Russian suspected Phobos ransomware admin extradited to US over $16M extortion

This malware is FREE for EVERY crook ($300 decryption keys sold separately)


A Russian citizen has been extradited from South Korea to the United States to face charges related to his alleged role in the Phobos ransomware operation.

Evgenii Ptitsyn, 42, is accused of serving as an IT administrator for the gang.

According to American prosecutors [PDF], since November 2020 the Phobos crew let criminals use its Windows ransomware for free to infect others, then charged those crooks $300 per decryption key; the keys were then resold to victims for amounts set by the intruders.

The ransoms these extortionists demanded were relatively small - between $12,000 and $300,000 per victim - though the Feds claim that in total the code was used to extort around $16 million from organizations, and that it was Ptitsyn who provided crucial technical support.

"Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate," the US Justice Dept said in a statement this week.

"From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn," it is claimed.

Allegedly using the handles 'derxan' and 'zimmermanx,' Ptitsyn and his crew are accused of distributing the malware on dark web markets. While some ransomware operators charge many millions in their extortion attempts, it appears Phobos was used in smaller and less valuable attacks by script kiddies, such as 8base.

"Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments," said Principal Deputy Assistant Attorney General Nicole Argentieri, head of the Justice Department’s Criminal Division.

"We are especially grateful to our domestic and foreign law enforcement partners, like South Korea, whose collaboration is essential to disrupting and deterring the most significant cybercriminal threats facing the US."

The Russian is charged with 13 crimes, including wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud, four counts of causing intentional damage to protected computers, and another four of extortion. If convicted and given the maximum penalty, he faces over a century behind bars.

Ptitsyn was arrested in South Korea and held by the authorities until his extradition was secured. The circumstances of his cuffing have not yet been released but it's likely he was picked up while travelling, as has happened to others.

"The Justice Department is committed to leveraging the full range of our international partnerships to combat the threats posed by ransomware like Phobos," said Deputy Attorney General Lisa Monaco.

"Evgenii Ptitsyn allegedly extorted millions of dollars of ransom payments from thousands of victims and now faces justice in the United States thanks to the hard work and ingenuity of law enforcement agencies around the world — from the Republic of Korea to Japan to Europe and finally to Baltimore, Maryland." ®
