INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Phobos Ransomware admin faces up to 20 years
2026-03-05 19:12 | CRITICAL | LOW
Executive Summary (AI-generated)
The Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments. Russian national Evgenii Ptitsyn pleaded guilty to wire fraud conspiracy for his role in the scheme and faces up to 20 years in prison; he helped sell and operate the ransomware platform that affiliates used to attack victims.
Technical Mitigations (AI-generated)
* Use of secure communication channels: The use of encrypted messaging and secure communication channels, such as Signal or WhatsApp, can help protect against Phobos ransomware attacks by ensuring that sensitive information is not intercepted or accessed by unauthorized parties.
* Implementing robust security measures: Organizations should implement robust security measures, such as firewalls, intrusion detection systems, and antivirus software, to detect and prevent Phobos ransomware attacks. Regularly updating software and patches can also help protect against known vulnerabilities.
* Using secure payment processing: Payment processors and online marketplaces should use secure payment processing methods, such as tokenization or encryption of sensitive information, to minimize the risk of Phobos ransomware attacks on customers' financial data.
* Implementing incident response plans: Organizations should have incident response plans in place to quickly respond to Phobos ransomware attacks. This includes having a clear understanding of how to contain and mitigate the attack, as well as having necessary resources and personnel available to do so.
* Regularly updating software and systems: Regularly updating software and systems can help prevent exploitation of known vulnerabilities that could be used by Phobos ransomware attackers. It is also essential to have a clear understanding of how to patch vulnerabilities quickly in the event of an attack.
Intelligence Metadata
* Actors / Malware / CVEs / Campaigns: Operation Aether
* Target & Sectors: NORTH_AMERICA; government
Incident Timeline

November 2020
Evgenii Ptitsyn and others used a ransomware-as-a-service model to extort victims by selling decryption keys for Phobos Ransomware on darknet forums.
Entities:
* tactic: Ransomware. Evgenii Ptitsyn and others allegedly ran an international hacking scheme since November 2020, deploying Phobos ransomware to extort victims.
* organisation: affiliates. Affiliates paid fees to administrators like Ptitsyn for decryption keys, with payments routed via unique cryptocurrency wallets from 2021–2024.
May 2024
Phobos ransomware was used to target users between May 2024 and November 2024.
Entities:
* tactic: Ransomware; general_metric: 11 %. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.
November 2024
Evgenii Ptitsyn was charged in the United States with overseeing Phobos ransomware, which had been widely distributed through many affiliates.
Entities:
* tactic: Ransomware; target_region: Korea, Republic of; target_region: United States; organisation: Evgenii Ptitsyn. 43-year-old Evgenii Ptitsyn was extradited from South Korea in November 2024 and was charged in the United States for overseeing the sale, distribution, and day-to-day operation of Phobos ransomware.
* general_metric: 11 %. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.
February 2025
A 47-year-old man was arrested in Poland on suspicion of involvement in the Phobos ransomware operation; the arrest was linked to Europol's Operation Aether, which targeted the group.
Entities:
* attribution: Italy; infrastructure: 27 servers. Other key results of this operation include a massive disruption in February 2025, when police detained two suspected affiliates and seized 27 servers, and the arrest of another affiliate in Italy in 2023.
* tactic: Ransomware; organisation: Europol; general_metric: 400 companies. "As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks," Europol noted in February 2025.
* target_region: Russian Federation; organisation: the U.S. Justice Department. In February 2025, the U.S. Justice Department unsealed charges against Russian nationals Roman Berezhnoy and Egor Glebov for operating a Phobos ransomware group.
* organisation: Operation Aether. The arrest was part of Operation Aether, coordinated by Europol, which has targeted Phobos operators, affiliates, and infrastructure worldwide.
* organisation: the Central Bureau for Combating Cybercrime. “Officers from the Central Bureau for Combating Cybercrime detained a 47-year-old man suspected of creating, acquiring, and sharing computer programs used to unlawfully obtain information stored in computer systems.”
* organisation: IP. “Officers secured files on the man’s computer containing digital data, such as logins, passwords, credit card numbers, and server IP addresses.”
* organisation: the District Prosecutor’s Office. The case is overseen by the District Prosecutor’s Office in Gliwice.
