SecurityWeek

Russian Phobos Ransomware Operator Extradited to US

Evgenii Ptitsyn was extradited from South Korea to the US to face charges for his alleged involvement in administering the Phobos ransomware.

A Russian national allegedly involved in administering the Phobos ransomware appeared in court in the US after being extradited from South Korea.

The man, Evgenii Ptitsyn, 42, was allegedly involved in the development of Phobos, and oversaw the sale, distribution, and operations of the ransomware, an indictment unsealed by the US Department of Justice shows.

Starting in November 2020, the indictment claims, Ptitsyn conspired with others to create and offer Phobos under the ransomware-as-a-service (RaaS) model, in which affiliates used Phobos to encrypt victims’ data and demand ransom payments.

The sale and distribution of the ransomware were coordinated using a Tor-based website, while the RaaS was advertised on dark web cybercrime forums and messaging platforms.

Phobos affiliates, DoJ says, hit over 1,000 organizations in the US and abroad, extorting more than $16 million from their victims.

After gaining access to a victim’s network, often using stolen credentials, the attackers copied files of interest and then deployed Phobos to encrypt the data. Victims were asked to pay a ransom in exchange for the decryption keys and threatened with having the stolen data made public.

According to the DoJ, Phobos’ affiliates paid fees to the RaaS administrators such as Ptitsyn. The payments were directed to cryptocurrency wallets unique to each affiliate and then transferred to a wallet controlled by Ptitsyn.

Ptitsyn is charged with 13 counts of wire fraud and wire fraud conspiracy, computer fraud and abuse conspiracy, computer hacking, and extortion. He could be sentenced to 20 years in prison for each wire fraud count, 10 years for computer hacking, and five years for extortion.

In March this year, CISA, the FBI, and MS-ISAC issued a joint alert on Phobos, warning government, education, emergency services, healthcare, and other critical infrastructure sectors of its continuous attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
