response (EDR) solutions.
- Disable unnecessary command-line and scripting activities.
- Segment networks to control traffic and restrict lateral movement.
- Review domain controllers and workstations for new or unrecognized accounts.
- Audit administrative user accounts and enforce the principle of least privilege.
- Implement time-based access for high-level accounts.
- Maintain multiple, physically separate backups of sensitive data.
- Regularly update and enable real-time antivirus detection.
- Disable unused ports and protocols.
- Add email banners for external emails and disable hyperlinks in emails.
- Ensure backup data is encrypted, immutable, and comprehensive.
- Maintain offline backups and regularly test restoration processes.
What You Should Know
- Ransomware attacks were the most prevalent form of cyberattack in 2023, accounting for 70% of total hits on businesses.
- According to the Sophos Active Adversary Report, 90% of these attacks involved the abuse of remote desktop protocol (RDP).
- Compromised credentials and exploited vulnerabilities remain the top root causes of these attacks.
- Despite these threats, many organizations have yet to implement essential security measures like multi-factor authentication.
- The report emphasizes the need for robust endpoint protection and careful management of remote services to mitigate risks.
