The U.S. Department of Justice (DOJ) announced Monday that Evgenii Ptitsyn, a 42-year-old Russian national, has been extradited from South Korea to the U.S. to face charges linked to the Phobos ransomware.
Prosecutors allege Ptitsyn orchestrated the operation, sale, and distribution of the malware, which has extorted over $16 million in payments from more than 1,000 victims worldwide, including schools, healthcare facilities, and government agencies. Authorities noted:
Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate.
Between December 2021 and April 2024, these fees were reportedly funneled into a wallet under Ptitsyn’s control.
Phobos ransomware, active since 2019, operates under a ransomware-as-a-service (RaaS) model in which affiliates carry out attacks across sectors including healthcare and critical infrastructure. Initial access typically comes through phishing emails carrying malicious attachments or through brute-force attacks against exposed Remote Desktop Protocol (RDP) ports. Once inside a network, Phobos encrypts files and demands ransom payments, often amounting to several million dollars. Notably, Phobos has been linked to variants such as Elking, Eight, Devos, Backmydata, and Faust, which share similar TTPs.
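As an added illustration of how a defender might spot the RDP brute-force initial-access pattern described above (this is example code, not from the DOJ release or the article): a small sliding-window detector run over constructed, simplified Windows-style failed-logon records. The record layout, IPs, and times are assumptions modelled loosely on Security Event ID 4625 with logon type 10 (RemoteInteractive, i.e. RDP).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Each tuple is a simplified
# view of a Windows Security event: (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    # one source hammering the RDP service within seconds
    ("2024-03-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2024-03-01T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2024-03-01T02:00:08", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:11", 4625, 10, "203.0.113.7", "guest"),
    ("2024-03-01T02:00:14", 4625, 10, "203.0.113.7", "scan"),
    # same source, but a network (type 3) failure: not an RDP attempt, ignored
    ("2024-03-01T02:00:20", 4625, 3, "203.0.113.7", "administrator"),
    # a user who mistypes twice and then succeeds: benign
    ("2024-03-01T02:05:00", 4625, 10, "198.51.100.20", "jdoe"),
    ("2024-03-01T02:05:30", 4625, 10, "198.51.100.20", "jdoe"),
    ("2024-03-01T02:06:00", 4624, 10, "198.51.100.20", "jdoe"),
    # five failures spread ten minutes apart: never dense enough for the window
    ("2024-03-01T01:00:00", 4625, 10, "192.0.2.9", "admin"),
    ("2024-03-01T01:10:00", 4625, 10, "192.0.2.9", "admin"),
    ("2024-03-01T01:20:00", 4625, 10, "192.0.2.9", "admin"),
    ("2024-03-01T01:30:00", 4625, 10, "192.0.2.9", "admin"),
    ("2024-03-01T01:40:00", 4625, 10, "192.0.2.9", "admin"),
]


def detect_rdp_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source_ip: peak_failures_in_window} for every source that reaches
    `threshold` failed RDP logons (4625, logon type 10) inside a sliding window."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, event_id, logon_type, src, _account in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue  # only failed RDP logons count towards the score
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(now)
        while q and now - q[0] > timedelta(minutes=window_minutes):
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {peak} failures in window")
```

Thresholds are deliberately conservative here; in practice the same logic is usually paired with an alert on the first successful type-10 logon from a source that was flagged shortly before.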
According to the DOJ: “Ptitsyn is charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking.” The Justice Department added:
If convicted, Ptitsyn faces a maximum penalty of 20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse.