
Phobos Ransomware Administrator Extradited to U.S.

A Russian national who allegedly served as an administrator for the Phobos ransomware was extradited from South Korea to the U.S.

A Russian national who allegedly served as an administrator for the Phobos ransomware was extradited from South Korea to the U.S., the Justice Department revealed this week.

The man, Evgenii Ptitsyn, is 42 years old and initially appeared in the U.S. District Court for the District of Maryland on Nov. 4 after the extradition.

Why It Matters: We’ve seen many indictments by the U.S. government of individuals behind ransomware and cybercriminal groups, but the actual arrest and extradition of an individual is a big win. Ptitsyn was allegedly behind the sale, distribution and operation of Phobos ransomware, which has been around since 2019 and was used to target more than 1,000 public and private sector organizations worldwide, in attacks that extorted ransom payments worth more than $16 million. The U.S. government has previously issued a security alert about Phobos, warning that it poses a threat to government, healthcare, education and critical infrastructure entities in the U.S. The extradition of Ptitsyn also gives a behind-the-scenes look at how the ransomware-as-a-service operation worked, and the role Ptitsyn played in Phobos operations.

Key Details:

  • Starting in November 2020, Ptitsyn, along with other administrators, developed and offered access to the Phobos ransomware to affiliates, who would then leverage it in attacks against organizations.

  • After successful attacks, affiliates paid fees to a cryptocurrency wallet controlled by Ptitsyn for a decryption key in order to regain access to encrypted files.

  • Ptitsyn allegedly used the monikers “derxan” and “zimmermanx” and helped operate a darknet website for coordinating ransomware distribution.

Next Steps: Ptitsyn is charged with a 13-count indictment for wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. These charges could come with a substantial amount of prison time: for each wire fraud count, Ptitsyn could get a maximum of 20 years, as well as 10 years for each computer hacking count and five years for conspiracy to commit computer fraud and abuse.