A Russian national allegedly involved in administering the Phobos ransomware appeared in court in the US after being extradited from South Korea.
The man, Evgenii Ptitsyn, 42, was allegedly involved in the development of Phobos, and oversaw the sale, distribution, and operations of the ransomware, an indictment unsealed by the US Department of Justice shows.
Starting November 2020, the indictment claims, Ptitsyn conspired with others to create and offer Phobos under the ransomware-as-a-service (RaaS) model, where affiliates were using Phobos to encrypt victims’ data and demand ransom payments.
The sale and distribution of the ransomware were coordinated using a Tor-based website, while the RaaS was advertised on dark web cybercrime forums and messaging platforms.
Phobos affiliates, DoJ says, hit over 1,000 organizations in the US and abroad, extorting more than $16 million from their victims.
After gaining access to a victim’s network, often using stolen credentials, the attackers copied files of interest and then deployed Phobos to encrypt the data. Victims were asked to pay a ransom in exchange for the decryption keys and threatened with having the stolen data made public.
According to the DoJ, Phobos’ affiliates paid fees to the RaaS administrators such as Ptitsyn. The payments were directed to cryptocurrency wallets unique to each affiliate and then transferred to a wallet controlled by Ptitsyn.
Ptitsyn is charged with 13-counts of wire fraud and wire fraud conspiracy, computer fraud and abuse conspiracy, computer hacking, and extortion. He could be sentenced to 20 years in prison for each wire fraud count, 10 years for computer hacking, and five years for extortion.
In March this year, CISA, the FBI, and MS-ISAC issued a joint alert on Phobos, warning government, education, emergency services, healthcare, and other critical infrastructure sectors of its continuous attacks.
Related: Akira Ransomware Drops 30 Victims on Leak Site in One Day
Related: Ransomware Attack Knocks 100 Romanian Hospitals Offline
Related: Ransomware Persists Even as High-Profile Attacks Have Slowed