
US charges two Russian men in connection with Phobos ransomware operation

Graham CLULEY

February 14, 2025


The US Department of Justice (DOJ) has unsealed criminal charges against two Russian nationals, alleged to have operated a cybercrime gang that used ransomware to target over 1000 American organisations.

Roman Berezhnoy and Egor Nikolaevich Glebov, 33 and 39 years old respectively, are alleged to have extorted over US $16 million in ransom payments using the Phobos ransomware.

Between May 2019 and at least October 2024, Roman Berezhnoy, Egor Nikolaevich Glebov, and others are alleged to have hit a wide range of victims including a children’s hospital, health care providers, and educational institutions with their cyber attacks and ransom demands.

Berezhnoy, Glebov, and others are alleged to have run the Phobos ransomware affiliate operation, variously called names such as "8Base" and "Affiliate 2803", which left victims with their files encrypted and a demand that a cryptocurrency ransom be paid to regain access to their content.

As is typical with many ransomware attacks, the criminal scheme threatened that the victim's stolen data would be published if a ransom was not paid.

The DOJ's indictment against Berezhnoy and Glebov details how victims of the Phobos ransomware often received a ransom demand of under US $100,000 - less than the demands made by other notorious ransomware groups.

Berezhnoy and Glebov were arrested on Monday as part of a coordinated operation in which multinational law enforcement agencies disrupted the operations of a cybercrime organisation, and which also saw the arrest of other suspects and the takedown of more than 100 servers used in the Phobos scheme.

In February 2024, the FBI warned of the threat posed by Phobos, and shared details of the steps organisations could take to reduce the chances of falling foul of ransomware.

If convicted of the charges filed against them, Berezhnoy and Glebov face a potential sentence of decades in prison.

Another Russian national, Evgenii Ptitsyn, was recently extradited to the United States from South Korea to face charges that he administered the sale, distribution, and operation of the Phobos ransomware.

Ptitsyn's indictment underlined that it is not just the largest and wealthiest companies who are targeted by ransomware operators - with one affiliate allegedly having successfully extorted a ransom of just US $2,300 out of a Maryland healthcare provider.



Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
