A Russian national believed to be responsible for the Phobos ransomware operation is facing a long sentence after being extradited from South Korea to face charges in the US.
42-year-old Evgenii Ptitsyn made his initial appearance in the US District Court for the District of Maryland on Nov. 4 after his extradition from South Korea.
The US Justice Department places him (and other alleged masterminds) at the center of the Phobos ransomware operation, allegedly responsible for more than 1,000 hacks and extortion schemes on public and private entities in the US and around the world.
Ptitsyn, with the help of affiliates, is said to have extorted ransom payments worth more than $16 million.
Beginning in at least November 2020, the indictment alleges, Ptitsyn and fellow ransomware profiteers conspired to engage in an international computer hacking and extortion scheme that victimized public and private entities through the deployment of Phobos ransomware.
Phobos – a typical data-encrypting malware – is reportedly connected to numerous other ransomware variants (including Elking, Eight, Devos, Backmydata, and Faust) due to the similar tactics and deployment procedures observed by security researchers over the years.
Operators typically gain access to vulnerable networks by leveraging phishing campaigns to drop hidden payloads. Once in, the hackers brute-force login credentials to gain a foothold and advance further into the network, steal the victim’s sensitive data for extortion, and ultimately deploy the data-crippling Phobos malware.
“As part of the scheme, Ptitsyn and his co-conspirators allegedly developed and offered access to Phobos ransomware to other criminals or ‘affiliates’ for the purposes of encrypting victims’ data and extorting ransom payments from victims,” the DOJ notes, describing what infosec jargon calls Ransomware-as-a-Service, or RaaS.
“The administrators operated a darknet website to coordinate the sale and distribution of Phobos ransomware to co-conspirators and used online monikers to advertise their services on criminal forums and messaging platforms.”
Ptitsyn allegedly used screen names like “derxan” and “zimmermanx.”
In a typical RaaS operation, affiliates hack into victims’ networks, copy and steal data for later extortion, then encrypt the original versions of the stolen data on the victims’ end by deploying ransomware.
“Affiliates then extorted the victims for ransom payments in exchange for the decryption keys to regain access to encrypted data by leaving ransom notes on compromised victims’ computers and by calling and emailing victims to initiate the ransom payment negotiations,” according to the DOJ. “Affiliates also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid.”
After a successful Phobos ransomware attack, affiliates would pay fees to Phobos administrators to obtain a decryption key for leverage in extorting individual victims.
“[…] Each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate,” the DOJ notes.
Over a three-year period, the decryption key fees were transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn, says the US Justice Department.
Ptitsyn faces 13 charges of wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. If convicted, he’s looking at 20 years for each wire fraud count, 10 years for the computer hacking counts, and five additional years for conspiracy to commit computer fraud and abuse.
According to the DOJ, a federal district court judge will determine his final sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Ransomware operations have been taking a massive blow globally in recent years. Earlier this month, Interpol announced the culmination of Operation Synergia II, a major takedown across three continents as part of an operation targeting phishing, info stealers, and ransomware.
In October, the Russian justice system itself sentenced four individuals linked to the prolific REvil ransomware operation.
Major ransomware operations like Phobos and REvil have focused on large organizations like government agencies, healthcare facilities, educational institutions, and critical infrastructure. But regular netizens must also be vigilant against this threat, as ransomware operators also target regular people, taking their home computers hostage in exchange for a ransom.
Bitdefender recommends keeping your devices and software updated with the latest security patches to limit the possibility of compromise via a software weakness. Be wary of unsolicited communications via SMS or email asking for your personal information or urgent action. When in doubt, use Scamio, our clever scam-fighting chatbot. For peace of mind, always have a dedicated security solution running on both your phone and computer.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
December 19, 2024
November 14, 2024