Phobos
Phobos is a ransomware-as-a-service (RaaS) operation and ransomware brand active since at least 2019/2020. It is described as derived from the Crysis ransomware family and has been linked to more than 1,000 victims worldwide, including public and private entities such as hospitals, schools, government agencies, healthcare providers, nonprofits, and other critical infrastructure organizations. Reported extortion totals vary across sources, with figures of more than $16 million and more than $39 million in ransom payments cited.

Phobos operated through affiliates. U.S. authorities stated that administrator Evgenii Ptitsyn administered the sale, distribution, and operation of Phobos, and that affiliates paid fees for unique decryption keys after attacks. Reporting also states that Ptitsyn and conspirators used a RaaS model, controlled cryptocurrency wallets that received affiliate fees and sometimes ransom proceeds, and allegedly sold Phobos on darknet forums under the aliases "derxan" and "zimmermanx." Law-enforcement actions referenced in the reporting include Ptitsyn's arrest in South Korea and guilty plea in the United States, arrests of other alleged operators including Roman Berezhnoy and Egor Glebov, and Europol-coordinated Operation Aether targeting Phobos operators, affiliates, and infrastructure worldwide, including the arrest in Poland of a 47-year-old suspect.

Operationally, Phobos is noted as a persistent ransomware brand from 2020 through 2025. Huntress reported that Phobos actors carried out more than 30 actions on average before deploying ransomware and had a longer time-to-ransom than faster-moving groups such as Play and Akira. The same reporting states that most ransomware actors in that dataset exfiltrated data before encryption, consistent with double-extortion behavior. Seqrite reported that Process Hacker is commonly used by Phobos operators. Another report noted overlap where the LockBit run key "XO1XADpO01" and ransom note filename "Restore-My-Files.txt" were also seen in Phobos and a Phobos imposter ransomware.

Reporting also links Phobos to related or associated activity. 8Base is described as linked to Phobos, with some reporting stating that 8Base operators are former affiliates of Dharma and/or Phobos, and other reporting describing Operation Aether as targeting the 8Base group believed to be linked to Phobos. Space Bears is described as associated with the Phobos RaaS operation and linked to the Faust operator within the Phobos ecosystem. Known related names directly mentioned in the reporting include Dharma/Crysis, 8Base, and Space Bears.
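The run key and ransom note overlap above is a reminder that a single indicator hit does not attribute an intrusion to one family. The following is an added example (not code from Mallory or from any of the cited reports) of a small host-telemetry matcher that maps each indicator to every family it has been reported with and flags a host as ambiguous when its hits span more than one family. The indicator values "XO1XADpO01" and "Restore-My-Files.txt" come from the profile text; the registry-path check, the sample events, and the Process Hacker executable name (ProcessHacker.exe) are assumptions constructed for illustration.

```python
"""Match constructed host telemetry against shared ransomware indicators.

Added example for this profile, not vendor code. Indicator values come from
the profile text; event format, registry-path check and the Process Hacker
executable name are assumptions.
"""
import ntpath  # Windows path handling regardless of the host OS
from collections import defaultdict

# Indicator -> families it has been reported with. The two LockBit values
# were also observed in Phobos and a Phobos imposter, so a hit on either
# cannot be attributed to a single family on its own.
INDICATORS = {
    "run_key_value": {"XO1XADpO01": ("LockBit", "Phobos", "Phobos imposter")},
    "file_name": {"restore-my-files.txt": ("LockBit", "Phobos", "Phobos imposter")},
    # Process Hacker is reported as commonly used by Phobos operators; the
    # executable name is an assumption and the tool is also legitimate admin software.
    "process_name": {"processhacker.exe": ("Phobos",)},
}

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "XO1XADpO01"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\alice\Desktop\Restore-My-Files.txt"},
    {"host": "srv02", "type": "process",
     "image": r"C:\Tools\ProcessHacker.exe"},
    {"host": "srv02", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "value_name": "XO1XADpO01"},  # same name outside a Run key: not a hit
    {"host": "ws03", "type": "file",
     "path": r"C:\Users\bob\notes.txt"},
]


def match_event(event):
    """Return (indicator_kind, matched_value, families) or None for one event."""
    kind = event["type"]
    if kind == "registry":
        # Only value names under a Run key count as the persistence indicator.
        if not event["key"].lower().endswith(r"\currentversion\run"):
            return None
        name = event["value_name"]  # run key names are compared as reported
        fams = INDICATORS["run_key_value"].get(name)
        return ("run_key_value", name, fams) if fams else None
    if kind == "file":
        name = ntpath.basename(event["path"]).lower()
        fams = INDICATORS["file_name"].get(name)
        return ("file_name", name, fams) if fams else None
    if kind == "process":
        name = ntpath.basename(event["image"]).lower()
        fams = INDICATORS["process_name"].get(name)
        return ("process_name", name, fams) if fams else None
    return None


def scan(events):
    """Group matches by host and report candidate families per host."""
    hits = defaultdict(list)
    for ev in events:
        m = match_event(ev)
        if m:
            hits[ev["host"]].append(m)
    report = {}
    for host, matches in hits.items():
        families = set()
        for _, _, fams in matches:
            families.update(fams)
        report[host] = {
            "indicators": [(k, v) for k, v, _ in matches],
            "candidate_families": sorted(families),
            # More than one candidate family means the hits alone do not attribute.
            "attribution_ambiguous": len(families) > 1,
        }
    return report


if __name__ == "__main__":
    for host, entry in scan(SAMPLE_EVENTS).items():
        print(host, entry)
```

Run against the constructed events, ws01 matches both shared indicators and is reported with three candidate families, while srv02 matches only the Process Hacker image and is not ambiguous but rests on a dual-use tool; the registry event on srv02 is ignored because the value sits outside a Run key.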
Tradecraft
21 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced via a cracked builder offered on RAMP, lowering the barrier to launch independent ransomware attacks outside the normal affiliate model.
Ransomware operators noted for using Process Hacker as part of attacks, likely to interfere with defensive processes.
Ransomware operation administered through affiliates, extorting public and private entities globally.
Ransomware operation run via an affiliate model, coordinating sale/distribution of the Phobos ransomware and decryption keys; affiliates targeted 1,000+ organizations worldwide and collected $39M+ in ransoms, including dozens of attacks against U.S. healthcare, hospitals, education, and essential services.