What Is Phobos Ransomware?
Phobos is a ransomware family that has been active since late 2018. It doesn't make the news often because it doesn't target Fortune 500 companies or government agencies. It targets businesses that are too small to have a dedicated security team and too busy to update their VPN.
That's not an accident — it's the business model.
Key characteristics:
- Relatively simple encryption implementation (AES + RSA), but effective enough
- Relies heavily on exposed RDP and compromised VPN for initial access
- Targets SMBs almost exclusively — law firms, accounting practices, small manufacturers, clinics
- Ransom demands are typically lower than LockBit (USD 5,000-50,000), which makes businesses more likely to consider paying
Phobos is easily identifiable by its ransom note, typically an info.hta file that pops up a window with a countdown timer. The encrypted file names also usually include the attacker's email address and a unique ID (e.g., document.pdf.id[1A2B3C4D]-[hacker@email.com].phobos). If you see this naming pattern, you're dealing with Phobos.
The Variants
Phobos operators frequently rotate extension names, partly to avoid detection, partly to create the appearance of "new" variants:
| Extension | Period | Notes |
|---|---|---|
| .phobos | 2018+ | Original, still common |
| .deym | 2019 | Slightly modified encryption routine |
| .mamba | 2020 | Renamed variant |
| .phreud | 2021+ | More recent builds |
| .actin, .acton | 2022+ | Active variants |
The encryption core is similar across variants. What changes is the extension name and the ransom note formatting. Recovery approaches are largely the same regardless of which extension your files carry.
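As an added example (not code from the original page), a small Python triage script that parses the file-naming pattern described above (original name, bracketed ID, bracketed contact address, extension) and maps the extension to the variants in the table. The file listing is constructed, and the ID format follows the page's example.

```python
import re
from collections import Counter

# Naming pattern from the page: <original name>.id[<ID>]-[<email>].<extension>
# The page's example uses an 8-character hex ID; any bracketed token is accepted.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]-\[(?P<email>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Extension-to-variant notes taken from the table above.
VARIANT_NOTES = {
    "phobos": "original build, 2018+",
    "deym": "2019 build, slightly modified encryption routine",
    "mamba": "2020 renamed variant",
    "phreud": "2021+ build",
    "actin": "2022+ active variant",
    "acton": "2022+ active variant",
}

def parse_phobos_name(filename):
    """Return original name, victim ID, contact email, extension and variant note, or None."""
    m = PHOBOS_NAME.match(filename)
    if not m:
        return None
    d = m.groupdict()
    d["ext"] = d["ext"].lower()
    d["variant_note"] = VARIANT_NOTES.get(d["ext"], "unlisted extension; check NoMoreRansom/Emsisoft")
    return d

def triage(filenames):
    """Summarise a listing: encrypted count per extension, distinct IDs/emails, ransom notes."""
    hits = [p for p in map(parse_phobos_name, filenames) if p]
    return {
        "encrypted": len(hits),
        "ransom_notes": sum(1 for f in filenames if f.lower() == "info.hta"),
        "untouched": len(filenames) - len(hits),
        "per_extension": dict(Counter(h["ext"] for h in hits)),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "emails": sorted({h["email"] for h in hits}),
    }

# Constructed sample listing (hypothetical names, not real victim data).
SAMPLE = [
    "document.pdf.id[1A2B3C4D]-[hacker@email.com].phobos",
    "ledger.xlsx.id[1A2B3C4D]-[hacker@email.com].phobos",
    "notes.txt",
    "info.hta",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```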
How Phobos Gets In
Phobos affiliates are not sophisticated operators. They don't use zero-days or custom malware. They use what works, and what works is remarkably simple:
1. Exposed RDP (the #1 entry vector). Port 3389, directly facing the internet. Automated scripts scan the entire internet for it, brute-force credentials, and are inside within hours. We see this exact pattern in the majority of Phobos cases we handle.
2. Stolen credentials from compromised personal devices. An employee's home laptop gets infected with a credential stealer. The stolen username and password are used to log into the office server via RDP. The employee never connects the two events — the home infection happened weeks earlier.
3. Unpatched VPN appliances. Same story as LockBit — a known vulnerability, a patch that exists but was never applied.
Phobos doesn't need to be clever. It needs businesses to leave the door unlocked. And most SMBs do.
Can Phobos-Encrypted Files Be Decrypted?
Phobos uses AES encryption with an RSA-2048 wrapped key — the same model as Locky and most modern ransomware. Without the private key, brute-force decryption is not viable.
Free decryptors: Check NoMoreRansom and Emsisoft for your specific variant. Some older Phobos builds have been covered after law enforcement operations, but current variants typically are not.
- NoMoreRansom.org → Crypto Sheriff → upload encrypted file + ransom note
- Emsisoft → search "Phobos"
Professional forensic recovery looks for:
- Shadow copies that survived deletion — Phobos attempts to delete them, but the deletion doesn't always complete, especially if the infection was interrupted
- Key material from memory if the machine was hibernated before encryption finished
- Partial encryption — files in the process of being encrypted when the machine was disconnected
- Data carving from unallocated space, temp files, and alternative file locations
What determines recovery likelihood:
- How fast you disconnected — catching Phobos mid-encryption dramatically improves outcomes
- Whether shadow copies survived — this is the single biggest factor
- The specific variant — older Phobos builds are better documented
What to Do Right Now If You Have Phobos
Disconnect from the network immediately. Phobos can spread to mapped drives and network shares. Kill the connection.
Hibernate or pull the power plug (for workstations). Don't leave it running — encryption continues. Don't do a normal shutdown — some variants delete shadow copies. Hibernate preserves RAM while stopping encryption. If you don't know how to hibernate a standard office computer, pull the power plug immediately. Stopping active destruction of your hard drive is more important than theoretical RAM forensics.
⚠️ CRITICAL WARNING FOR SERVERS: Phobos primarily enters through RDP — which means it often lands on servers first. If the infected machine is a live SQL/Database server (common in accounting or ERP systems), do NOT pull the power plug. Hard-crashing a database can cause irreversible corruption (.mdf/.ldf logical damage) that is harder to fix than the encryption itself. Instead, disconnect its network cables immediately and contact an incident response team to safely halt the services before shutting down.
Check other machines on the network. Phobos often enters through one compromised machine and moves laterally. If one workstation is encrypted, assume others may be compromised even if they're not showing symptoms yet.
Note the exact extension. Whether it is .phobos, .deym, .mamba or .phreud tells us the variant.
Try NoMoreRansom and Emsisoft. It takes 10 minutes and is free.
If those fail — contact a professional recovery service for assessment.
For the full emergency checklist, see our ransomware emergency: 5 steps to take right now.
Real-World Phobos Recovery: What We've Seen
An accounting practice with 200+ active client files discovered Phobos encryption on a Friday at 4 PM. Tax season. The filing deadline was the following Tuesday.
The entry point: a senior accountant had been working from home. Her personal laptop was compromised by a credential stealer three weeks earlier — she never noticed. The stolen credentials were used to access the office server via RDP. The server had been accessed remotely like this for two years with no MFA.
217 client directories encrypted. Three clients with April 2nd submission deadlines.
We prioritized recovery by deadline: the three critical clients first. By Saturday afternoon, 87% of the critical files were recovered through forensic extraction. By Sunday, the second wave brought overall recovery to 94%. All three April 2nd submissions were filed on time.
Total cost: USD 10,900. They'd been quoted USD 60,000 by another firm before calling us.
The lesson: the RDP access with no MFA was the entry point. A USD 90/month monitoring service and a VPN would have prevented the entire incident.
(Full case study available on our Case Studies page.)
How to Prevent Phobos
Phobos is preventable. It relies on basic security failures, not sophisticated attacks.
On remote access (where Phobos starts):
- Never expose RDP directly to the internet. This is the single most important thing you can do. Put it behind a VPN with MFA.
- Change the default RDP port (3389). Doesn't stop sophisticated attackers but filters out the automated scans that find 90% of Phobos victims.
- Account lockout after 5 failed attempts. Kills brute force attacks.
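An added example, not from the original page, that turns the exposed-RDP entry vector described under "How Phobos Gets In" and the five-attempt lockout recommended above into a detection check over Windows Security log events: it flags source IPs whose RDP logon failures (Event ID 4625, logon type 10) reach the lockout threshold inside a short window, and records whether a successful logon (Event ID 4624) followed. The log lines are constructed and reduced to the fields the check needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, reduced to: timestamp, Event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "2024-03-01T02:00:01 4625 10 administrator 203.0.113.7",
    "2024-03-01T02:00:09 4625 10 administrator 203.0.113.7",
    "2024-03-01T02:00:17 4625 10 admin 203.0.113.7",
    "2024-03-01T02:00:25 4625 10 admin 203.0.113.7",
    "2024-03-01T02:00:33 4625 10 backup 203.0.113.7",
    "2024-03-01T02:00:41 4625 10 backup 203.0.113.7",
    "2024-03-01T02:03:12 4624 10 backup 203.0.113.7",   # success after the burst
    "2024-03-01T08:15:02 4625 10 jsmith 198.51.100.22",  # one typo, then success: benign
    "2024-03-01T08:15:20 4624 10 jsmith 198.51.100.22",
    "2024-03-01T09:00:00 4625 2 jsmith 192.0.2.5",       # interactive (console), not RDP
]

LOCKOUT_THRESHOLD = 5            # the lockout policy recommended above
WINDOW = timedelta(minutes=10)   # assumed observation window

def parse_event(line):
    ts, eid, ltype, account, ip = line.split()
    return {"time": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "account": account.lower(), "ip": ip}

def find_rdp_bruteforce(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {ip: {failures, accounts, success_after}} for IPs reaching the threshold over RDP."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:          # only RDP logons matter for this check
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(fails):  # sliding window over the failure sequence
            burst = [g for g in fails[i:] if g["time"] - first["time"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["time"]
                success = any(e["event_id"] == 4624 and e["time"] >= last for e in evs)
                findings[ip] = {"failures": len(fails),
                                "accounts": sorted({g["account"] for g in burst}),
                                "success_after": success}
                break
    return findings

if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_EVENTS))
```

A source that reaches the threshold and then logs on successfully is the pattern to treat as a likely compromised account, not just a blocked scan.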
On credentials:
- Separate personal and work devices. The credential stealer that led to the accounting firm breach came from a personal laptop used for both family browsing and work access.
- Change passwords after any suspicious activity on personal devices used for work.
On backups:
- One copy completely offline — not syncing, not connected to the same network as the server
- Test restoration quarterly
(For the full prevention checklist, see our 9 ways to prevent ransomware.)
FAQ
Is Phobos still active? Yes. Phobos has been active for years and shows no signs of slowing. It doesn't get press coverage because it hits SMBs, not enterprises — but it's one of the most common ransomware families we see in incident response.
Why does Phobos target small businesses? Because it works. SMBs are more likely to have exposed RDP, less likely to have MFA, and less likely to detect the intrusion before encryption begins. Phobos operators are opportunistic — they go where the defenses are weakest.
Can Phobos be removed without losing files? Yes. Removing the malware is separate from decrypting files. But removal alone doesn't get your data back — you still need to decrypt or recover the encrypted files.
Does Phobos steal data? Some Phobos affiliates do exfiltrate data before encryption, but it's less consistent than LockBit's double extortion model. Don't assume your data is safe just because you recovered the files — check for evidence of data transfer in your network logs.
How long does Phobos take to encrypt a full machine? Slower than LockBit — typically 1-3 hours on a business workstation. This is actually an advantage: if you catch it early and disconnect, you can limit the damage significantly.
Dealing with Phobos-encrypted files right now?
Tell us your extension variant and we'll tell you what recovery options exist. Free assessment, no commitment. We have successfully resolved over 1,000 ransomware cases. Our approach combines proprietary decryption tools, forensic data carving, and deep variant analysis to recover data without paying hackers whenever technically possible.
- WhatsApp: +852 4666 4940
- Email: IR@ransomrestore.com
- Website: ransomrestore.com
In most cases, we respond within 3 hours.
