Phobos

Malware updated 22 days ago (2024-10-01T19:01:20.146Z)
Phobos is ransomware: malware that infects a system, often without the user's knowledge, via malicious downloads, emails, or websites, then encrypts data and holds it for ransom. Phobos has been on the radar of US cyber and law enforcement agencies, which have issued multiple warnings about its attacks.

The set of threat actors using Phobos has shifted over time. Many former affiliates of LockBit, another ransomware group, have either begun operating on their own using freely available ransomware source code such as Phobos, or have aligned with other groups including Akira, BlackSuit, RansomHub, and Medusa. Each such move carries the affiliate's own playbooks and toolkits into the new operation, which complicates attribution and defense.

8Base, a known ransomware operator, has been identified using a new variant of the Phobos ransomware. In March 2024, US government agencies warned of several ransomware variants connected to Phobos, including Backmydata, Devos, Eight, Elking, and Faust. An analysis of code changes across Phobos binaries over time found that 8Base, whose operating characteristics resemble earlier Phobos campaigns, was using a Phobos variant; comparing an 8Base sample with earlier Phobos variants showed no differences at the binary level, which suggests the group is running its operations on the existing Phobos code rather than on a rewrite.
Description last updated: 2024-10-01T18:15:57.336Z
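The "no differences at the binary level" finding above rests on a byte-for-byte comparison of samples. The following Python script is added here as an illustration; it is not taken from the page's sources or from any published Phobos analysis, and the sample bytes it compares are constructed stand-in blobs, not real malware. It hashes both inputs, lists the byte ranges that differ, optionally merges nearby ranges into one region, and reports which printable strings changed, so a re-branded configuration (new extension, new contact address) sitting on top of unchanged code shows up as one small localized diff rather than as a new binary. All offsets, config fields, and sample layouts are invented for the example.

```python
"""Byte-level comparison of two ransomware samples (constructed stand-ins)."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class BinaryDiff:
    identical: bool
    sha256_a: str
    sha256_b: str
    size_a: int
    size_b: int
    differing_ranges: list   # (offset, length) tuples, merged per merge_gap
    differing_bytes: int     # raw count of differing bytes (before merging)
    similarity: float        # 1.0 means byte-identical


def diff_binaries(a: bytes, b: bytes, merge_gap: int = 0) -> BinaryDiff:
    """Report where two byte strings differ.

    Ranges separated by at most merge_gap unchanged bytes are merged into one
    region, which groups scattered edits inside a single config blob.  A length
    mismatch is reported as one trailing range covering the extra bytes.
    """
    common = min(len(a), len(b))
    ranges = []
    start = None
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, common - start))
    if len(a) != len(b):
        ranges.append((common, max(len(a), len(b)) - common))
    differing = sum(n for _, n in ranges)

    merged = []
    for off, n in ranges:
        if merged and off - (merged[-1][0] + merged[-1][1]) <= merge_gap:
            poff, _ = merged[-1]
            merged[-1] = (poff, off + n - poff)
        else:
            merged.append((off, n))

    longest = max(len(a), len(b))
    return BinaryDiff(
        identical=(a == b),
        sha256_a=hashlib.sha256(a).hexdigest(),
        sha256_b=hashlib.sha256(b).hexdigest(),
        size_a=len(a),
        size_b=len(b),
        differing_ranges=merged,
        differing_bytes=differing,
        similarity=1.0 if longest == 0 else 1.0 - differing / longest,
    )


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def changed_strings(a: bytes, b: bytes):
    """(added, removed): strings only in b, and strings only in a."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    return sorted(sb - sa), sorted(sa - sb)


# --- Constructed stand-in samples (NOT real Phobos binaries) -----------------
# Layout mimics what analysts compare: a fixed header, a code body that does
# not change between variants, and an embedded config blob that does
# (file extension, note name, contact address).  All values are invented.
HEADER = b"MZ" + bytes(62)                  # 64-byte placeholder header
CODE_BODY = bytes(range(256)) * 4           # 1024 bytes standing in for code
CONFIG_A = b"ext=.eight;note=readme.txt;contact=example-a@example.invalid\x00"
CONFIG_C = b"ext=.faust;note=readme.txt;contact=example-c@example.invalid\x00"

SAMPLE_A = HEADER + CODE_BODY + CONFIG_A    # "earlier variant"
SAMPLE_B = bytes(SAMPLE_A)                  # rebuilt copy: byte-identical
SAMPLE_C = HEADER + CODE_BODY + CONFIG_C    # same code, re-branded config
CONFIG_OFFSET = len(HEADER) + len(CODE_BODY)  # 1088 in this layout


def summarize(a: bytes, b: bytes, merge_gap: int = 64) -> str:
    """One-line verdict an analyst could paste into a report."""
    d = diff_binaries(a, b, merge_gap)
    if d.identical:
        return f"identical (sha256 {d.sha256_a[:16]}...)"
    added, removed = changed_strings(a, b)
    regions = ", ".join(f"0x{o:x}+{n}" for o, n in d.differing_ranges)
    return (f"{d.differing_bytes} byte(s) differ in {len(d.differing_ranges)} "
            f"region(s) [{regions}], similarity {d.similarity:.4f}; "
            f"strings removed={removed} added={added}")


if __name__ == "__main__":
    print("A vs B:", summarize(SAMPLE_A, SAMPLE_B))
    print("A vs C:", summarize(SAMPLE_A, SAMPLE_C))
```

On the constructed inputs, A vs B reports identical, and A vs C reports five differing bytes confined to the config region starting at offset 0x440, with the old and new config strings listed. The design point is the merge_gap: with a gap of zero the two config edits appear as two separate ranges; with a gap of 64 they collapse into one region, which is the signal that a "new variant" is a re-branded config over the same code.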
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias (votes): Description

Faust (6 votes): Faust is a possible alias for Phobos. Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from For

Backmydata (5 votes): Backmydata is a possible alias for Phobos. Backmydata is a variant of the Phobos ransomware family. It has been used in sophisticated cyber-attacks on healthcare entities, notably hospitals. The landscape of such attacks is evolving, with groups like RansomHouse,

Devos (4 votes): Devos is a possible alias for Phobos. Devos is a variant of Phobos ransomware, malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op

Elking (3 votes): Elking is a possible alias for Phobos. Elking is a variant of the Phobos ransomware. It typically infiltrates systems via malicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio

8base (3 votes): 8base is a possible alias for Phobos. 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o

Eking (2 votes): Eking is a possible alias for Phobos. Eking is a variant of the Phobos ransomware family. Eking can infect systems through malicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
RaaS
Payload
Windows
Ransom
Encryption
Phishing
Encrypt
Fortiguard
Dropper
Source
Github
Cybercrime
Associated Malware
Alias (association type, votes): Description

Smokeloader (Unspecified, 5 votes): The Smokeloader Malware is associated with Phobos. SmokeLoader is malware used by threat actors to infect systems and exfiltrate data. It is used alongside other tooling such as Cobalt Strike and Bloodhound, but most notably with Phobos ransomware. Threat actors often use SmokeLoader as a hidden payload in sp

Lockbit (Unspecified, 3 votes): The Lockbit Malware is associated with Phobos. LockBit is ransomware that infiltrates systems to exploit and damage them. It typically enters through malicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for

WannaCry (Unspecified, 2 votes): The WannaCry Malware is associated with Phobos. WannaCry is ransomware that had one of the most significant impacts in recent cyber history. It first appeared in May 2017 and was the largest ransomware attack at the time. It exploited vulnerabilities in Windows systems (CVE-2017-0144,
Associated Threat Actors
Alias (association type, votes): Description

Alphv (Unspecified, 2 votes): The Alphv Threat Actor is associated with Phobos. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la
Source Document References
Information about the Phobos Malware was read from the documents corpus below (display limited to 20 results).

Source | Created
BankInfoSecurity | 22 days ago
Securityaffairs | 2 months ago
Securityaffairs | 3 months ago
CERT-EU | 8 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
InfoSecurity-magazine | 3 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 5 months ago
Securelist | 5 months ago
Securelist | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
BankInfoSecurity | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 7 months ago