Phobos ransomware administrator faces US cybercrime charges

The Justice Department unsealed criminal charges against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.

Ptitsyn made his initial appearance in the US District Court for the District of Maryland on Nov. 4 after being extradited from South Korea. Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more than $16 million dollars.

Phobos ransomware used in international hacking and extortion scheme

As alleged in the indictment, beginning in at least November 2020, Ptitsyn and others conspired to engage in an international computer hacking and extortion scheme that victimized public and private entities through the deployment of Phobos ransomware.

As part of the scheme, Ptitsyn and his co-conspirators allegedly developed and sold access to Phobos ransomware on the darknet. They used online monikers to advertise their services on criminal forums and messaging platforms. Ptitsyn reportedly used the monikers “derxan” and “zimmermanx.”

Affiliates, after gaining access to victim computer networks, would copy and steal files and programs, and encrypt the original versions of the stolen data by installing and executing Phobos ransomware. They would then demand a ransom payment from victims in exchange for the decryption keys to regain access to the encrypted data. The affiliates also threatened to expose victims’ stolen files if the ransoms were not paid.

After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate. From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn.

Phobos ransomware suspect charged with 13 crimes

Ptitsyn is charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking.

If convicted, he faces a maximum penalty of 20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse.