
Phobos

Phobos is a ransomware-as-a-service group known for targeting small and medium enterprises; one of at least 25 gangs that used First VPN before the Operation Saffron takedown.

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

How far did Operation Saffron actually set back Phobos ransomware operations?

Timeline for Phobos

21 May

Used First VPN to anonymise ransomware gang operations before the takedown

Cybersecurity: Threats and Defences: Europol seizes First VPN in Saffron raid
Common Questions
What is Phobos ransomware and who does it target?
Phobos is a ransomware-as-a-service group active since 2019, derived from Dharma ransomware. It targets small and medium enterprises, local governments, healthcare clinics and schools using a high-volume, lower-ransom model. Compromised Remote Desktop Protocol (RDP) access is its primary initial access vector. CISA and the FBI issued a joint advisory on Phobos's healthcare targeting in February 2024.
Source: CISA/FBI/HHS joint advisory AA24-060A, February 2024
Was Phobos ransomware shut down in Operation Saffron?
Phobos was not shut down, but it was disrupted. Operation Saffron (Europol, 21 May 2026) seized 33 servers hosting First VPN, an anonymisation service Phobos used for operational security. Prior takedown patterns suggest affiliates typically migrate to alternative infrastructure within two to four weeks; no arrest of Phobos operators was announced.
Source: Europol Operation Saffron press release, RUSI analysis
How does Phobos ransomware encrypt files and demand ransom?
Phobos encrypts file contents with AES-256 and protects the AES decryption key with an RSA-1024 public key, so files cannot be recovered without the operators' private key. Encrypted files receive a distinctive extension that embeds a victim ID and a contact email address. Ransom demands are delivered via email and may be relatively low (hundreds to thousands of dollars) compared to enterprise-targeted groups. Phobos does not operate a public leak site.
Source: CISA/FBI/HHS advisory AA24-060A
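As an added illustration (not code from the advisory or this briefing), a small incident-scoping helper that parses the extension layout described above; the exact bracketed `id[...]`/`[email]` form and all sample paths are assumptions constructed for the example. Run over a file listing, it groups encrypted files by victim ID and contact address so responders can size the incident and confirm whether one or several affiliates touched the estate.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed layout (constructed for this example, based on the page's description of a
# victim ID plus an email contact embedded in the extension):
#   <name>.<orig_ext>.id[<victim-id>].[<email>].<ransom_ext>
PHOBOS_EXT_RE = re.compile(
    r"""^(?P<original>.+?)                      # original file name incl. its extension
        \.id\[(?P<victim_id>[^\]]+)\]            # victim ID appended by the encryptor
        \.\[(?P<contact>[^\]@\s]+@[^\]\s]+)\]    # ransom-contact email address
        \.(?P<ransom_ext>[A-Za-z0-9]{2,16})$     # appended ransom extension
    """,
    re.VERBOSE,
)

@dataclass(frozen=True)
class EncryptedFile:
    path: str
    original_name: str
    victim_id: str
    contact: str
    ransom_ext: str

def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the parsed fields if the basename matches the assumed layout, else None."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = PHOBOS_EXT_RE.match(basename)
    if not m:
        return None
    return EncryptedFile(path, m["original"], m["victim_id"], m["contact"], m["ransom_ext"])

def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Group matching files by (victim ID, contact) so one campaign can be scoped."""
    hits: List[EncryptedFile] = [f for f in (parse_encrypted_name(p) for p in paths) if f]
    by_campaign: Dict[Tuple[str, str], List[str]] = {}
    for f in hits:
        by_campaign.setdefault((f.victim_id, f.contact), []).append(f.path)
    return {"hits": hits, "by_campaign": by_campaign}

# Constructed sample listing (no real victim data); the last entry is a near-miss.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\q1.xlsx.id[A1B2C3D4-2451].[contact@example.invalid].eight",
    r"C:\Shares\Finance\q2.xlsx.id[A1B2C3D4-2451].[contact@example.invalid].eight",
    r"C:\Users\alice\notes.txt",
    "/srv/backup/db.sql.id[A1B2C3D4-2451].[contact@example.invalid].eight",
    "/srv/backup/readme.id[notanemail].eight",
]

if __name__ == "__main__":
    for (vid, contact), paths in triage(SAMPLE_PATHS)["by_campaign"].items():
        print(f"victim_id={vid} contact={contact} files={len(paths)}")
```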

Background

Phobos is a ransomware-as-a-service group that emerged in 2019, widely believed to be a derivative of Dharma ransomware, sharing code lineage and operational patterns. Phobos targets small and medium enterprises, local governments, healthcare clinics and schools, sectors with limited in-house security capability and high operational dependency on accessible data. Unlike high-profile groups that chase large ransoms from enterprise targets, Phobos affiliates run a high-volume, lower-ransom model, charging hundreds to tens of thousands of dollars per victim and operating numerous simultaneous campaigns. The US Cybersecurity and Infrastructure Security Agency (CISA), FBI and HHS issued a joint advisory on Phobos in February 2024, documenting its systematic targeting of US healthcare and government entities and its use of compromised Remote Desktop Protocol (RDP) access as the primary initial access vector.

Phobos was one of at least 25 ransomware gangs named by Europol as users of First VPN, the criminal anonymisation service dismantled in Operation Saffron on 21 May 2026. The seizure of 33 servers across 27 countries stripped Phobos and co-dependent gangs of a shared operational-security layer used to mask command-and-control and victim-communication traffic. Based on prior takedown timelines (VPNLab.net reconstituted affiliates within two to four weeks), Phobos operations face a temporary disruption while affiliates migrate to alternative bulletproof hosts rather than a permanent shutdown.

Phobos does not operate a public leak site, distinguishing it from double-extortion groups that use public data publication as leverage. Its sustained volume against under-resourced targets makes it a persistent mid-tier threat even as higher-profile groups dominate ransomware headlines. The Operation Saffron disruption may temporarily reduce campaign frequency and introduce operational-security errors during the infrastructure transition period, creating a short window for remediation at previously targeted organisations.

Source Material