Russian national in US custody in Phobos ransomware investigation

An alleged administrator of the Phobos ransomware-as-a-service operation is in U.S. custody and faces 13 criminal charges, the Department of Justice said Monday.

Russian national Evgenii Ptitsyn, 42, was recently extradited from South Korea and appeared in Maryland federal court on November 4, the DOJ said in a news release.

The indictment of Ptitsyn includes charges of wire fraud, causing intentional damage to protected computers and extortion in relation to hacking. Further details about his arrest and extradition weren’t available Monday.

The Phobos operation has collected about $16 million in ransom payments from more than 1,000 targets around the world, prosecutors said, earning a warning from federal law enforcement in February.

Administrators sold access to Phobos on a dark web site, advertising it in cybercrime forums and through messaging services, while amassing a network of affiliates who often used the ransomware against small businesses and similar targets. 

Phobos affiliates are often less technically adept than members of higher-profile ransomware gangs such as Clop or Black Basta, cybersecurity researchers said, and are known for using “spray and pray” methods, in which an attacker aims ransomware at multiple potential targets, hoping for an infection. 

The ransom demands are relatively small, too — less than $2,000 in many cases — making it more likely a victim might pay up and move on. Other cybercrime groups, including 8Base, have been known to use Phobos. 

At the top, though, Phobos administrators have kept a close watch on how customers are doing, prosecutors said.

“Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate,” the DOJ said. “From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn.”

Ptitsyn allegedly used the monikers “derxan” and “zimmermanx” at times in cybercrime circles, prosecutors said. He potentially faces a long prison sentence if convicted: “20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse,” the DOJ said.

Recent Phobos targets included hospitals in Romania, and the U.S. law enforcement alert mentioned attacks against “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities.”

Researcher Alexander Leslie of Recorded Future noted on social media that the company had noticed “a significant drop” in Phobos activity recently. “We have an explanation,” he said, pointing to Ptitsyn’s arrest. The Record is an editorially independent operation of Recorded Future.

Federal law enforcement agencies have made ransomware a priority in recent years. Four members of the REvil gang received prison sentences in October, and. An alleged member of the Karakurt group was charged in August. The FBI announced the takedown of the Radar/Dispossessor operation in August.