Accused Phobos Ransomware Hacker in US Custody
Russian National Evgenii Ptitsyn Faces a 13-Count Criminal Indictment
A Russian national accused of working for a ransomware gang made his first appearance in federal court earlier this month after extradition from South Korea, the U.S. Department of Justice disclosed Monday.
Evgenii Ptitsyn, 42, faces a 13-count criminal indictment that carries a potential sentence of life in prison. He is currently in federal custody.
Federal prosecutors say Ptitsyn joined the Phobos ransomware operation in 2020. First observed in 2019, Phobos nominally operates as a ransomware-as-a-service operation but lets anyone access its software through cybercrime forums for a payment that prosecutors say amounted to $300 for a decryptor key. Ptitsyn used "derxan" and "zimmermanx" as online handles.
Hackers wielding Phobos ransomware have gained a reputation for targeting small-to-medium-sized organizations across a variety of industries including medical clinics. Among the victims noted in the Ptitsyn indictment are a North Carolina children's hospital, three healthcare providers, a healthcare company and two public school districts.
Hackers using a Phobos variant called BackMyData earlier this year attacked a spate of medical facilities in Romania, demanding approximately $171,000 in bitcoin.
Research from 2021 pegged the average Phobos ransom payment received at around $54,000. Low individual ransoms did not stop Phobos operators from accumulating substantial earnings: prosecutors say they collectively extorted more than $16 million in attacks against more than 1,000 organizations in the U.S. and across the globe.
"It's only a matter of time, cybercriminals will be caught and brought to justice," said Erek L. Barron, U.S. attorney for the District of Maryland, where Ptitsyn is being prosecuted.
A federal cybersecurity advisory published in February concluded that Phobos ransomware is likely connected to numerous variants including Elking, Eight, Devos, Backmydata and Faust ransomware. Phobos hackers gain access to systems through phishing campaigns and through vulnerable remote desktop protocol instances. They often deploy the SmokeLoader backdoor as a precursor to downloading the Phobos cryptolocker.
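Because the advisory cited above names exposed remote desktop protocol instances as one of the ways Phobos operators get in, a defender's first control is to watch RDP logon events closely. The script below is an added example written for this article, not code from the Justice Department, the advisory or any vendor. It runs over a small set of constructed Windows Security event records (Event ID 4624 for a successful logon, 4625 for a failed logon, logon type 10 for RemoteInteractive, i.e. RDP) and flags two things: successful RDP logons from outside an assumed corporate address range (10.0.0.0/8 is a placeholder), and source addresses that produced a burst of failed RDP logons. The field names, address range and thresholds are all assumptions for the example.

```python
"""Flag suspicious RDP logon activity in exported Windows Security events.

Added example, not from the article, the DOJ or the cited advisory. Assumes
events have already been exported as dicts carrying EventID, LogonType,
IpAddress, TargetUserName and an ISO-8601 Timestamp.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event ID 4624 = successful
# logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "administrator", "Timestamp": "2024-11-18T02:00:01"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "administrator", "Timestamp": "2024-11-18T02:00:05"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "admin", "Timestamp": "2024-11-18T02:00:09"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "backup", "Timestamp": "2024-11-18T02:00:13"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "administrator", "Timestamp": "2024-11-18T02:00:17"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45",
     "TargetUserName": "administrator", "Timestamp": "2024-11-18T02:00:40"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7",
     "TargetUserName": "jsmith", "Timestamp": "2024-11-18T03:00:00"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7",
     "TargetUserName": "jsmith", "Timestamp": "2024-11-18T03:01:00"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.5.12",
     "TargetUserName": "jsmith", "Timestamp": "2024-11-18T09:15:00"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-",
     "TargetUserName": "jsmith", "Timestamp": "2024-11-18T09:16:00"},
]

# Assumed range from which RDP is expected (e.g. a VPN pool); placeholder value.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_allowed_source(ip_str: str, allowed) -> bool:
    """True if the address is loopback, unparseable ("-"), or inside an allowed net."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # local/console logons carry "-" rather than an address
    return ip.is_loopback or any(ip in net for net in allowed)


def external_rdp_logons(events, allowed=ALLOWED_RDP_SOURCES):
    """Successful RDP (type 10) logons whose source lies outside the allowed ranges."""
    return [
        e for e in events
        if e["EventID"] == 4624 and e["LogonType"] == 10
        and not _is_allowed_source(e["IpAddress"], allowed)
    ]


def failed_rdp_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak count of failed RDP logons inside any sliding window,
    keeping only sources that reached the threshold."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == 10:
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["Timestamp"]))
    bursts: dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def prioritized_sources(events):
    """Sources that both produced a failure burst and then logged on from outside."""
    bursts = failed_rdp_bursts(events)
    successes = {e["IpAddress"] for e in external_rdp_logons(events)}
    return sorted(ip for ip in bursts if ip in successes)


if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print("external RDP logon:", e["IpAddress"], e["TargetUserName"], e["Timestamp"])
    for ip, n in failed_rdp_bursts(SAMPLE_EVENTS).items():
        print("failed RDP burst:", ip, n)
    print("review first:", prioritized_sources(SAMPLE_EVENTS))
```

The combination in `prioritized_sources` is the useful signal: a burst of failures followed by a success from the same outside address is the pattern to review first, while a lone external success or a lone burst each warrant a lower-priority look. In practice the allowed ranges would come from the organization's VPN and jump-host inventory rather than a constant, and exposed RDP would be removed from the internet entirely rather than merely monitored.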
Nearly every U.S. prosecution of an accused Russian national cybercriminal begins with an arrest in a third country, since Moscow has a policy of not cooperating with extradition requests. Western authorities accuse Russia of harboring a cybercriminal underground, partially because hackers can serve as proxies. In October, British police said Russian intelligence agencies tasked members of the cybercrime syndicate Evil Corp with hacking members of the NATO strategic alliance as part of a years-long relationship (see: Evil Corp Protected by Ex-Senior FSB Official, Police Say).