Ransomware

Phobos

aka Dharma successor · 8Base (affiliate) · Elking · Eight

A widely deployed ransomware-as-a-service derived from Dharma/CrySiS, favoured by lower-tier crews targeting small businesses via exposed RDP.

Phobos is a prolific ransomware-as-a-service descended from the Dharma/CrySiS lineage. Active since late 2018, it's the workhorse of many lower-tier crews — including 8Base — that target small and mid-sized businesses, typically by brute-forcing or buying access to exposed RDP.

Profile

Phobos isn't flashy: it deletes shadow copies, tampers with the firewall, and encrypts with AES, appending a contact ID and email to filenames. Its broad affiliate use makes it one of the most frequently encountered ransomware families in incident response.
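As an added illustration that is not part of this profile, the Python script below flags the behaviours named above (shadow-copy deletion, firewall tampering, the renamed-file pattern) in constructed host telemetry. The specific command lines (vssadmin/wmic, netsh advfirewall), the event shapes and the exact `.id[...].[email].ext` suffix form are assumptions, not details taken from this page.

```python
"""Triage helper for the Phobos behaviours described in the profile.
Added example; sample events and rule details are assumptions, not page data."""
import re

# Constructed sample events (not real telemetry): (event_type, payload).
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("process", r"netsh advfirewall set currentprofile state off"),
    ("process", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("process", r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"),
    ("rename", r"C:\Share\report.docx.id[A1B2C3D4-1234].[attacker@example.com].eight"),
    ("rename", r"C:\Share\report.docx.bak"),
]

# Common implementations of "delete shadow copies" and "tamper with the firewall"
# (assumed; the profile names the behaviour, not the commands).
PROCESS_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "firewall_tampering": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
}

# Assumed suffix form: ".id[<victim id>].[<contact email>].<ext>" appended to the name.
RENAME_RULE = re.compile(
    r"\.id\[[0-9A-F]{8}-\d{4}\]\.\[[^\]\s]+@[^\]\s]+\]\.[A-Za-z0-9]+$", re.I)


def classify_event(event_type, payload):
    """Return the name of the matching rule, or None if the event looks benign."""
    if event_type == "process":
        for name, rule in PROCESS_RULES.items():
            if rule.search(payload):
                return name
    elif event_type == "rename" and RENAME_RULE.search(payload):
        return "phobos_rename_pattern"
    return None


def triage(events):
    """Count hits per rule; several distinct rules firing on one host is a strong signal."""
    hits = {}
    for event_type, payload in events:
        name = classify_event(event_type, payload)
        if name:
            hits[name] = hits.get(name, 0) + 1
    return hits


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A single hit (an administrator deleting old shadow copies, say) is not conclusive; the shadow-copy, firewall and rename rules firing together within minutes is what warrants an incident.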

Defense

Lock down RDP (VPN + MFA, no internet exposure), enforce strong credentials, and keep offline backups. Campaigns are tracked on Cyber Breaches; a variant analysis lives on the Reverse Engineering Hub.