Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
81
Global rank
99 infographic chevron month
Month rank
105 infographic chevron week
Week rank
0
IOCs

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Ransomware
Type
Unknown
Origin
1 October, 2017
First seen
7 October, 2025
Last seen

How to analyze Phobos with ANY.RUN

Type
Unknown
Origin
1 October, 2017
First seen
7 October, 2025
Last seen

IOCs

IP addresses
45.138.48.20
179.43.172.241
94.232.249.179
45.9.74.14
147.78.47.224
Hashes
9be4d7cb4fbe18c8b332701f4a9b80447b3da8e940b33dae3504d36c077a9e2c
fc6865253d4c6bc89ce344a15778ad374c4bcb128fad7cd7cdcb2a3da178fb4e
bb30723b7a2365576b1b5e64245068dbdddc429a70d92e39ff7379120eabafe6
65ff823ff69cbf194fc07966a2ffbc5b3166b7f5c7b8e43c4ec994338fed8cd1
9159208a7e61698ef8b5982e6fe349ef1eb41bc13250f37a80a17dba62d6050a
26135bebc99c60d3df8c2b80c4951a12dc7f23158901437ba0387d8a89eaebbf
61c37de4578d08f21a33252ee643c7bb9f542e2a3b5aa10f031b842abfb3ae46
e443920a2306dd8b0182dedadc7c1254bd9c43e576c4876a1970886d06b1cccf
86fea265fb462bc4b52fe6899c934e3e034a021d8899112990b1f60baf6e383c
6040690d4a93599a2d6408673973ae0e13b06fc8235902de2bbe543f7a1654f6
fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638
295136aa516c380bcc28566f528e54d8ffd7ea7e3d5f9b2590221558523a6cce
58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
3380a59f6277030af31ecab0023af30a4f63e5b4407f1aba4a262c34fce397c9
0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81
0eda9b8fc30253665fd74ad07ef646814c9d770e83f196f7df83724f818f947a
f9de0d6af30204954b78f10500990e1b9c149a1d4376b082052af542168c587e
2dcaca208625860f4eb114af4c4158368284eb99c994793d5ac66d3af654bf5f
7c82532b643fa4b8011617f6dd56434e5e925dd458bd39315f6f737d10394936
26d1c1e380e3ebf093ec1fb111b0b9f0a8499e84f7fad0c2d1a3f7be957b38b3
Domains
wlaexfpxrs.org
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 156
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 512
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3642
comments 0

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 in Dharma, also known as the CrySIS, family. A year later Phobos developed and spread rapidly. In 2019, it accounted for 8.9% of the submitted ransomware attacks. The First-quarter of 2020 showed that the Phobos strain was noted as one of the most common ransomware with 9.70% of submissions. It constantly gets updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are open or have weak security. Then cyber criminals send ransom notes, where the victim is asked to contact one of the emails to get the decryption key.

Phobos attackers exactly like Dharma ones can discuss ransom amounts depending on the company. The Ransom amount can reach 20,000 USD in Bitcoin. It is lower than usual ransomware demands because Phobos chooses small companies as victims. And sometimes cybercriminals don’t give up the decryption key even after the payment.

The malicious program uses encrypt data using AES and adds extensions to infected files such as .phobos, .phoenix, .actin, .help, .mamba and others. These files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

phobos ransomware process graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

phobos ransom note

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of the Phobos ransomware is relatively typical for this type of malware such as Troldesh. The executable file makes its way into an infected system and runs, then the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. Interestingly though, as soon as it encrypts all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers to steal victims’ information and encrypt the data by running Trojan or other malware. And a variety of the infected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located both in internal and external folders. Phobos gets rid of files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware, moreover, it has some similarities to Dharma. There is no need for criminals who use Phobos to be qualified specialists. Nevertheless, this ransomware always evolves, and its attacks are effective. It has a lot of ways to get into your device to get a ransom. That is why Phobos can be a serious threat to organizations.

HAVE A LOOK AT

ACR Stealer screenshot
ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More