Cyber: Phobos Ransomware Admin Pleads Guilty To Wire Fraud Conspiracy
A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide.
Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.
The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.
43-year-old Evgenii Ptitsyn was extradited from South Korea in November 2024 and was charged in the United States for overseeing the sale, distribution, and day-to-day operation of Phobos ransomware.
According to court documents, Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020, selling access to the Phobos ransomware to criminal affiliates through a darknet website and advertising on criminal forums under the "derxan" and "zimmermanx" handles.
The affiliates broke into targets' networks (including schools, hospitals, and government agencies), often using stolen credentials, exfiltrated files, and encrypted sensitive data before demanding payment. When victims refused to pay the ransoms, the affiliates also threatened them via email and phone calls with leaking their stolen data online and sending it to their customers.
Affiliates paid a per-deployment fee to Ptitsyn in exchange for a decryption key, and Ptitsyn collected a cut of ransom payments made by victims. From December 2021 to April 2024, all decryption key fees were transferred from an affiliate cryptocurrency wallet to a single Phobos admin cryptocurrency wallet under Ptitsyn's control.
"After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads. "Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate."
Ptitsyn has been scheduled for sentencing on July 15 and is now facing up to 20 years following his guilty plea to wire fraud conspiracy.
Earlier this year, Polish police detained a 47-year-old man suspected of ties t
Source: BleepingComputer