Phobos
Phobos is an organized cybercrime ransomware operation run on a ransomware-as-a-service (RaaS) model: the operators supply the ransomware to affiliates, who conduct the intrusions and share the proceeds. The cited reporting describes Phobos as derived from the Crysis ransomware family. Phobos has been linked to more than 1,000 victims worldwide across public and private entities, including schools, hospitals, healthcare providers, educational institutions, government bodies, nonprofit organizations, providers of essential services, private firms, and at least one contractor linked to the U.S. Department of Defense. Reported ransom totals vary by source: figures of more than $16 million and more than $39 million are both cited. Phobos is also described as notable for relatively small ransom demands, with one report placing average payments below roughly $500 to $1,000 and another citing an average ransom demand around $54,000.

The operation has been active since at least 2019 or 2020, depending on the report, and has been administered through affiliates. U.S. authorities stated that Russian national Evgenii Ptitsyn administered the sale, distribution, and operation of Phobos ransomware; other reporting says he was involved in its development, sale, distribution, and operations. Ptitsyn has been associated with the aliases "derxan" and "zimmermanx." The reporting also references charges against Roman Berezhnoy and Egor Glebov, and repeated law-enforcement actions against affiliates and infrastructure, including the Europol-coordinated Operation Aether and arrests in Poland and Thailand. Multiple reports state that Phobos activity declined significantly after Ptitsyn's extradition.

Tradecraft and ecosystem details mentioned directly in the reporting include the use of affiliates, encrypted messaging for operator communications, and the use of legitimate dual-use tools during intrusions. Seqrite reported that Process Hacker is commonly used by Phobos operators.
The reporting also notes that Space Bears is associated with the Phobos RaaS operation and linked to the Faust operator within the Phobos ecosystem, and that some 8Base operators are former affiliates of Dharma and/or Phobos. One report states that 8Base used a Phobos variant. The reporting further notes that a cracked Phobos builder was advertised on the RAMP cybercrime forum in December 2023, and that RAMP hosted PHOBOS among its advertised RaaS programs and cracked criminal tooling. A separate report observed that the LockBit Run key entry XO1XADpO01 and the ransom note filename Restore-My-Files.txt were also seen in use by Phobos and by a ransomware impersonating Phobos.
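Because the Run key entry and ransom note filename above are reported as shared between LockBit, Phobos and a Phobos imposter, a match on either one is a ransomware signal but not an attribution. The following is an added example, not code from the page or from Mallory: it parses constructed log lines loosely modelled on Sysmon EventID 13 (registry value set) and EventID 11 (file create), flags the two indicators named on the page, and then correlates by source process so an analyst can see when one process produced both. The key=value line format and field names (Image, TargetObject, TargetFilename, Details) are assumptions for the example.

```python
"""Added example: flag the two shared Phobos/LockBit indicators from the page
in constructed Sysmon-style log lines, then correlate hits per process."""
import re
from dataclasses import dataclass

# Indicators named on the page. Both are reported as shared across families,
# so a hit means "ransomware-like behaviour", not "this is Phobos".
RUN_KEY_VALUE = "XO1XADpO01"
RANSOM_NOTE = "Restore-My-Files.txt"
SHARED_NOTE = "indicator shared by LockBit, Phobos and a Phobos imposter; attribute with care"

# Value name under ...\CurrentVersion\Run (regex \\ matches one backslash).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# key=value pairs; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    event_id: int
    indicator: str
    image: str      # process that performed the action
    detail: str     # registry data or created file path
    note: str


# Constructed sample log (assumed format, not real telemetry).
SAMPLE_LOG = """\
EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\svc.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\XO1XADpO01 Details=C:\\Users\\bob\\AppData\\Local\\svc.exe
EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details=C:\\Program Files\\OneDrive.exe
EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\svc.exe TargetFilename=C:\\Users\\bob\\Documents\\Restore-My-Files.txt
EventID=11 Image=C:\\Windows\\System32\\notepad.exe TargetFilename=C:\\Users\\bob\\Documents\\notes.txt
"""


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; values may contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}


def detect(log_text: str) -> list:
    """Return one Alert per log line that matches a page-listed indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = int(ev.get("EventID", 0))
        image = ev.get("Image", "")
        if eid == 13:  # registry value set: check the Run key value name
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if m and m.group(1).lower() == RUN_KEY_VALUE.lower():
                alerts.append(Alert(13, RUN_KEY_VALUE, image, ev.get("Details", ""), SHARED_NOTE))
        elif eid == 11:  # file create: check the basename of the new file
            path = ev.get("TargetFilename", "")
            if path.rsplit("\\", 1)[-1].lower() == RANSOM_NOTE.lower():
                alerts.append(Alert(11, RANSOM_NOTE, image, path, SHARED_NOTE))
    return alerts


def images_with_both(alerts: list) -> list:
    """Processes that produced both indicators: a stronger signal than either alone."""
    by_image = {}
    for a in alerts:
        by_image.setdefault(a.image, set()).add(a.indicator)
    return sorted(img for img, inds in by_image.items() if len(inds) == 2)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"EventID {a.event_id}: {a.indicator} via {a.image} -> {a.detail}")
    print("processes with both indicators:", images_with_both(hits))
```

Running the block on the constructed sample yields two alerts, both from the same svc.exe process, which `images_with_both` surfaces; the OneDrive Run entry and notes.txt create are correctly ignored. In production the same two checks map naturally onto a registry-event and a file-event rule, with the correlation step done in the SIEM.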
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced via a cracked builder offered on RAMP, lowering the barrier to launch independent ransomware attacks outside the normal affiliate model.
Ransomware operators noted for using Process Hacker as part of attacks, likely to interfere with defensive processes.
Ransomware operation administered through affiliates, extorting public and private entities globally.
Ransomware operation run via an affiliate model, coordinating sale/distribution of the Phobos ransomware and decryption keys; affiliates targeted 1,000+ organizations worldwide and collected $39M+ in ransoms, including dozens of attacks against U.S. healthcare, hospitals, education, and essential services.