{
	"id": "e2f93f5e-5faa-4d33-95ab-86db5a8419a6",
	"created_at": "2026-04-06T00:06:38.517814Z",
	"updated_at": "2026-04-10T13:12:27.029105Z",
	"deleted_at": null,
	"sha1_hash": "77a07524e8468471c062b1f747cd21f1d6c7c648",
	"title": "Cyber threat advisory | Phobos ransomware launches new leak site and pivots towards double extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94872,
	"plain_text": "Cyber threat advisory | Phobos ransomware launches new leak site\r\nand pivots towards double extortion\r\nBy Melissa DeOrio, Frank de Korte, Charlie Walker-Arnott\r\nPublished: 2024-05-21 · Archived: 2026-04-05 13:00:17 UTC\r\nIn April 2024, S-RM’s Cyber Threat Intelligence team identified a Faust operator, an affiliate of the Phobos\r\nransomware-as-a-service group, utilising a new leak site, titled ‘Space Bears’, to extort a victim for a ransom\r\npayment. The emergence of the site follows other observations of Faust operators using the 8Base leak site as a\r\nplace to post victim data. The discovery of the new site showcases Phobos ransomware teams’ pivot toward data theft and double extortion to monetise their business.\r\nPhobos operations\r\nSince May 2018, the Phobos ransomware operation has amassed victims across the planet. It has historically\r\ntargeted small to medium-sized companies, often finding a foothold in an organisation through unprotected or\r\npoorly protected Remote Desktop Protocol systems. A variant of the once-prevalent Dharma locker, the Phobos locker\r\nis deployed under a Ransomware-as-a-Service (RaaS) operation, with versions of the malware being licensed out\r\nto separate teams, which extort victims and give the RaaS operators a cut of the profits. Some of the biggest names\r\namong these disparate teams, as identified by the extension on locked files, are the Faust, BlackRock and Devos\r\ngroups.\r\nIn recent years, Phobos attacks have been characterised by two quirks rarely seen among modern-day ransomware\r\ngroups.\r\n1. Per-system extortion approach: a new victim finds their files locked, with an email address and a unique-per-system ID appended to the filename. The ransom demand then depends on the total number of unique\r\nIDs provided. If a victim only needs to unlock one system, they receive a lower ransom demand, typically\r\nbetween USD 10,000 and USD 20,000. 
But unlocking more systems means paying more money.\r\n2. Historic disavowal of “double extortion”: despite the tactic (threatening to publish stolen data as a\r\nsecond method of putting pressure on a victim) being de rigueur for years among big ransomware groups,\r\nPhobos has historically avoided the approach. In June 2023, an S-RM client even received the following\r\nassurance from the Faust team: “Your data is safe. We have not, and never do take data. You need not\r\nworry”. Phobos victims could at least find some comfort knowing that, whatever other havoc the group had\r\nwreaked on their systems, they need not worry about data publication.\r\nDespite these historical differentiators, since late 2023 Phobos operators have changed their habits and launched\r\nthemselves into data extortion.\r\nNew leak site in Cy-Bear Space\r\nhttps://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion\r\nPage 1 of 3\n\nS-RM has recently seen data obtained by the Faust team appear on the leak site of 8Base, a ransomware group\r\nwhose activity began ramping up in mid-2023. Intelligence gathered surrounding the 8Base operations reveals that\r\ntheir site appears to be a ‘leak site for hire’, alongside their own ransomware deployments, where other groups can\r\n‘partner’ up with the organisation to host their stolen data for double extortion purposes. Other Incident Response\r\nparties have identified that data exfiltrated from a Phobos attack, locking files with the “.8base” extension, has\r\nlater ended up on 8Base’s site.\r\nFollowing this, in February 2024 the US Cybersecurity and Infrastructure Security Agency (CISA) published a\r\nJoint Cybersecurity Advisory piece [1] on Phobos’ current operations, which signalled a move into double extortion\r\nfor the first time. 
This advisory reported that various contributors had seen Phobos exfiltrating data, using tools\r\nsuch as MegaSync to upload data to an external cloud service.\r\nSpace Bears\r\nBeginning in April 2024, S-RM has encountered the Faust operator sharing stolen data on a new leak site. This\r\nleak site is hosted on an Onion URL and uses the title ‘Space Bears’ (see Figure 1). While intelligence gathered\r\nsuggests that other Phobos teams use this leak site to host the stolen data, it remains to be seen whether this is now\r\nthe exclusive data leak site for the Phobos teams’ operation. But what is clear is that the Phobos operation, and the\r\nFaust team especially, have moved firmly into the realm of double extortion.\r\nFigure 1: Space Bears leak site logo.\r\nAt the time of writing, the leak site mentions 8 victims, with some posts already hosting stolen data.\r\nSo what?\r\nThe Phobos operation moving into double extortion is a continuation of a trend: the encryption-only business\r\nmodel is over. Increasingly, ransomware groups have been more focused on data exfiltration than actual\r\nencryption as the primary method of extortion, due to the high viability of payouts for stolen data. Organisations\r\nhave become better at managing their backups, allowing them to recover in full after a devastating ransomware\r\nattack. It is likely that Phobos saw their success rates fall over the last few years and made a choice to pivot into data\r\nexfiltration to continue earning money from their attacks.\r\nThis does mean that in cases where Phobos uses data exfiltration, victims may need to consider the implications of\r\nhaving their data accessed or stolen. 
Combined with the rise of criminal groups like Karakurt and BianLian\r\nusing data theft alone as their primary extortion lever, organisations should take extra care to manage their\r\nsensitive data as well as their perimeter, both to avert getting ransomed in the first place and to avoid having to pay\r\na ransom.\r\nProtection\r\nThe heightened focus on data theft across the ransomware ecosystem requires organisations to prioritise securing\r\nsensitive data to limit business impacts following an incident involving data loss. Organisations can implement\r\nseveral measures to protect themselves against the impact of data theft. We recommend the following be\r\nimplemented:\r\nEncrypt sensitive data in transit and at rest to prevent unauthorised access, in the event that sensitive data is\r\nintercepted by a third party.\r\nImplement strong Data Governance policies. Often organisations are not aware of the amount of data still\r\navailable within their estate, especially years-old (ex-)employee records and sensitive personally identifiable\r\ninformation. Periodically deleting stale data according to a sensible data retention policy reduces the\r\nprivacy impact that can occur from data theft.\r\nRegularly scan and monitor public-facing interfaces. Often Remote Desktop Protocol ports are opened by\r\naccident or through misconfiguration, with far-reaching consequences. Quickly identifying these gaps\r\nwill allow organisations to respond in time to this threat.\r\nImplement an Endpoint Detection and Response (EDR) solution across the estate. 
An EDR will help\r\norganisations with timely detection of malicious activity on systems, allowing for rapid response to prevent\r\nlarger impact.\r\nPlease do not hesitate to contact S-RM if you have any questions on this development.\r\nSource: https://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion"
	],
	"report_names": [
		"cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77a07524e8468471c062b1f747cd21f1d6c7c648.pdf",
		"text": "https://archive.orkl.eu/77a07524e8468471c062b1f747cd21f1d6c7c648.txt",
		"img": "https://archive.orkl.eu/77a07524e8468471c062b1f747cd21f1d6c7c648.jpg"
	}
}