Phobos

Malware updated 25 days ago (2024-08-14T09:32:41.923Z)
Phobos is ransomware: malware that infiltrates computer systems to disrupt operations, steal personal information, or hold data hostage for ransom. It can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside a system it can cause significant damage and disruption. In recent years, US cyber and law enforcement agencies have issued multiple warnings about Phobos ransomware attacks; these alerts, along with reports from various security resources, have highlighted the persistent threat posed by this malware. A notable development occurred when 8Base ransomware operators began using a new variant of Phobos, further increasing the risk and potential impact of these attacks. The situation escalated in March 2024 when US government agencies warned of ransomware attacks connected to Phobos, including Backmydata, Devos, Eight, Elking, and Faust. This was followed by an analysis of Phobos binaries over time, which revealed that, despite the involvement of the 8Base group (known to operate with characteristics similar to previous Phobos campaigns), there were no discernible differences at the binary code level between the old and new variants. This finding underscores the ongoing threat posed by Phobos and the need for continued vigilance and robust cybersecurity measures.
Description last updated: 2024-08-14T08:48:49.251Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Faust | 6 | Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from For
Backmydata | 5 | Backmydata is a variant of the Phobos ransomware family, a malicious software (malware) designed to exploit and damage computer systems. It has been used in sophisticated cyber-attacks on healthcare entities, notably hospitals. The landscape of such attacks is evolving, with groups like RansomHouse,
Devos | 4 | Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op
Elking | 3 | Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio
8base | 3 | 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Eking | 2 | Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Payload
RaaS
Ransom
Encryption
Phishing
Encrypt
Fortiguard
Dropper
Github
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
Smokeloader | Unspecified | 5 | Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
WannaCry | Unspecified | 2 | WannaCry is a type of malware, specifically ransomware, that gained notoriety in 2017 as one of the largest and most damaging cyber-attacks to date. The malicious software exploits vulnerabilities in computer systems to encrypt data, effectively holding it hostage until a ransom is paid. It primaril
Lockbit | Unspecified | 2 | LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 2 | Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Source Document References
Information about the Phobos malware was read from the documents in the corpus below. This display is limited to 20 results.
Source Link | Created At | Title
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
CERT-EU | 6 months ago | Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 2
InfoSecurity-magazine | 2 months ago | Ransomware Surges Annually Despite Law Enforcement Takedowns
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 2 months ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securelist | 4 months ago | 2023 Kaspersky Incident Response report
Securelist | 4 months ago | Kaspersky Anti-Ransomware Day report 2024
Securityaffairs | 4 months ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity | 5 months ago | Ransomware Victims Who Pay a Ransom Drops to Record Low
Securityaffairs | 5 months ago | Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 5 months ago | Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 465 by Pierluigi Paganini