Phobos Ransomware Group

Actor Type	Criminal Group

According to public reporting, Phobos ransomware has been observed since at least 2019, with researchers also linking the group to the Dharma ransomware. Reporting suggests that the group uses a Ransomware-as-a-Service (RAAS) model, with affiliates responsible for deploying the ransomware in victim environments.

Victims of Phobos have included local and regional government, public services, healthcare and critical infrastructure.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

Phobos Ransomware Group Threat Reports

Report

StopRansomware: Phobos Ransomware

This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1555	Credentials from Password Stores	Credential Access
T1562	Impair Defenses	Defense Evasion
T1027.002	Software Packing	Defense Evasion
T1001.003	Protocol Impersonation	Command and Control
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1204.002	Malicious File	Execution
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1219	Remote Access Software	Command and Control
T1567.002	Exfiltration to Cloud Storage	Exfiltration
T1110	Brute Force	Credential Access
T1560	Archive Collected Data	Collection
T1059.003	Windows Command Shell	Execution
T1082	System Information Discovery	Discovery
T1140	Deobfuscate/Decode Files or Information	Defense Evasion
T1055.004	Asynchronous Procedure Call	Defense Evasion, Privilege Escalation
T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation
T1588.002	Tool	Resource Development
T1133	External Remote Services	Initial Access, Persistence
T1657	Financial Theft	Impact
T1490	Inhibit System Recovery	Impact
T1105	Ingress Tool Transfer	Command and Control
T1486	Data Encrypted for Impact	Impact
T1057	Process Discovery	Discovery
T1027.009	Embedded Payloads	Defense Evasion
T1055.002	Portable Executable Injection	Defense Evasion, Privilege Escalation
T1106	Native API	Execution
T1555.003	Credentials from Web Browsers	Credential Access
T1595.001	Scanning IP Blocks	Reconnaissance
T1134.002	Create Process with Token	Defense Evasion, Privilege Escalation
T1218.005	Mshta	Defense Evasion
T1566.001	Spearphishing Attachment	Initial Access
T1003.005	Cached Domain Credentials	Credential Access
T1083	File and Directory Discovery	Discovery
T1047	Windows Management Instrumentation	Execution
T1134.001	Token Impersonation/Theft	Defense Evasion, Privilege Escalation
T1087.002	Domain Account	Discovery
T1555.005	Password Managers	Credential Access
T1003.001	LSASS Memory	Credential Access
T1593	Search Open Websites/Domains	Reconnaissance
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1598	Phishing for Information	Reconnaissance
T1585	Establish Accounts	Resource Development
T1071.002	File Transfer Protocols	Command and Control

Showing 1 to 43 of 43 entries

Phobos Ransomware Group

Cyber Threat Graph Context

Phobos Ransomware Group Threat Reports

StopRansomware: Phobos Ransomware

References

malpedia.caad.fkie.fraunhofer.de

www.cisa.gov

www.lemonde.fr

www.malwarebytes.com

blog.talosintelligence.com

blog.talosintelligence.com

MITRE ATT&CK Techniques