A Russian national accused of operating the notorious Phobos ransomware enterprise has been extradited from South Korea to face criminal charges in the United States. Evgenii Ptitsyn allegedly played a central role in developing and distributing ransomware that targeted over 1,000 organizations globally and extorted more than $16 million in payments.
According to prosecutors, Ptitsyn managed the ransomware-as-a-service (RaaS) operation since November 2020, selling malware on dark web forums under aliases including "derxan" and "zimmermanx." The business model allowed criminal affiliates to purchase decryption keys and deploy the ransomware against victims, with profits flowing through cryptocurrency wallets.
The 13-count indictment charges Ptitsyn with wire fraud conspiracy, computer fraud, intentional damage to protected systems, and extortion related to hacking activities. If found guilty, he could face up to 20 years in prison for each wire fraud charge, 10 years per computer hacking offense, and 5 years for conspiracy.
Recent investigations revealed that Phobos variants like Backmydata, Devos, and Faust remain active threats, particularly targeting critical infrastructure including healthcare, education, and emergency services. The ransomware operation, active since 2019, employs various attack methods including phishing campaigns and exploitation of vulnerable Remote Desktop Protocol ports.
Attackers utilize popular hacking tools such as Smokeloader, Cobalt Strike, and Bloodhound to compromise networks. The accessibility and ease of use of these tools have contributed to Phobos becoming a preferred choice among cybercriminals.
U.S. authorities continue investigating the broader Phobos operation as similar attacks were reported as recently as February 2024, highlighting the ongoing threat to public and private organizations worldwide.