Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
82
Global rank
115 infographic chevron month
Month rank
107 infographic chevron week
Week rank
0
IOCs

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Ransomware
Type
Unknown
Origin
1 October, 2017
First seen
28 October, 2025
Last seen

How to analyze Phobos with ANY.RUN

Type
Unknown
Origin
1 October, 2017
First seen
28 October, 2025
Last seen

IOCs

IP addresses
45.138.48.20
179.43.172.241
94.232.249.179
45.9.74.14
147.78.47.224
Hashes
9be4d7cb4fbe18c8b332701f4a9b80447b3da8e940b33dae3504d36c077a9e2c
fc6865253d4c6bc89ce344a15778ad374c4bcb128fad7cd7cdcb2a3da178fb4e
bb30723b7a2365576b1b5e64245068dbdddc429a70d92e39ff7379120eabafe6
65ff823ff69cbf194fc07966a2ffbc5b3166b7f5c7b8e43c4ec994338fed8cd1
9159208a7e61698ef8b5982e6fe349ef1eb41bc13250f37a80a17dba62d6050a
26135bebc99c60d3df8c2b80c4951a12dc7f23158901437ba0387d8a89eaebbf
61c37de4578d08f21a33252ee643c7bb9f542e2a3b5aa10f031b842abfb3ae46
e443920a2306dd8b0182dedadc7c1254bd9c43e576c4876a1970886d06b1cccf
86fea265fb462bc4b52fe6899c934e3e034a021d8899112990b1f60baf6e383c
6040690d4a93599a2d6408673973ae0e13b06fc8235902de2bbe543f7a1654f6
fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638
295136aa516c380bcc28566f528e54d8ffd7ea7e3d5f9b2590221558523a6cce
58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
3380a59f6277030af31ecab0023af30a4f63e5b4407f1aba4a262c34fce397c9
0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81
0eda9b8fc30253665fd74ad07ef646814c9d770e83f196f7df83724f818f947a
f9de0d6af30204954b78f10500990e1b9c149a1d4376b082052af542168c587e
2dcaca208625860f4eb114af4c4158368284eb99c994793d5ac66d3af654bf5f
7c82532b643fa4b8011617f6dd56434e5e925dd458bd39315f6f737d10394936
26d1c1e380e3ebf093ec1fb111b0b9f0a8499e84f7fad0c2d1a3f7be957b38b3
Domains
wlaexfpxrs.org
Last Seen at

Recent blog posts

post image
5 SOC Challenges and How Threat Intelligence...
watchers 247
comments 0
post image
ANY.RUN Recognized as Threat Intelligence Com...
watchers 555
comments 0
post image
ANY.RUN & ThreatQ: Boost Detection Rate,...
watchers 509
comments 0

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 in Dharma, also known as the CrySIS, family. A year later Phobos developed and spread rapidly. In 2019, it accounted for 8.9% of the submitted ransomware attacks. The First-quarter of 2020 showed that the Phobos strain was noted as one of the most common ransomware with 9.70% of submissions. It constantly gets updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are open or have weak security. Then cyber criminals send ransom notes, where the victim is asked to contact one of the emails to get the decryption key.

Phobos attackers exactly like Dharma ones can discuss ransom amounts depending on the company. The Ransom amount can reach 20,000 USD in Bitcoin. It is lower than usual ransomware demands because Phobos chooses small companies as victims. And sometimes cybercriminals don’t give up the decryption key even after the payment.

The malicious program uses encrypt data using AES and adds extensions to infected files such as .phobos, .phoenix, .actin, .help, .mamba and others. These files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

phobos ransomware process graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

phobos ransom note

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of the Phobos ransomware is relatively typical for this type of malware such as Troldesh. The executable file makes its way into an infected system and runs, then the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. Interestingly though, as soon as it encrypts all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers to steal victims’ information and encrypt the data by running Trojan or other malware. And a variety of the infected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located both in internal and external folders. Phobos gets rid of files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware, moreover, it has some similarities to Dharma. There is no need for criminals who use Phobos to be qualified specialists. Nevertheless, this ransomware always evolves, and its attacks are effective. It has a lot of ways to get into your device to get a ransom. That is why Phobos can be a serious threat to organizations.

HAVE A LOOK AT

Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
BlackMatter screenshot
BlackMatter
blackmatter
BlackMatter is a ransomware strain operating as a Ransomware-as-a-Service (RaaS), designed to encrypt files, remove recovery options, and extort victims across critical industries. Emerging in 2021, it quickly became a major concern due to its ability to evade defenses, spread across networks, and cause large-scale operational disruption, forcing security teams to act against a highly destructive and persistent threat.
Read More
RedLine screenshot
RedLine
redline stealer redline stealer malware
RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More