Alleged Russian Phobos ransomware administrator extradited to U.S., in custody
A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.
“The Justice Department is committed to leveraging the full range of our international partnerships to combat the threats posed by ransomware like Phobos,” said Deputy Attorney General Lisa Monaco. “Evgenii Ptitsyn allegedly extorted millions of dollars of ransom payments from thousands of victims and now faces justice in the United States thanks to the hard work and ingenuity of law enforcement agencies around the world — from the Republic of Korea to Japan to Europe and finally to Baltimore, Maryland.”
Ptitsyn faces charges of wire fraud, wire fraud conspiracy, conspiracy to commit computer fraud and abuse, as well as four counts of extortion in relation to hacking and four counts of causing intentional damage to protected computers.
Along with his co-conspirators, Ptitsyn — who was known by the online handles “derxan” and “zimmermanx” at times — developed Phobos and offered access to the ransomware to other criminals in exchange for fees from successful ransomware attacks.
Those attacks began as far back as four years ago, and drew a warning from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation in February that Phobos was targeting state and local government services.
The ransomware is both “pretty standard” and noted for its small ransom demands, according to cybersecurity researchers.
Another researcher said the arrest makes sense in light of recent data about Phobos and 8Base ransomware operators that used a variant of Phobos.
“We recently identified a significant drop” in Phobos activity, Alexander Leslie, threat intelligence analyst for Recorded Future, said on X, “with 8Base stalling entirely last month.
“We have an explanation,” he wrote on the social media platform.
