Phobos Ransomware Terror Grips Hospitals, Tribes Globally

The US Department of Justice has charged Evgeny Ptitsyn with allegedly administering the sale, distribution, and operation of the Phobos ransomware. The 42-year-old Ptitsyn was extradited from South Korea and made his initial appearance in the US District Court for the District of Maryland on November 4. Law enforcement agencies from South Korea, the United Kingdom, Japan, Spain, France, and Romania, supported by Europol and other international organizations, took part in the operation.

Phobos ransomware was used in attacks on more than 1,000 public and private organizations in the United States and other countries, causing losses exceeding $16 million. Victims included hospitals, schools, non-profit organizations, and even a federally recognized tribe.

Ptitsyn and his accomplices developed Phobos and sold access to it to other cybercriminals (affiliates). Under the pseudonyms “Derxan” and “Zimmermanx,” they advertised their services on darknet sites and messaging platforms. Affiliates broke into victims’ networks, encrypted data with Phobos, and demanded a ransom for decryption. If a victim refused to pay, the affiliates threatened to publish the stolen data.

After negotiating with victims, the cybercriminals received payment for the decryption keys and transferred the money to designated cryptocurrency wallets. From December 2021 to April 2024, funds from these wallets were then moved on to a wallet controlled by Ptitsyn.

The 13-count indictment against Ptitsyn includes wire fraud, intentional damage to protected computers, and extortion. If convicted, he faces a maximum penalty of 20 years in prison for each wire fraud count, 10 years for each count of damaging protected computers, and 5 years for conspiracy to commit computer fraud.

In March of this year, CISA issued an advisory describing the common attack techniques and indicators of compromise associated with Phobos. Since 2019, Phobos, operating as ransomware-as-a-service (RaaS), has targeted municipal and county governments, emergency services, educational institutions, medical facilities, and other critical infrastructure. The RaaS model lets individuals with minimal technical knowledge carry out attacks using ready-made tooling supplied by the operators.
