Phobos

Phobos is a ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018. The content describes it as a dispersed affiliate ecosystem with multiple variants, including Eking, Eight, Elbie, Devos, and Faust, and notes additional related branding or family members such as BackMyData and 8Base. Phobos affiliates have victimized more than 1,000 public and private entities worldwide and extorted more than $39 million; a separate DOJ reference attributes at least $16 million to a four-year campaign tied to operation and distribution of the malware. Reported targets include county governments, emergency services, education, public healthcare, and other critical infrastructure, with observed activity also affecting hospitals in Romania via the BackMyData variant.

The malware is associated with numerous affiliates and clusters rather than a single actor. The content links Makop’s early operations to a Phobos variant, states that 8Base uses customized Phobos payloads, and notes that Space Bears activity has been linked by several teams to the Phobos RaaS program. Law-enforcement reporting also ties some First VPN users and investigations to Phobos cases. The ecosystem has been active on cybercrime forums, including listings for cracked PHOBOS builders and leaked/cracked ransomware tooling, which lowers the barrier to entry for affiliates.

Operationally, Phobos incidents are described as human-operated intrusions that can involve extensive pre-encryption activity; Huntress observed Phobos actors averaging more than 30 actions before ransomware deployment and longer time-to-ransom than faster families such as Play or Akira. Seqrite reports Phobos operators commonly abuse legitimate administrative tools, especially Process Hacker, as part of defense evasion and antivirus/EDR neutralization. Related reporting also links HRSword to a Phobos incident and highlights broader use of low-level tools such as YDArk, PowerRun, Mimikatz, and other signed or legitimate utilities across ransomware campaigns that include Phobos.

A detailed technical description is provided for BackMyData, explicitly identified as a Phobos-family variant. BackMyData stores encrypted configuration protected by a hard-coded AES key, contains an RSA public key to wrap per-file AES-256 keys, avoids systems with Cyrillic locale indicators, impersonates explorer.exe to duplicate a token and respawn in that security context, deletes Volume Shadow Copies, disables automatic repair and the Windows firewall, and establishes persistence via Run registry keys and the Startup folder. It enumerates logical drives and network resources, probes port 445 to reach shares, enables SeDebugPrivilege, kills processes such as sqlservr.exe, oracle.exe, mysqld.exe, outlook.exe, winword.exe, excel.exe, thunderbird.exe, and steam.exe, and uses worker threads for traversal and encryption. It partially encrypts files larger than 1.5 MB, fully encrypts smaller files, appends the .backmydata extension plus victim-specific data, and drops ransom notes named info.txt and info.hta. The analyzed BackMyData sample SHA-256 is 396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6, and encrypted files contain a 6-byte marker DD F9 CC F5 B3 44.

Observed indicators and traits tied to the broader Phobos ecosystem in the content include use of the .8base extension by 8Base-customized Phobos samples, the .backmydata extension by BackMyData, ransom notes info.txt and info.hta for BackMyData, and infrastructure overlap reported around 8Base with SmokeLoader and SystemBC, including the domain admlogs25[.]xyz. The content also notes that Japanese authorities released free decryptors for Phobos and 8Base. Overall, the provided material characterizes Phobos as a long-running, affiliate-driven ransomware ecosystem targeting a wide range of sectors, especially critical infrastructure and mid-market to larger enterprises, with variants and affiliates that share similar TTPs and frequently rely on legitimate administrative tooling for intrusion support and defense evasion.