“The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware. Ptitsyn made his initial appearance in the U.S. District Court for the District of Maryland on Nov. 4 after being extradited from South Korea. Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more than $16 million dollars.”
“As alleged in the indictment, beginning in at least November 2020, Ptitsyn and others conspired to engage in an international computer hacking and extortion scheme that victimized public and private entities through the deployment of Phobos ransomware.”
“As part of the scheme, Ptitsyn and his co-conspirators allegedly developed and offered access to Phobos ransomware to other criminals or ‘affiliates’ for the purposes of encrypting victims’ data and extorting ransom payments from victims. The administrators operated a darknet website to coordinate the sale and distribution of Phobos ransomware to co-conspirators and used online monikers to advertise their services on criminal forums and messaging platforms. At relevant times, Ptitsyn allegedly used the monikers ‘derxan’ and ‘zimmermanx.’”
“Affiliates would then allegedly hack into the victims’ computer networks, often using stolen or otherwise unauthorized credentials; copy and steal files and programs on the victims’ networks; and encrypt the original versions of the stolen data on the networks by installing and executing Phobos ransomware. Affiliates then extorted the victims for ransom payments in exchange for the decryption keys to regain access to encrypted data by leaving ransom notes on compromised victims’ computers and by calling and emailing victims to initiate the ransom payment negotiations. Affiliates also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid.”
“After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators like Ptitsyn for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate. From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn.” (Source: US Department of Justice)