Phobos

Malware updated 15 days ago (2024-11-29T14:30:00.873Z)
Download STIX
Preview STIX
Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing campaigns and used various open-source tools such as Smokeloader, Cobalt Strike, and Bloodhound. Government experts have linked multiple Phobos ransomware variants to the intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). These variants include Backmydata, Devos, Eight, Elking, and Faust. In March 2024, US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory warning about the ongoing attacks involving Phobos ransomware. According to the Department of Justice (DoJ), the Phobos ransomware operation targeted over 1,000 public and private entities globally, extorting more than $16 million in ransom payments. The scheme had been running since November 2020, with the ransomware being deployed to extort victims. Evgenii Ptitsyn, a Russian national, was identified as a key player in the Phobos ransomware operations. He allegedly administered the sale, distribution, and operation of the Phobos ransomware. The Justice Department unsealed criminal charges against Ptitsyn, who made his initial appearance in the U.S. District Court for the District of Maryland on November 4th, after being extradited from South Korea. Ptitsyn is now facing cybercrime charges in the US for his alleged role in the international hacking scheme.
Description last updated: 2024-11-21T10:25:06.996Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Faust is a possible alias for Phobos. Faust is a variant of the Phobos ransomware family, which has been linked to several other variants such as Elking, Eight, Devos, and Backmydata due to similarities in their tactics, techniques, and procedures (TTPs). The malware, Faust, represents a malicious software designed to exploit and damage
6
Backmydata is a possible alias for Phobos. Backmydata is a variant of the Phobos ransomware family, a type of malware that has been used in sophisticated cyber attacks on healthcare systems. The landscape of these attacks is rapidly evolving with groups like RansomHouse, Rhysida, and Backmydata employing increasingly advanced tactics. In one
5
Devos is a possible alias for Phobos. Devos is a variant of the Phobos ransomware, a type of malicious software designed to exploit and damage computer systems. According to open-source reports, Devos is likely connected to numerous other variants such as Elking, Eight, Backmydata, and Faust due to similar Tactics, Techniques, and Proce
4
Elking is a possible alias for Phobos. Elking is a type of malware, specifically a variant of the Phobos ransomware. Phobos itself is an evolution of the Dharma/Crysis ransomware and is connected to several other variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. This connection is established based on the simila
3
8base is a possible alias for Phobos. 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
3
Eking is a possible alias for Phobos. Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Encrypt
RaaS
Cybercrime
Payload
Windows
Source
Encryption
Phishing
Credentials
Github
Fortiguard
Dropper
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Smokeloader Malware is associated with Phobos. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its functUnspecified
5
The Lockbit Malware is associated with Phobos. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
3
The WannaCry Malware is associated with Phobos. WannaCry is a notorious malware that gained global attention in 2017 when it was responsible for the biggest ransomware attack to date. The malware, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites. Once inside a system, WannaCry can Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Phobos. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient pUnspecified
2
Source Document References
Information about the Phobos Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Malwarebytes
12 days ago
DARKReading
23 days ago
Flashpoint
23 days ago
Securityaffairs
23 days ago
BankInfoSecurity
2 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
CERT-EU
9 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
InfoSecurity-magazine
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securelist
7 months ago
Securelist
7 months ago
Securityaffairs
7 months ago