Phobos
Phobos is a ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018. The content describes it as a long-running, widely observed ransomware strain that has targeted more than 1,000 public and private entities worldwide and extorted more than $39 million in ransom payments. Reporting in the content characterizes Phobos as commonly used in lower-tier or spray-and-pray campaigns and notes that it typically targets smaller organizations, though it has also been associated with attacks affecting healthcare and other essential services.
Phobos is linked in the content to multiple affiliates and related variants. BackMyData is explicitly identified as a variant of the Phobos family and was used in the February 2024 ransomware attack on Romania’s Hipocrate Information System, which disrupted 100 hospitals; Romanian authorities stated there was no evidence of data theft at the time of reporting. The content also states that 8Base has been reported as a variant of Phobos v2.9.1, and that the Space Bears leak site is believed to function as a shared publishing point for activity related to Phobos-linked infrastructure.
Operationally, Phobos is described as a RaaS ecosystem in which administrators sold, operated, and distributed the ransomware to affiliates. Court reporting in the content states that affiliates paid for unique decryption keys after attacks, and that administrator Evgenii Ptitsyn controlled cryptocurrency wallets receiving a portion of affiliate fees and sometimes ransom proceeds. The U.S. Department of Justice charged and later reported a guilty plea from Ptitsyn for administering the sale, distribution, and operation of Phobos during a multi-year campaign.
Tradecraft associated with Phobos operators in the content includes abuse of legitimate administrative tools. Seqrite specifically notes that Process Hacker is a favored, commonly used tool among Phobos operators and places Phobos among ransomware families that increasingly use trusted, digitally signed utilities to disable antivirus and endpoint protections before encryption.
The content also notes ecosystem and law-enforcement developments around Phobos: cracked builders and leaked source code/builders for PHOBOS were observed on the RAMP cybercrime forum, lowering barriers to entry; some First VPN accounts were linked to Phobos ransomware investigations; and Japanese authorities released free decryptors for Phobos and 8Base. Financial reporting in the content states that Phobos ransom payments tend to cluster at the low end, averaging below roughly $500 to $1,000 in one cited analysis.
High-confidence indicators and related artifacts directly mentioned in the content are primarily tied to Phobos-family variants rather than generic Phobos samples. For BackMyData, these include ransom notes named info.txt and info.hta, persistence via Run registry keys and the Startup folder, deletion of Volume Shadow Copies, firewall disabling, network-share enumeration, partial encryption of large files, and the .backmydata extension. The analyzed BackMyData sample SHA-256 was 396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6.
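The BackMyData artifacts listed above (the .backmydata extension and the info.txt / info.hta ransom notes) can be turned into a file-inventory triage check. The following is an added example and not code from the original page or from any vendor report it cites; it runs over a constructed list of Windows paths standing in for a forensic file listing, and the paths and the per-directory correlation rule are assumptions made for the example. Correlating notes with encrypted files in the same directory matters because a lone info.txt is common in legitimate software folders.

```python
"""Triage a file inventory for BackMyData artifacts (added example, not page code)."""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators quoted in the profile above.
ENCRYPTED_EXT = ".backmydata"
RANSOM_NOTES = {"info.txt", "info.hta"}

# Constructed sample inventory; these paths are assumptions for this example.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.backmydata",
    r"C:\Users\alice\Documents\notes.docx.backmydata",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Program Files\SomeTool\info.txt",   # benign readme, no encrypted neighbours
    r"C:\Program Files\SomeTool\tool.exe",
    r"D:\Shares\Finance\q1.pdf.backmydata",
    r"D:\Shares\Finance\info.hta",
    r"C:\Users\alice\Desktop\readme.txt",
]


def triage(paths: list[str]) -> dict:
    """Group paths by directory and correlate encrypted files with ransom notes.

    Returns counts plus the directories where both artifact types co-occur
    (high confidence) and those holding only a note-named file (low confidence).
    """
    per_dir: dict[str, dict] = defaultdict(lambda: {"encrypted": 0, "notes": []})
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        entry = per_dir[str(wp.parent).lower()]
        if name.endswith(ENCRYPTED_EXT):
            entry["encrypted"] += 1
        elif name in RANSOM_NOTES:
            entry["notes"].append(p)
    return {
        "encrypted_files": sum(e["encrypted"] for e in per_dir.values()),
        "ransom_notes": sorted(p for e in per_dir.values() for p in e["notes"]),
        "affected_dirs": sorted(d for d, e in per_dir.items() if e["encrypted"] and e["notes"]),
        "note_only_dirs": sorted(d for d, e in per_dir.items() if e["notes"] and not e["encrypted"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

On a real host you would feed the function the output of a directory walk or a forensic file list; the extension match is deliberately a suffix check because the page only states the appended extension, not the full renamed-file format.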
Groups observed using it
4 distinct threat actors attributed by public researchers.
They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos...
Several research teams link the group to the Phobos ransomware as a service program (RaaS), and the Space Bears leak site is believed to function as a shared publishing point for activity related to that infrastructure.
Polish authorities arrested a 47-year-old man suspected of involvement in cybercrime and linked him to the Phobos ransomware operation... Phobos is an organized cybercrime group operating a ransomware-as-a-service (RaaS) model, providing its malware to affiliates who carry out attacks and share the profits.
Polish officials arrested a 47-year-old man accused of participating in ransomware attacks as an affiliate for the Phobos ransomware group...
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"...charged with producing, obtaining and sharing computer programs used to illegally obtain information stored on IT systems."
Initial Access
2 techniques
“If Phobos actors gain successful RDP authentication [T1133][T1078]…”
“Alternatively, threat actors send spoofed email attachments [T1566.001]…”
Execution
4 techniques
“They use vssadmin.exe and Windows Management Instrumentation command-line utility (WMIC)… [T1047]…”
The ransomware creates a “cmd.exe” process that will execute multiple commands.
“…using built-in Windows API functions [T1106] to steal tokens… and create new processes…”
“…spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader…”
Persistence
2 techniques
Privilege Escalation
4 techniques
The DuplicateTokenEx API is utilized to create a new access token... The ransomware spawns itself running in the security context of the newly created token.
The DuplicateTokenEx API is utilized to create a new access token that duplicates the token mentioned above... The ransomware spawns itself running in the security context of the newly created token.
Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder.
The malicious process enables the above privilege via a call to AdjustTokenPrivileges... 'SeDebugPrivilege' privilege
Stealth
7 techniques
“…prepares a portable executable for deployment… [T1027.002]…”
“Embedded Payloads… Phobos actors embedded the ransomware as a hidden payload by using Smokeloader.”
The unencrypted file is overwritten with zeros and deleted afterwards.
The DuplicateTokenEx API is utilized to create a new access token... The ransomware spawns itself running in the security context of the newly created token.
The DuplicateTokenEx API is utilized to create a new access token that duplicates the token mentioned above... The ransomware spawns itself running in the security context of the newly created token.
“…Phobos ransom note is displayed… using mshta.exe [T1218.005].”
The ransomware tries to open two mutexes called “Global\\<<BID>><Volume serial number>00000001” and “Global\\<<BID>><Volume serial number>00000000”, and then creates them.
Credential Access
3 techniques
“Mimikatz… to export… credentials [T1003.001]…”
“Credentials from Password Stores [T1555]…”
“They target… databases for… password management software [T1555.005].”
Discovery
5 techniques
The malware takes a snapshot of all processes in the system... The processes are enumerated using the Process32FirstW and Process32NextW APIs.
The malware extracts the major and minor version numbers of the operating system using the GetVersion method.
The files are enumerated using the FindFirstFileW and FindNextFileW methods.
WNetOpenEnumW is used to start an enumeration of all currently connected resources... The enumeration continues by calling the WNetEnumResourceW function.
The GetLocaleInfoW function is used to obtain the default locale... The binary verifies whether the 9th bit, which represents Cyrillic alphabets, is cleared.
Lateral Movement
2 techniques
It tries to connect to every host on the network on port 445 in order to encrypt every available network share.
It tries to connect to every host on the network on port 445 in order to encrypt every available network share.
Command and Control
1 technique
“…Windows command shell… [T1059.003][T1105].”
Impact
3 techniques
Through a variety of evolving techniques, cybercriminals break into a company’s network and then deploy ransomware to lock down every file, computer, and sensitive piece of data within reach. The files cannot be unlocked without a “decryption key,” which the cybercriminals will only offer for a price.
Any target process is stopped using the TerminateProcess method.
vssadmin delete shadows /all /quiet – delete all Volume Shadow Copies
wmic shadowcopy delete – delete all Volume Shadow Copies
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
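The recovery-inhibition commands quoted above are among the highest-value detections for this family because they run before encryption and are rarely legitimate on workstations. The following is an added example, not code from the original page or from any vendor it cites: a small rule set keyed to those exact commands, evaluated over constructed Sysmon-style process-creation records. The record fields, the sample command lines and the "two or more distinct rules per host" paging threshold are assumptions for the example.

```python
"""Flag shadow-copy and recovery-tampering commands (added example, not page code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # searched case-insensitively against the full command line


# Patterns derived from the commands listed in the profile; all map to
# ATT&CK T1490 (Inhibit System Recovery). Benign uses such as
# "vssadmin list shadows" or "wbadmin get versions" do not match.
RULES = [
    Rule("vssadmin_delete_shadows",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("wmic_shadowcopy_delete",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("bcdedit_ignore_boot_failures",
         re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I)),
    Rule("bcdedit_disable_recovery",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("wbadmin_delete_catalog",
         re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Constructed sample telemetry (assumed layout: host, parent image, command line).
# WS01 shows the full chain the profile describes being run from cmd.exe;
# SRV02 shows benign administrative use of the same binaries.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "SRV02", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin list shadows"},
    {"host": "SRV02", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wbadmin get versions"},
]


def evaluate(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def matches_by_host(events) -> dict[str, list[str]]:
    """Collect the distinct rule names fired on each host."""
    hits: dict[str, set[str]] = defaultdict(set)
    for e in events:
        for name in evaluate(e["cmdline"]):
            hits[e["host"]].add(name)
    return {h: sorted(names) for h, names in hits.items()}


def hosts_to_page(events, min_rules: int = 2) -> list[str]:
    """Hosts where at least min_rules distinct tampering rules fired; a single
    vssadmin deletion can be backup maintenance, the full chain is not."""
    return sorted(h for h, names in matches_by_host(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    print(matches_by_host(SAMPLE_EVENTS))
    print("page:", hosts_to_page(SAMPLE_EVENTS))
```

The same patterns translate directly into a Sigma rule over `CommandLine`; the host-level aggregation is what keeps a one-off backup script from paging anyone while still catching the complete sequence.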
Other
1 technique
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
73 sources tracked across advisories, community write-ups, and news.
Phobos is identified in the content as a ransomware family linked to some users of the dismantled First VPN service.
Phobos is described as a ransomware-as-a-service outfit linked to ransomware investigations uncovered through the takedown of First VPN.
A ransomware family referenced via a cracked builder offered on RAMP, lowering the barrier to launching independent ransomware attacks.
Ransomware family whose operators reportedly use Process Hacker as a dual-use utility during attacks.