
Seoul extradited a Russian citizen suspected of extortion to the United States

A Russian Citizen Allegedly Coordinated the Sale, Distribution, and Operation of the Phobos Ransomware as Part of an International Hacking and Extortion Conspiracy

Today, the Department of Justice filed criminal charges against 42-year-old Russian citizen Evgeny Ptitsyn for allegedly directing the sale, distribution, and operation of the Phobos ransomware. Ptitsyn made his first appearance in U.S. District Court for the District of Maryland on November 4 after extradition from South Korea. The Phobos ransomware, through its affiliates, has victimized more than 1,000 public and private organizations in the United States and around the world and has extorted ransom payments of over $16 million.

"The Department of Justice intends to leverage the full range of our international partnerships to combat threats posed by ransomware such as Phobos," Deputy Attorney General Lisa Monaco said in a statement. "Evgeny Ptitsyn allegedly extorted millions of dollars in ransom from thousands of victims and is now facing justice in the United States thanks to the hard work and ingenuity of law enforcement agencies around the world — from the Republic of Korea to Japan, to Europe, and finally to Baltimore, Maryland. Together with our partners around the world, we will continue to hold cybercriminals accountable and protect innocent victims."

"The indictment alleges that Ptitsyn and his co-conspirators led the Phobos ransomware group, whose members carried out ransomware attacks on more than 1,000 public and private victims across the United States and the rest of the world," said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department's Criminal Division. "Ptitsyn and his accomplices hacked not only large corporations, but also schools, hospitals, non-profit organizations and a federally recognized tribe, and they extorted more than $16 million in ransom. Ptitsyn's indictment, arrest and extradition reflect the Criminal Division's commitment to leading the fight against the international scourge of ransomware. We are especially grateful to our domestic and foreign law enforcement partners, such as South Korea, whose cooperation is essential to prevent the most serious cybercriminal threats facing the United States."

"It's only a matter of time before cybercriminals are caught and brought to justice," Maryland County Attorney Erek L. Barron said. "According to the indictment, Ptitsyn contributed to the worldwide use of a dangerous strain of ransomware to attack corporations and various organizations, including government agencies, medical institutions, educational institutions and critical infrastructure facilities. The U.S. Attorney's Office for the District of Maryland is committed to bringing cybercriminals to justice and working with the private sector and academia to prevent and disrupt their activities."

"The FBI is working tirelessly to ensure that ransomware participants, both developers and affiliates, face the consequences of their actions," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "We know that breaking down cybercriminal networks requires strong partnerships. The FBI must thank our partners for the important role they play in fulfilling this mission. The extradition announced today would not have been possible without their help."

According to the indictment, since at least November 2020, Ptitsyn and others have conspired to participate in an international computer hacking and extortion scheme that targeted public and private entities through the introduction of the Phobos ransomware.

As part of the scheme, Ptitsyn and his co-conspirators allegedly developed the Phobos Ransomware and provided access to it to other criminals or "affiliates" with the goal of encrypting victims' data and extorting ransom payments from victims. The administrators operated a darknet website to coordinate the sale and distribution of the Phobos ransomware to accomplices and used online aliases to advertise their services on criminal forums and messaging platforms. At the relevant time, Ptitsyn allegedly used the pseudonyms "derxan" and "zimmermanx".

Affiliates would then allegedly hack into victims' computer networks, often using stolen or otherwise unauthorized credentials; copy and steal files and programs from victims' networks; and encrypt the original versions of the stolen data on those networks by installing and running the Phobos ransomware. The affiliates then extorted the victims for a ransom payment in exchange for decryption keys to regain access to the encrypted data, dropping ransom notes on the victims' compromised computers and contacting victims via email to initiate ransom negotiations. Affiliates also threatened to release the victims' stolen files to the public or to the victims' customers or voters if the ransom was not paid.

Following a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators like Ptitsyn for a decryption key to regain access to the encrypted files. Each deployment of the Phobos ransomware was assigned a unique alphanumeric string to match it with the corresponding decryption key, and each affiliate was instructed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate. From December 2021 to April 2024, decryption key fees were transferred from the unique affiliate cryptocurrency wallets to a wallet controlled by Ptitsyn.

Ptitsyn is charged with 13 counts of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and abuse, four counts of intentional damage to protected computers and four counts of extortion in connection with hacking. If convicted, Ptitsyn faces a maximum sentence of 20 years in prison for each count of wire fraud; 10 years' imprisonment on each count of computer hacking; and five years' imprisonment for conspiracy to commit computer fraud and abuse. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The local FBI office in Baltimore is investigating the case. The Department of International Relations of the Ministry of Justice cooperated with the International Criminal Division of the Ministry of Justice of Korea to obtain the arrest and extradition of Ptitsyn. The Department of Justice expresses its gratitude to international judicial and law enforcement partners in South Korea, the United Kingdom, Japan, Spain, Belgium, Poland, the Czech Republic, France, and Romania, as well as Europol and the U.S. Department of Defense Cybercrime Center for their cooperation and coordination in the investigation of the Phobos ransomware. The Department of Justice's National Security Division has also provided valuable assistance.

Senior Legal Counsel for the Criminal Division's Computer Crime and Intellectual Property Division (CCIPS) and Assistant U.S. Attorneys Aaron S.J. Zielinski and Thomas M. Sullivan of the District of Maryland are prosecuting the case. CCIPS Trial Attorney Rian Harper and former Assistant U.S. Attorney Jeffrey J. Izant from Maryland County provided substantial assistance.
