{
	"id": "4ca07a6c-eb69-46d0-8c9f-ec008772a1c9",
	"created_at": "2026-04-06T00:07:07.605506Z",
	"updated_at": "2026-04-10T03:24:29.186069Z",
	"deleted_at": null,
	"sha1_hash": "d4a37a91d6c8a3765a333417dd8911ddd0087576",
	"title": "Phobos Ransomware, A Combo Of CrySiS \u0026 Dharma",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66637,
	"plain_text": "Phobos Ransomware, A Combo Of CrySiS \u0026 Dharma\r\nBy Bill Siegel\r\nPublished: 2019-01-18 · Archived: 2026-04-05 15:54:24 UTC\r\nUpdated 01/29/2019\r\nWe are researching the possibility that the primary distribution group behind Phobos may have been disrupted by the recent xDedic takedown. At approximately the same time that xDedic was taken down, all known email addresses associated with Phobos attacks were disabled and inbound emails bounced. We are unsure at this time whether the ransomware distributors themselves disabled their accounts or their email hosting provider disabled the accounts as part of the law enforcement action. We will further update this post as we learn more.\r\nOriginal Phobos post below:\r\nA new strain of ransomware has been impacting businesses globally since mid-December. The ransomware, dubbed Phobos by its distributors (possibly after the Greek god of fear), shares both technical and operational similarities with several recent Dharma variants. The attack vector leveraged by Phobos distributors is a well-worn one: open or weakly secured RDP ports. As usual, the attacks are exacerbated when companies either have no backups or have not properly segmented them from the production network with strong administrative controls.\r\nRebranded Dharma Ransom Note and Same Encrypted File Extension Format\r\nMost ransomware leaves behind an obvious ransom note so that the victim can find it and contact the hacker. Typically, these notes vary significantly depending on the ransomware strain. However, both Dharma and Phobos use the same ransom note. The only observable difference is that Phobos added a bit of branding to the top and bottom, as seen in the image below.\r\nOther than that, the text and composition are identical. The encrypted file name format is also the same as that of Dharma variants. It is constructed by concatenating the original file name, a unique victim ID, the hacker's email address and the .phobos file extension.\r\nEmails Offer Security Advice when Paying for Decryption Keys\r\nWhen a victim of ransomware contacts the email address in the ransom note to negotiate, the first response elicited is often a cut-and-paste standard reply. The first response from Phobos is a verbatim match to the first responses of several Dharma variants, including .bip, .gamma and .adobe. This group’s first responses are unique in that they offer a friendly ‘upsell’ in addition to extorting the victim for safe decryption of data.\r\n“we also offer service to you. full of advice for protecting against attacks? - the price of 0.1 BTC, and remember our work is very hard. and it requires a lot of time and costs.”\r\nThe phrase above appears at the end of the first response email and offers security advice for the low, low price of 0.1 BTC. It has been consistent across Dharma variants and Phobos. To our knowledge, no one has taken them up on this generous offer.\r\nTechnically, Phobos Ransomware is only Slightly Different from Dharma\r\nSuperficially, Phobos appears to be a largely cut-and-paste variant of Dharma. From a technical perspective, however, Phobos carries some subtle differences from active Dharma variants. Both types of ransomware trace their lineage to the CrySis ransomware family, and commonly used AV software will identify a Phobos executable sample as CrySis. A recent analysis by @Demonslay335 notes that the file marker structure of Phobos differs significantly from that of Dharma variants.\r\n
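To make the shared file-name format above actionable during incident triage, here is an added example that is not part of the original Coveware post. It parses encrypted file names into the four components the post describes (original name, victim ID, hacker email, extension) and summarises a directory listing by extension, contact address and victim ID. The exact delimiter layout (<name>.id[<id>].[<email>].<ext>) and the sample file names are assumptions made for this example; the Dharma extensions .bip, .gamma and .adobe are included because the post says those variants share the same naming scheme.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Extensions named on the page: Phobos plus the Dharma variants said to use
# the same naming scheme.  Extend the tuple for other variants.
ENCRYPTED_EXTENSIONS = ('phobos', 'bip', 'gamma', 'adobe')

# Assumed layout (the page only says name + ID + email + extension):
#   <original name>.id[<victim id>].[<hacker email>].<extension>
# Written without backslashes: [.] is a literal dot, [[] a literal open
# bracket, [^]] any character except a close bracket, and a bare ] outside
# a character class is literal in Python regexes.
_NAME_RE = re.compile(
    r'^(?P<original>.+?)'
    r'[.]id[[](?P<victim_id>[^]]+)]'
    r'[.][[](?P<email>[^]]+)]'
    r'[.](?P<ext>' + '|'.join(ENCRYPTED_EXTENSIONS) + r')$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class EncryptedName:
    original: str
    victim_id: str
    email: str
    extension: str


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    '''Return the parsed components, or None if the name does not match.'''
    m = _NAME_RE.match(name)
    if m is None:
        return None
    return EncryptedName(m['original'], m['victim_id'], m['email'], m['ext'].lower())


def triage(names: Iterable[str]) -> dict:
    '''Summarise a file listing: which extensions, contact addresses and
    victim IDs appear, plus the names that did not match the scheme.'''
    hits, unmatched = [], []
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            unmatched.append(name)
        else:
            hits.append(parsed)
    return {
        'hits': hits,
        'by_extension': Counter(h.extension for h in hits),
        'by_email': Counter(h.email for h in hits),
        'victim_ids': sorted({h.victim_id for h in hits}),
        'unmatched': unmatched,
    }


# Constructed sample listing (not real IOCs): three Phobos files under one
# victim ID, one Dharma .adobe file under another, and two files that are
# not encrypted (a dropped ransom note and an executable).
SAMPLE_LISTING = [
    'Q4-budget.xlsx.id[1A2B3C4D-2231].[attacker@example.com].phobos',
    'contract.pdf.id[1A2B3C4D-2231].[attacker@example.com].phobos',
    'family.photo.jpg.id[1A2B3C4D-2231].[attacker@example.com].phobos',
    'notes.txt.id[9F8E7D6C-1102].[decrypt@example.net].adobe',
    'info.hta',
    'setup.exe',
]

if __name__ == '__main__':
    summary = triage(SAMPLE_LISTING)
    for key in ('by_extension', 'by_email', 'victim_ids', 'unmatched'):
        print(key, summary[key])
```

Feed the script the output of a recursive directory listing from an affected share; the contact addresses it extracts are what a responder needs to check against the disabled-mailbox observation in the update at the top of this post, and the unmatched list is where dropped ransom notes and the encryptor binary itself tend to show up.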
What is clear is that while the ransomware itself differs, the group distributing Phobos, its intrusion methods, ransom notes and communications remain nearly identical to those of Dharma.\r\nSource: https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew"
	],
	"report_names": [
		"phobos-ransomware-distributed-dharma-crew"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4a37a91d6c8a3765a333417dd8911ddd0087576.pdf",
		"text": "https://archive.orkl.eu/d4a37a91d6c8a3765a333417dd8911ddd0087576.txt",
		"img": "https://archive.orkl.eu/d4a37a91d6c8a3765a333417dd8911ddd0087576.jpg"
	}
}