Defense Evasion
- Defender Control
Space Bears is a ransomware and data-extortion threat actor that emerged in April 2024 and operates a dedicated leak site to pressure victims into payment.
Profile source: Mallory opens in a new tabSpace Bears
Space Bears is a ransomware and data-extortion threat actor that emerged in April 2024 and operates a dedicated leak site to pressure victims into payment. The group is associated by multiple security researchers with the Phobos ransomware-as-a-service ecosystem and appears to use a double-extortion model in which data theft is central, with encryption used in at least some intrusions. Its operations emphasize public shaming, countdown-based leak threats, and the sale or publication of stolen data when victims do not comply.
Space Bears has targeted organizations across multiple regions, including Europe, Latin America, the Middle East, Asia-Pacific, and Australia. Reported victims span telecommunications, managed services, business services, manufacturing-adjacent firms, and other enterprise sectors. Observed victimology includes telecommunications providers and contractors, service providers, and companies holding customer, employee, financial, technical, or operational data.
The group’s leak-site claims and incident reporting indicate a focus on exfiltrating sensitive business information such as SQL databases, personal information, financial documents, technical documentation, production configuration data, and client or partner records. In some cases, Space Bears has claimed access through third-party or contractor relationships, indicating opportunistic supply-chain or downstream extortion targeting. Public reporting also describes the actor as sometimes prioritizing theft-and-extortion over pure encryption-led disruption.
Space Bears is tracked under the aliases spacebears and space_bears. It is best understood as a financially motivated cybercriminal ransomware operation rather than a nation-state actor. High-confidence reporting links it to the broader Phobos affiliate ecosystem, but publicly available information does not establish a specific state sponsor, core operator identity, or confirmed sub-group structure.
Ransomware.live
Ransomware.live
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.