A 47-year-old man was arrested in Poland for his alleged involvement with the Phobos ransomware operation.
Poland’s Central Bureau for Combating Cybercrime said the man was detained in the southern Małopolska region of the country in an operation coordinated by police in the cities of Katowice and Kielce.
The man, who was not named, is now facing a prison sentence of up to five years for his involvement in cybercrime.
During the raid, officers searched the man’s computer and found encrypted messages with members of the Phobos group — a focus of Europol’s Operation Aether.
Polish police officials said the regional operation has involved the arrest of back-end developers of the Phobos ransomware as well as operators and affiliates who conducted the attacks and encrypted victim systems.
Phobos was a ransomware gang that attacked more than 1,000 organizations worldwide, targeting hospitals, schools, government agencies and more. U.S. prosecutors previously said operators of Phobos and a related strain called 8Base collected upwards of $16 million from victims worldwide dating back to 2019.
U.S. authorities warned in February 2024 that Phobos attacks were impacting state, local, tribal and territorial governments — damaging “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.”
The spinoff operation named 8Base ramped up its activity in the summer of 2023 and the group claimed responsibility for high-profile attacks on the United Nations Development Programme and the Atlantic States Marine Fisheries Commission as well as a Canadian agency that administers dental benefit plans for disabled people in Alberta.
Phobos is known for accepting significantly smaller ransoms from attacks than other groups, including several under $100,000.
“Key elements of this pressure included the extradition of the alleged Phobos administrator to the US and coordinated arrests in Europe and beyond, combined with technical measures targeting the cybercriminal infrastructure,” Polish officials said in a statement, referencing arrested Russian national Evgenii Ptitsyn.
Ptitsyn was extradited to the U.S. from South Korea in 2024 and multiple other members of Phobos are now facing charges.
As part of Operation Aether, two men and two women were arrested after raids in Phuket, Thailand. The FBI, alongside law enforcement agencies in Germany, Japan and more, took down more than 100 servers used as part of the Phobos scheme and warned more than 400 companies worldwide of ongoing or imminent ransomware attacks.
Following the Thai raids, the U.S. Department of Justice unsealed an array of criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, for their alleged roles in Phobos.
Last July, Japanese officials published a free Phobos ransomware decryption tool and a guide in English for organizations impacted by the group’s attacks.
The indictment of Ptitsyn revealed significant information about the group’s inner workings and victims, which include:
- The California public school system, which paid the $300,000 ransom in the summer of 2023
- A Maryland-based company that provided accounting and consulting services to federal agencies. It paid a $12,000 ransom in early 2021
- A Pennsylvania healthcare organization that paid $20,000 in the spring of 2022
- An Illinois-based contractor for the U.S. departments of Defense and Energy
- Maryland healthcare organizations that paid ransoms of $25,000 and $37,000 in the summer of 2022
- A New York-based law enforcement union and a federally recognized tribe in the summer of 2022
- A Connecticut public school system in the summer of 2023, which did not pay a ransom
- A North Carolina children’s hospital in the fall of 2023, which paid $100,000
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

