MalwareRansomware

Crysis

Crysis is a ransomware family referenced in the provided content as a notable predecessor and point of lineage for later ransomware operations. The content explicitly states that Phobos is a ransomware-as-a-service operation derived from the Crysis ransomware family, and also groups Crysis together with Dharma and Phobos in reporting on ransomware threats observed during holiday periods. Crysis is further cited as one of several ransomware families whose master decryption keys were released after shutdown, alongside TeslaCrypt and Shade. Based on the provided material, high-confidence attributes are that Crysis is ransomware, it is associated by lineage with Phobos, and it is commonly referenced in the combined naming convention Crysis/Dharma/Phobos. The content does not provide specific infection vectors, technical behavior, targeted sectors, platforms, or indicators of compromise for Crysis itself.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence1

"Phobos, a ransomware-as-a-service operation derived from the Crysis ransomware family, has been linked to over 1,000 breaches worldwide"

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

scworldNews

Feb 18, 2026

Polish police detain suspect linked to Phobos ransomware group | SC Media

Ransomware family referenced as the lineage/source family from which Phobos is derived.

comodo blogNews

Dec 21, 2021

All I Want for Christmas Is Ransomware

Ransomware family/lineage referenced via the Crysis/Dharma/Phobos naming cluster as a common holiday-season threat.

bleeping computerNews

Nov 2, 2020

Maze ransomware shuts down operations, denies creating cartel

Ransomware referenced as an example of a group releasing master decryption keys upon shutdown.

bleeping computerNews

Oct 29, 2020

Maze ransomware is shutting down its cybercrime operation

Ransomware referenced as an example where master decryption keys were released upon shutdown.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.