
Accused Phobos Ransomware Hacker in US Custody

Russian National Evgenii Ptitsyn Faces a 13-Count Criminal Indictment
A NASA image of Phobos, the largest of two moons orbiting Mars. (Image: NASA)

A Russian national accused of working for a ransomware gang made his first appearance in federal court earlier this month after extradition from South Korea, the U.S. Department of Justice disclosed Monday.


Evgenii Ptitsyn, 42, faces a 13-count criminal indictment that carries a potential sentence of life imprisonment. He is currently in federal custody.

Federal prosecutors say Ptitsyn joined the Phobos ransomware operation in 2020. First observed in 2019, Phobos nominally operates as a ransomware-as-a-service operation but in practice lets anyone obtain its software through cybercrime forums; prosecutors say affiliates paid about $300 for each decryption key. Ptitsyn used "derxan" and "zimmermanx" as online handles.

Hackers wielding Phobos ransomware have gained a reputation for targeting small-to-medium-sized organizations across a variety of industries including medical clinics. Among the victims noted in the Ptitsyn indictment are a North Carolina children's hospital, three healthcare providers, a healthcare company and two public school districts.

Hackers using a Phobos variant called BackMyData earlier this year attacked a spate of medical facilities in Romania, demanding approximately $171,000 in bitcoin.

Research from 2021 pegged the average Phobos ransom payment at around $54,000. Low individual ransoms did not stop Phobos operators from accumulating substantial earnings: prosecutors say they collectively extorted more than $16 million in attacks against more than 1,000 organizations in the U.S. and across the globe.

"It's only a matter of time; cybercriminals will be caught and brought to justice," said Erek L. Barron, U.S. attorney for the District of Maryland, where Ptitsyn is being prosecuted.

A federal cybersecurity advisory published in February concluded that Phobos ransomware is likely connected to numerous variants including Elking, Eight, Devos, Backmydata and Faust ransomware. Phobos hackers gain initial access through phishing campaigns and through vulnerable, internet-exposed Remote Desktop Protocol instances. They often deploy the SmokeLoader backdoor as a precursor to downloading the Phobos cryptolocker.
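The RDP access path described above is one a defender can watch for in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, especially when followed by a success (Event ID 4624) from the same address. The script below is an added example, not code from the article, the indictment or the federal advisory; its log lines are constructed, the field layout (timestamp, event ID, logon type, account, source IP) is a simplified stand-in for exported event data, and the five-failures-in-five-minutes threshold is an assumed tuning value.

```python
"""Flag likely RDP password-guessing sources from Windows Security log events.

Added example for this article; not from the article or the advisory it cites.
Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 =
RemoteInteractive (RDP). Other logon types are ignored so that SMB or service
logon failures do not inflate the count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Columns:
# timestamp, event id, logon type, account, source IP
SAMPLE_EVENTS = """\
2024-11-18T02:00:01 4625 10 administrator 203.0.113.7
2024-11-18T02:00:09 4625 10 administrator 203.0.113.7
2024-11-18T02:00:17 4625 10 admin 203.0.113.7
2024-11-18T02:00:25 4625 10 admin 203.0.113.7
2024-11-18T02:00:30 4625 3 svc_sql 203.0.113.7
2024-11-18T02:00:33 4625 10 backup 203.0.113.7
2024-11-18T02:00:41 4625 10 backup 203.0.113.7
2024-11-18T02:01:02 4624 10 backup 203.0.113.7
2024-11-18T08:15:00 4625 10 jdoe 198.51.100.20
2024-11-18T08:15:40 4625 10 jdoe 198.51.100.20
2024-11-18T08:16:05 4624 10 jdoe 198.51.100.20
2024-11-18T09:00:00 4624 10 mwilson 192.0.2.5
"""


def parse_events(text):
    """Parse the simplified five-column format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: details} for sources with >= threshold failed RDP logons
    inside any sliding time window, noting whether a success followed."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10 and e["event_id"] in (4624, 4625):
            by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        if not failures:
            continue
        # Sliding window over the sorted failures: peak count within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = failures[0]["ts"]
        hits[ip] = {
            "failures_in_window": peak,
            "users": {e["user"] for e in failures},
            # A success after the guessing run is the highest-priority signal.
            "success_after": any(
                e["event_id"] == 4624 and e["ts"] > first_fail for e in evs
            ),
        }
    return hits


if __name__ == "__main__":
    for ip, info in rdp_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is reported (six RDP failures across three accounts in under a minute, then a success), the single type-3 failure from the same address is ignored, and the two failures from 198.51.100.20 stay under the threshold. On a real estate the same logic would run over exported 4624/4625 events, and the user set is worth surfacing because spraying across several accounts distinguishes guessing from a locked-out employee.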

Nearly every U.S. prosecution of an accused Russian national cybercriminal begins with an arrest in a third country, since Moscow has a policy of not cooperating with extradition requests. Western authorities accuse Russia of harboring a cybercriminal underground, partly because hackers can serve as proxies for the state. In October, British police said Russian intelligence agencies had tasked members of the cybercrime syndicate Evil Corp with hacking members of the NATO alliance as part of a years-long relationship (see: Evil Corp Protected by Ex-Senior FSB Official, Police Say).


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.
