Phobos Ransomware Affiliates Arrested in Coordinated International Disruption

“WASHINGTON — The Justice Department today unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals, who allegedly operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments. Berezhnoy and Glebov were arrested yesterday as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.”

“From May 2019, through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments. The victims included a children’s hospital, health care providers, and educational institutions.”

“According to court documents, Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names ‘8Base’ and ‘Affiliate 2803,’ among others, that victimized public and private entities through the deployment of Phobos ransomware.”

“As part of the scheme, Berezhnoy, Glebov, and others allegedly hacked into victim computer networks, copied and stole files and programs on the victims’ network, and encrypted the original versions of the stolen data with Phobos ransomware. The conspirators then allegedly extorted the victims for ransom payments in exchange for the decryption keys to regain access to the encrypted data by, among other things, leaving a ransom note on compromised victim computers and separately reaching out to victims to initiate ransom payment negotiations.”

“As alleged, the conspirators also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid. The conspirators are further alleged to have established and operated a darknet website where they repeated their extortionate threats and ultimately published the stolen data if a victim failed to pay the ransom.”

“After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate.”

“The charges unsealed today against Berezhnoy and Glebov follow the recent arrest and extradition of Evgenii Ptitsyn, a Russian national, on charges relating to his alleged administration of the Phobos ransomware variant.”

“In parallel with today’s arrests, Europol and German authorities have announced an international operation involving the FBI and other international law enforcement partners to disrupt over 100 servers associated with this criminal network.” (Source: US Department of Justice)