* organisation: SecurityAffairs. Source byline: Pierluigi Paganini (SecurityAffairs – hacking, Phobos Operation).
December 2021 to April 2024
Ransomware affiliates transferred decryption key fees from unique wallets to a single wallet controlled by the Phobos admin.
Entities:
* tactic: Ransomware. “Each deployment of Phobos ransomware was assigned a unique alphanumeric string to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to the affiliate,” reads the press release published by DoJ. “From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet Ptitsyn controlled.”
2026-03-05
Evgenii Ptitsyn pleaded guilty in the US to wire fraud conspiracy for his role in administering Phobos ransomware.
Entities:
* organisation: Phobos. A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide.
* organisation: The U.S. Department of Justice; financial: $39 million (Stolen / Extorted Funds). The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.
* data_breach: November 2020. According to court documents, Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020, selling access to the Phobos ransomware to criminal affiliates through a darknet website and advertising on criminal forums under the "derxan" and "zimmermanx" handles.
* organisation: affiliates; financial: $300 (affiliate decryption key fee). "After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads. Affiliates paid a per-deployment fee to Ptitsyn in exchange for a decryption key, and Ptitsyn collected a cut of ransom payments made by victims.
* organisation: DoJ; financial: $16 million (extorted ransom payments). According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments.
* organisation: Europol. The action is part of “Operation Aether,” a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates.
* organisation: IP; organisation: the District Prosecutor’s Office. During a search of the suspect’s residence, investigators supervised by the District Prosecutor’s Office in Gliwice found files on his devices containing credentials, passwords, credit card numbers, and server IP addresses that could be used to gain unauthorized access to computer systems and facilitate ransomware attacks.
* organisation: Central Bureau of Cybercrime Control (CBZC). Officers from Poland’s Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce.
July 15
Phobos ransomware affiliates are facing up to 20 years in prison after being sentenced for their roles in a wire fraud conspiracy.
Entities:
* tactic: Ransomware. "Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate." Ptitsyn has been scheduled for sentencing on July 15 and is now facing up to 20 years following his guilty plea to wire fraud conspiracy.
2046-02-28
Evgenii Ptitsyn pleaded guilty in the U.S. for his role in the Phobos ransomware operation and faces up to 20 years in prison.
Entities:
* target_region: Russian Federation; organisation: Ransomware; organisation: Evgenii Ptitsyn; general_metric: 43 (age of Evgenii Ptitsyn at his guilty plea). Phobos Ransomware admin faces up to 20 years after guilty plea. Russian national Evgenii Ptitsyn (43) pleaded guilty in the U.S. for his role in the Phobos ransomware operation.
Tactical Metrics
* infrastructure: 27 servers. Seized in the February 2025 disruption, when police also detained two suspected affiliates.
* financial: 39,000,000 (Stolen / Extorted Funds). The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.
* data_breach: November 2020. According to court documents, Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020.
* financial: 300 (affiliate decryption key fee). "After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads.
* financial: 16,000,000 (extorted ransom payments). According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments.
Intelligence Sources
* Data Breaches, 2026-02-17: BleepingComputer
* 2026-03-05: "Phobos ransomware admin pleads guilty to wire fraud conspiracy" (BleepingComputer)
* 2026-03-05: "Phobos Ransomware admin faces up to 20 years after guilty plea" (Security Affairs)
Last Updated: 2026-04-27T07:45
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 16x organisation (Identified Entity): Phobos
* 13x timeline (Temporal Reference): 43-year-old (date)
* 6x attribution (Attributing Entity): Italy (authority)
* 4x target region (Target Country): Russian Federation
* 4x source region (Origin Country): Italy
Contextual Telemetry
Context Block
* tactic (Cyber Operation Type): Ransomware
* infrastructure (Servers): 27
* industry (Targeted Sector): Government
* general metric (%): 11
* financial (Stolen / Extorted Funds): 39,000,000
* general metric (Public Entities): 1,000
* data breach (November): 2020
* financial (Affiliates): 300
* campaign (Campaign): Operation Aether
* general metric (Companies): 400
* general metric (Countries): 14
* tactic (MITRE ATT&CK Technique): T1588.001 - Malware
* general metric (Guilty Plea, Russian national Evgenii Ptitsyn, age): 43
* financial (States): 16,000,000