Russian national in US custody in Phobos ransomware investigation


An alleged administrator of the Phobos ransomware-as-a-service operation is in U.S. custody and faces 13 criminal charges, the Department of Justice said Monday.

Russian national Evgenii Ptitsyn, 42, was recently extradited from South Korea and appeared in Maryland federal court on November 4, the DOJ said in a news release.

The indictment of Ptitsyn includes charges of wire fraud, causing intentional damage to protected computers and extortion in relation to hacking. Further details about his arrest and extradition weren’t available Monday.

The Phobos operation has collected about $16 million in ransom payments from more than 1,000 targets around the world, prosecutors said, earning a warning from federal law enforcement in February.

Administrators sold access to Phobos on a dark web site, advertising it in cybercrime forums and through messaging services, while amassing a network of affiliates who often used the ransomware against small businesses and similar targets. 

Phobos affiliates are often less technically adept than members of higher-profile ransomware gangs such as Clop or Black Basta, cybersecurity researchers said, and are known for using “spray and pray” methods, in which an attacker aims ransomware at multiple potential targets, hoping for an infection. 

The ransom demands are relatively small, too — less than $2,000 in many cases — making it more likely a victim might pay up and move on. Other cybercrime groups, including 8Base, have been known to use Phobos.

At the top, though, Phobos administrators have kept a close watch on how customers are doing, prosecutors said.

“Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate,” the DOJ said. “From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn.”

Ptitsyn allegedly used the monikers “derxan” and “zimmermanx” at times in cybercrime circles, prosecutors said. He potentially faces a long prison sentence if convicted: “20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse,” the DOJ said.

Recent Phobos targets included hospitals in Romania, and the U.S. law enforcement alert mentioned attacks against “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities.”

Researcher Alexander Leslie of Recorded Future noted on social media that the company had noticed “a significant drop” in Phobos activity recently. “We have an explanation,” he said, pointing to Ptitsyn’s arrest. The Record is an editorially independent operation of Recorded Future.

Federal law enforcement agencies have made ransomware a priority in recent years. Four members of the REvil gang received prison sentences in October, and an alleged member of the Karakurt group was charged in August. The FBI announced the takedown of the Radar/Dispossessor operation in August.


Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.
