Menu
Browse

Cyber Threat Actor: PHOBOS

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
3 incidents
Profile

Phobos, also tracked as PHOBOS, is a ransomware‑focused threat actor that has been publicly linked to operations originating from Russia. The group employs the Phobos ransomware family, including variants such as Faust, to encrypt victim systems and demand payment in bitcoin for decryption keys. Observed targeting spans municipal administrations, private sector corporations that provide tax and financial management software, and healthcare institutions, indicating a pattern of exploiting entities that manage critical public or financial data. The actor’s stated objective in each reported incident is financial gain through ransom extortion, with no public indication of espionage or ideological motives.

Initial access to victim networks has been consistently associated with exposed Remote Desktop Protocol services, as highlighted in the infection of the Clinical Hospital in Bucharest where RDP connections were exploited to deploy the ransomware. The malware itself is described as having a medium level of complexity and is capable of encrypting files across compromised servers while leaving some operational functions available through offline workarounds. Beyond the use of ransomware payloads, the actor’s tooling includes the demand for cryptocurrency payments and the reliance on victims’ backup restoration efforts, as seen in the manual recovery processes undertaken by the municipal IT team in Itu. No additional tools, frameworks, or post‑exploitation utilities have been detailed in the available sources.

Reported operations illustrate the actor’s reach and methodology: in August 2024, Phobos struck the municipal systems of Itu near São Paulo, deploying the Faust variant to disrupt citizen‑facing services while the main website remained online, prompting a recovery effort involving local officials and infrastructure vendors. In December 2022, the Italian firm Advanced Systems disclosed a Phobos ransomware incident that affected corporate servers supporting public sector tax collection, leading to an internal task force assisted by the cyber incident management company SWASCAN and formal notifications to data protection authorities. Earlier, in July 2024, the Clinical Hospital No. 1 CF Witting in Bucharest experienced a Phobos infection that encrypted hospital servers, with attackers demanding an unpaid ransom and the institution maintaining operations through offline registers, a scenario reminiscent of earlier 2019 attacks on other Romanian hospitals linked to insufficient antivirus defenses. These examples confirm the actor’s reliance on ransomware for financial profit and its repeated exploitation of remote access weaknesses across diverse sectors.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
2 sources