Background
Phobos is a ransomware family that has operated continuously since late 2018, primarily targeting small and medium-sized businesses (SMBs), municipal governments, and organizations with limited cybersecurity budgets. Unlike high-profile operations like LockBit or BlackCat that target large enterprises, Phobos occupies a lower-profile niche, focusing on smaller organizations where the cost of paying a ransom (typically $1,000 to $50,000) is often less than the cost of recovery.
Phobos is closely derived from the Crysis/Dharma ransomware family, sharing significant code overlap. The operation is structured as a relatively loose affiliate model, with multiple variants (Eking, Eight, Elbie, Devos, Faust, Backmydata) operated by different affiliate groups. The 8Base ransomware operation, which gained prominence in 2023, has been linked to Phobos through code analysis. In November 2024, Russian national Evgenii Ptitsyn was extradited to the U.S. and charged with administering the Phobos operation.
Despite its lower profile compared to headline-grabbing groups, Phobos has been remarkably persistent and damaging in aggregate. CISA noted that as of February 2024, Phobos had been deployed against a wide range of organizations including municipal and county governments, emergency services, education systems, public healthcare facilities, and critical infrastructure. Its focus on poorly defended targets makes it a significant threat to organizations with limited security resources.
Notable Campaigns
U.S. Municipal Government Attacks (2019-2024): Phobos operators have consistently targeted city and county government systems across the United States. These attacks typically exploit exposed RDP services and result in encryption of critical government systems including law enforcement databases, court management systems, and public service platforms. Ransom demands against municipalities typically range from $10,000 to $100,000.
Healthcare Sector Targeting (2020-2024): Multiple Phobos variants have been deployed against small healthcare providers, clinics, and hospital systems. The Romanian hospital attacks in early 2024 were linked to Phobos affiliates and affected over 20 hospitals across the country, forcing staff to revert to paper-based records. These attacks highlight the danger Phobos poses to organizations that cannot afford sophisticated cybersecurity defenses.
8Base Campaign (2023-2024): The 8Base ransomware group, which uses a customized version of Phobos ransomware, conducted an aggressive campaign in 2023, rapidly climbing to become one of the most active ransomware groups globally. 8Base primarily targeted SMBs across multiple sectors and employed a sophisticated double extortion model with a professional-looking leak site.
Emergency Services Disruption (2021-2023): Phobos affiliates attacked multiple emergency service providers and 911 dispatch centers, disrupting critical public safety communications. These attacks against emergency services demonstrate the real-world impact that even "lower-tier" ransomware operations can have on public safety.
Legal and Accounting Firm Targeting (2020-2024): Phobos has been particularly prevalent among small legal practices and accounting firms, likely due to these organizations' valuable data combined with typically limited IT security. The sensitivity of client data in legal and financial contexts often incentivizes ransom payment.
Tactics, Techniques & Procedures
Phobos affiliates rely heavily on exposed Remote Desktop Protocol (RDP) services as their primary initial access vector. They use brute-force attacks against RDP endpoints, often leveraging purchased credential lists from dark web marketplaces. The reliance on RDP exploitation directly correlates with Phobos's targeting of SMBs, which frequently have poorly configured or internet-exposed RDP services without multi-factor authentication.
The SmokeLoader malware is commonly used as an initial access and delivery mechanism for Phobos. Once inside a network, affiliates typically escalate privileges, disable antivirus software and Windows Firewall using command-line tools, and delete Volume Shadow Copies to prevent recovery. Phobos modifies Windows registry keys and adds itself to startup folders for persistence. The group uses open-source and legitimate tools rather than sophisticated custom malware, keeping operational costs low.
Phobos ransomware executes a defined kill chain: it enumerates and terminates processes that could lock files (database services, email servers, backup software), deletes shadow copies using both vssadmin and WMIC commands, modifies boot configuration to disable recovery mode, and then encrypts files using AES-256 with an RSA-1024 wrapped key. The ransomware avoids encrypting critical system files to keep the system bootable for ransom note display.
Tools & Malware
- Phobos Ransomware: The core payload derived from Crysis/Dharma. Uses AES-256 encryption with RSA-1024 key wrapping. Encrypted files follow the pattern filename.id[victim-id].[email].[extension], where the extension varies by variant (e.g., .phobos, .eking, .eight, .elbie, .devos, .faust).
- SmokeLoader: A modular malware loader frequently used to deliver Phobos to victim systems. Provides download-and-execute capabilities with anti-analysis features.
- Cobalt Strike: Used by more sophisticated Phobos affiliates for post-exploitation command and control.
- Mimikatz: Credential harvesting from Windows memory for privilege escalation and lateral movement.
- NirSoft Utilities: Legitimate password recovery tools (WebBrowserPassView, Mail PassView, Network Password Recovery) repurposed for credential theft.
- Process Hacker: Open-source system monitoring tool used to identify and kill security processes.
- Bloodhound: Active Directory enumeration and attack path mapping tool used by more advanced affiliates.
- 1753 RDPWRAP: An open-source tool used to enable concurrent RDP sessions on Windows systems.
Indicators & Detection
Phobos-encrypted files follow a distinctive naming pattern: original_filename.id[victim-ID].[contact-email].[variant-extension]. Common variant extensions include .phobos, .eking, .eight, .elbie, .devos, .faust, and .backmydata. Ransom notes are typically named info.txt (brief text note) and info.hta (HTML application with detailed instructions). Both files are dropped in every encrypted directory.
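The naming pattern above is the quickest way to confirm a Phobos infection and to recover the victim ID and contact address from a directory listing during triage. The following Python helper is an added example written for this page (it is not code from the original profile or from any Phobos sample): it parses file names against the documented pattern, flags variant extensions not in the list above so analysts notice a new variant, and separates the info.txt / info.hta notes from encrypted files. The file names in SAMPLE_LISTING are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern from the page: original_filename.id[victim-ID].[contact-email].[variant-extension]
# The victim-ID group accepts hex and a dash-separated suffix so the common
# "XXXXXXXX-NNNN" form is matched; it is deliberately tolerant rather than strict.
PHOBOS_NAME_RE = re.compile(
    r"""^(?P<original>.+?)                   # original file name, with its own extension
        \.id\[(?P<victim_id>[A-Za-z0-9-]+)\]   # .id[victim-ID]
        \.\[(?P<email>[^\]]+@[^\]]+)\]          # .[contact-email]
        \.(?P<ext>[A-Za-z0-9]+)$                # .variant-extension
    """,
    re.VERBOSE,
)

# Variant extensions named on the page; anything else is reported as "unknown".
KNOWN_EXTENSIONS = {"phobos", "eking", "eight", "elbie", "devos", "faust", "backmydata"}
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}


@dataclass(frozen=True)
class PhobosFile:
    original: str
    victim_id: str
    email: str
    ext: str
    known_variant: bool


def parse_encrypted_name(name: str) -> Optional[PhobosFile]:
    """Return the parsed components if `name` matches the Phobos pattern, else None."""
    m = PHOBOS_NAME_RE.match(name)
    if not m:
        return None
    ext = m.group("ext").lower()
    return PhobosFile(m.group("original"), m.group("victim_id"), m.group("email"), ext, ext in KNOWN_EXTENSIONS)


def triage_listing(paths: Iterable[str]) -> dict:
    """Summarise a directory listing: encrypted files, ransom notes, IDs, emails, unknown extensions."""
    result = {"encrypted": [], "notes": [], "victim_ids": set(), "emails": set(), "unknown_ext": set()}
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]  # tolerate Windows and POSIX separators
        if base.lower() in RANSOM_NOTE_NAMES:            # exact name only; an encrypted info.txt is data
            result["notes"].append(path)
            continue
        pf = parse_encrypted_name(base)
        if pf is None:
            continue
        result["encrypted"].append(pf)
        result["victim_ids"].add(pf.victim_id)
        result["emails"].add(pf.email)
        if not pf.known_variant:
            result["unknown_ext"].add(pf.ext)
    return result


# Constructed sample listing (not from a real incident); example.test is a reserved domain.
SAMPLE_LISTING = [
    r"D:\Finance\budget_2024.xlsx.id[A1B2C3D4-2275].[recovery@example.test].eking",
    r"D:\Finance\report.docx.id[A1B2C3D4-2275].[recovery@example.test].eking",
    r"D:\Finance\info.txt",
    r"D:\Finance\info.hta",
    r"D:\Finance\notes.txt",
    r"D:\Photos\photo.jpg.id[DEADBEEF-1111].[help@example.test].newvar",
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, {len(summary['notes'])} ransom notes")
    print("victim IDs:", summary["victim_ids"], "contact emails:", summary["emails"])
    print("unrecognised variant extensions:", summary["unknown_ext"])
```

Two victim IDs in one listing usually means two affiliates or two intrusions, which matters for scoping; an unrecognised extension should be treated as a new variant rather than dismissed.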
The most critical preventive measure is securing RDP access. Disable direct internet-facing RDP, implement VPN-only access with multi-factor authentication, enforce account lockout policies, and monitor for brute-force login attempts. Many Phobos attacks could be prevented entirely by eliminating exposed RDP endpoints.
Monitor for the following behavioral indicators: execution of volume shadow copy deletion commands (vssadmin and wmic shadowcopy delete); use of bcdedit commands to disable Windows recovery options; modification of Windows Firewall rules via netsh; attempts to terminate security software processes; and creation of startup registry entries. Network monitoring should watch for SmokeLoader C2 traffic patterns and unusual outbound connections from systems that typically only perform inbound services. Given Phobos's SMB focus, even basic security controls like network segmentation, MFA, and regular offline backups dramatically reduce risk.
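To show how the behavioral indicators listed above, together with the RDP brute-force monitoring recommended in the preceding paragraph, translate into detection logic, here is an added Python example written for this page (not code from the original profile or from any vendor product). It evaluates simple event records of the kind an EDR or Sysmon pipeline would emit: process-creation command lines are matched against the shadow-copy, bcdedit, netsh and process-termination indicators; registry and file-creation events are checked for Run-key and Startup-folder persistence; and failed RemoteInteractive logons are counted per source address in a sliding window. The event schema, the SECURITY_PROCESSES names and every record in SAMPLE_EVENTS are constructed for the demonstration, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder image names: substitute the process names of your own EDR/AV agents.
SECURITY_PROCESSES = {"edr-agent.exe", "av-service.exe"}

# Command-line indicators from the page: shadow copy deletion, recovery tampering, firewall changes.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled|bootstatuspolicy)\b", re.I)),
    ("firewall_tamper", re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\b(?:state\s+off|add\s+rule|delete\s+rule)\b", re.I)),
]
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify_event(ev: dict) -> list:
    """Return the indicator names one event triggers (empty list for benign events)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("command_line", "")
        for name, rx in COMMAND_RULES:
            if rx.search(cmd) and name not in hits:
                hits.append(name)
        if re.search(r"\btaskkill(?:\.exe)?\b", cmd, re.I) and any(p in cmd.lower() for p in SECURITY_PROCESSES):
            hits.append("security_process_kill")
    elif kind == "registry_set" and RUN_KEY_RE.search(ev.get("target", "")):
        hits.append("run_key_persistence")
    elif kind == "file_create" and STARTUP_DIR_RE.search(ev.get("path", "")):
        hits.append("startup_folder_persistence")
    return hits


def detect_rdp_bruteforce(events, threshold: int = 20, window: timedelta = timedelta(minutes=5)) -> dict:
    """Map source IP -> peak count of failed RemoteInteractive (logon type 10) logons in any window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("type") == "logon_failed" and ev.get("logon_type") == 10:
            per_ip[ev["src_ip"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def run_detections(events) -> dict:
    findings = [(ev["host"], hit) for ev in events for hit in classify_event(ev)]
    return {"host_indicators": findings, "rdp_bruteforce": detect_rdp_bruteforce(events)}


# Constructed sample telemetry (not real logs): one file server showing the pre-encryption
# sequence, and a password-guessing burst from a TEST-NET address against an RDP host.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "fs01", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "host": "fs01", "command_line": "wmic shadowcopy delete"},
    {"type": "process_create", "host": "fs01", "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process_create", "host": "fs01", "command_line": "netsh advfirewall set allprofiles state off"},
    {"type": "process_create", "host": "fs01", "command_line": "taskkill /f /im edr-agent.exe"},
    {"type": "process_create", "host": "fs01", "command_line": "notepad.exe C:\\Users\\alice\\todo.txt"},
    {"type": "registry_set", "host": "fs01", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"type": "file_create", "host": "fs01",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe"},
] + [
    {"type": "logon_failed", "host": "rdp01", "logon_type": 10, "src_ip": "198.51.100.7",
     "time": f"2024-02-01T03:00:{i:02d}"} for i in range(25)
] + [
    {"type": "logon_failed", "host": "rdp01", "logon_type": 10, "src_ip": "203.0.113.5",
     "time": f"2024-02-01T03:10:{i:02d}"} for i in range(3)
]

if __name__ == "__main__":
    report = run_detections(SAMPLE_EVENTS)
    for host, hit in report["host_indicators"]:
        print(f"{host}: {hit}")
    print("RDP brute-force sources:", report["rdp_bruteforce"])
```

Several of these indicators firing on one host within a short window is the useful signal; shadow-copy deletion followed by recovery tampering is the point at which isolating the host still protects the rest of the share, so the correlation, not the individual rule, should drive the alert severity.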