FG alerts citizens, businesses to spike in ransomware attacks nationwide

Nigerians and businesses operating in the country have been alerted to an escalation of ransomware attacks nationwide.

The alert was issued by the Nigeria Computer Emergency Response Team (ngCERT) in an advisory posted on its X handle on Wednesday. ngCERT, which rated the probability of the threat as high and the potential damage as critical, is the country's national cyber incident response unit under the Office of the National Security Adviser (NSA).

It disclosed that it has detected an increase in attacks by the Phobos ransomware group, specifically targeting critical cloud service providers within the country's cyberspace.
The body said it is actively collaborating with vulnerable and affected organisations to swiftly resolve these incidents and prevent further escalation.

According to the body, the entities most at risk are providers of information technology and telecommunications services, such as managed cloud services, whose clients include government agencies, financial institutions, telecommunications operators, education, healthcare, service providers and NGOs in Nigeria.

Consequences of these attacks, according to the advisory, include system compromise, ransom payment, data encryption leading to system lockout, data loss and exfiltration, financial losses, distributed denial of service (DDoS) and fraudulent activity carried out from compromised systems.

ngCERT said it is essential for organisations to proactively implement mitigation strategies to help prevent the spread of malware.

These strategies include securing Remote Desktop Protocol (RDP) ports so that threat actors cannot abuse RDP tools; prioritising remediation of known exploited vulnerabilities; implementing EDR solutions to disrupt the actors' memory allocation techniques; disabling command-line and scripting activities and permissions where they are not needed; and segmenting networks to limit the spread of ransomware.

Further, ngCERT said Phobos actors commonly gain entry into vulnerable networks through phishing campaigns that deliver hidden payloads, or by using IP scanning tools such as Angry IP Scanner to identify exposed RDP ports.
The body said the attackers also exploit RDP in Microsoft Windows environments, stressing that once an exposed RDP service is found, they deploy spoofed email attachments containing hidden payloads such as Smokeloader to initiate the infection.

“To execute and escalate privileges, Phobos actors execute commands such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges. They leverage Windows command shell capabilities for system control and utilize Smokeloader in a three-phase process for payload decryption and deployment, ensuring evasive actions against defenses,” ngCERT stated.

It further explained that, to evade detection, Phobos ransomware modifies firewall configurations, uses evasion tools like Universal Virus Sniffer and Process Hacker, and employs techniques such as token theft and privilege escalation through Windows API functions.
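To make the tradecraft described above concrete for defenders, the following is an added detection example and not code from the ngCERT advisory. It runs three simple rules over process-creation events: a payload whose file name imitates lsass.exe (such as 1saas.exe) or a real-looking lsass.exe outside System32, netsh commands that disable the firewall or add, change or delete rules, and launches of the evasion tools named in the advisory. The Sysmon-style field layout, the uvs.exe file name assumed for Universal Virus Sniffer, and the sample events are all assumptions constructed for this example.

```python
"""Toy detections for the Phobos tradecraft in the ngCERT advisory.

Added example, not the advisory's own code. Event fields are assumed to be
Sysmon-style (host, image path, command line); the sample events below are
constructed and do not come from any real incident.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str      # full path of the new process
    cmdline: str    # command line of the new process


# Characters attackers swap in to imitate "lsass.exe" (1saas.exe, Isass.exe, ...)
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})
SYSTEM32 = r"c:\windows\system32"
# Process Hacker's binary name; uvs.exe is an ASSUMED name for Universal Virus Sniffer
KNOWN_TOOLS = {"processhacker.exe", "uvs.exe"}
# netsh advfirewall ... state off, or firewall add/set/delete rule
FIREWALL_TAMPER = re.compile(
    r"advfirewall\s+(set\s+\w+\s+state\s+off|firewall\s+(add|set|delete)\s+rule)",
    re.I,
)


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance; small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lsass_lookalike(image: str) -> bool:
    """True when the file name is within one homoglyph/typo of lsass.exe but is
    not the genuine binary (exact name, living in System32)."""
    base = ntpath.basename(image).lower()
    if edit_distance(base.translate(HOMOGLYPHS), "lsass.exe") > 1:
        return False
    genuine = base == "lsass.exe" and ntpath.dirname(image).lower() == SYSTEM32
    return not genuine


def detect(events):
    """Return (host, rule, detail) tuples for every event that trips a rule."""
    findings = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        if is_lsass_lookalike(e.image):
            findings.append((e.host, "lsass_masquerade", e.image))
        if base in KNOWN_TOOLS:
            findings.append((e.host, "evasion_tool", base))
        if base == "netsh.exe" and FIREWALL_TAMPER.search(e.cmdline):
            findings.append((e.host, "firewall_tamper", e.cmdline))
    return findings


# Constructed sample events (assumptions, not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\lsass.exe", "lsass.exe"),          # benign
    ProcEvent("ws01", r"C:\Users\Public\1saas.exe", "1saas.exe"),             # masquerade
    ProcEvent("ws01", r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall set allprofiles state off"),                 # firewall off
    ProcEvent("ws02", r"C:\Tools\ProcessHacker.exe", "ProcessHacker.exe"),    # evasion tool
    ProcEvent("ws02", r"C:\Windows\System32\notepad.exe", "notepad.exe"),     # benign
    ProcEvent("ws03", r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall firewall add rule name=rdp dir=in action=allow "
              "protocol=TCP localport=3389"),                                 # opens RDP
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The lookalike rule deliberately normalises homoglyphs before comparing, so it catches both 1saas.exe and an exact-named lsass.exe dropped into a user-writable folder, while leaving the genuine System32 binary alone; in production these rules would be tuned against the organisation's own baseline of netsh and admin-tool usage.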