The Nigeria Computer Emergency Response Team (ngCERT) has issued an urgent advisory highlighting an increase in ransomware attacks targeting the nation’s critical cloud infrastructure.
The advisory warns of the high probability and severe damage potential of these attacks, particularly those orchestrated by the Phobos ransomware group.
According to ngCERT, the most at-risk entities include providers of information technology and telecommunication services. These sectors are particularly vulnerable as they often manage cloud services for critical government agencies, financial institutions, telecommunications, education, healthcare services, and NGOs in Nigeria.
“ngCERT has detected an increase in ransomware attacks by the Phobos ransomware group, specifically targeting critical cloud service providers within our national cyberspace. We are actively collaborating with vulnerable and affected organisations to swiftly resolve these incidents and prevent further escalation.
“The most at-risk entities include providers of information technology and telecommunication services, such as managed cloud services, whose clients include critical government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs in Nigeria.”
The advisory emphasises the need for these organisations to proactively implement mitigation strategies to prevent the spread of malware.
Recent intelligence has revealed a surge in ransomware activities aimed at cloud service providers key to Nigeria’s cyberspace. The Phobos group has been particularly aggressive, targeting entities that include government agencies, financial institutions, healthcare services, and NGOs.
These attackers exploit vulnerabilities in these systems to gain unauthorised access, encrypt data, and demand ransoms.
Phobos ransomware operatives typically infiltrate networks using phishing campaigns and IP scanning tools to find susceptible Remote Desktop Protocol (RDP) ports. They exploit these vulnerabilities to execute hidden payloads and gain control over systems.
Upon accessing an exposed RDP service, they use brute force tools to escalate privileges and deploy additional malware. Key tools in their arsenal include lsass.exe and cmd.exe for command execution and tools like Smokeloader for payload delivery.
Indicators of compromise associated with these attacks include emails from finamtox@zohomail.eu, potentially related to the Phobos ransomware group. Encrypted files are typically renamed using the pattern filename.id[xxxxxxx-xxxx].email.xshell.
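As an added illustration (not part of the advisory or this article), the Python below checks a list of file names against the renaming pattern quoted above and a mail log against the sender address; the regex details (an alphanumeric victim ID, optional brackets around the address, any short trailing extension) and the sample data are assumptions beyond what the advisory states.

```python
import re
from typing import List, Optional

# Indicators quoted in the ngCERT advisory: the sender address and the naming
# pattern of encrypted files, filename.id[xxxxxxx-xxxx].email.xshell.
PHOBOS_EMAIL_IOC = "finamtox@zohomail.eu"

# Assumptions (not from the advisory): the victim ID is alphanumeric with one
# hyphen, the e-mail segment may be bare or wrapped in [...], and the trailing
# extension is any short alphanumeric token rather than strictly "xshell".
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Za-z]+-[0-9A-Za-z]+)\]"
    r"\.\[?(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\]?"
    r"\.(?P<ext>[A-Za-z0-9]{1,10})$"
)

def parse_phobos_name(filename: str) -> Optional[dict]:
    """Decompose a Phobos-style file name; None if the name does not match."""
    m = PHOBOS_NAME_RE.match(filename.strip())
    return m.groupdict() if m else None

def scan_file_names(names: List[str]) -> List[dict]:
    """Flag files renamed in the Phobos pattern and note whether the embedded
    address is the one published in the advisory."""
    findings = []
    for name in names:
        parsed = parse_phobos_name(name)
        if parsed:
            parsed["known_ioc"] = parsed["email"].lower() == PHOBOS_EMAIL_IOC
            findings.append(parsed)
    return findings

def scan_mail_log(lines: List[str]) -> List[str]:
    """Return mail-log lines that mention the advisory's sender address."""
    return [ln for ln in lines if PHOBOS_EMAIL_IOC in ln.lower()]

# Constructed sample data so the block runs stand-alone (not real victim data).
SAMPLE_FILES = [
    "quarterly.xlsx.id[A1B2C3D4-2345].[finamtox@zohomail.eu].xshell",
    "backup.sql.id[0F1E2D3C-1234].finamtox@zohomail.eu.xshell",
    "notes.txt",
]
SAMPLE_MAIL_LOG = [
    "2024-06-03T08:12:41Z mx1 from=<finamtox@zohomail.eu> to=<it@example.org>",
    "2024-06-03T08:13:02Z mx1 from=<hr@example.org> to=<staff@example.org>",
]

if __name__ == "__main__":
    print(scan_file_names(SAMPLE_FILES), scan_mail_log(SAMPLE_MAIL_LOG))
```

A hit on the naming pattern with `known_ioc` false still indicates Phobos-style encryption under a different contact address, so both outcomes warrant investigation.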
Organisations affected by Phobos ransomware may experience a range of serious consequences. These include system compromises and data breaches, ransom payments to restore access, data encryption leading to operational lockouts, financial losses, Denial of Service (DoS) attacks, and fraudulent activities using compromised systems.
ngCERT recommends several measures to combat these threats. Organisations should secure RDP ports and prioritise the remediation of known vulnerabilities. Implementing Endpoint Detection and Response (EDR) solutions to disrupt malicious activities is also important.
Additionally, disabling unnecessary command-line and scripting activities can prevent unauthorised access. Segmenting networks to prevent the spread of ransomware and regularly updating and enabling real-time antivirus detection are also advised.
Conducting audits of user accounts and administrative privileges helps maintain a secure environment. Maintaining multiple, secure backups of vital data and disabling hyperlinks in received emails to prevent phishing attacks are essential preventive measures.
Organisations are urged to adopt these mitigation strategies to protect their systems from the escalating ransomware threat. Regular updates, vigilant monitoring, and robust security protocols are essential to safeguard against these sophisticated cyber-attacks.