Phobos Ransomware Operation Targeted Hundreds of Victims Worldwide
A Russian national has pleaded guilty to a wire fraud conspiracy charge stemming from his involvement in the administration of the Phobos ransomware operation, which impacted hundreds of victims globally. The operation, a ransomware-as-a-service (RaaS) offering, has been linked to the Crysis ransomware family and accounted for approximately 11% of submissions to the ID Ransomware service between May and November 2024.
Millions in Ransom Payments
The U.S. Department of Justice reports that the Phobos ransomware gang has collected over $39 million in ransom payments from more than 1,000 public and private entities worldwide.
Evgenii Ptitsyn’s Role
Evgenii Ptitsyn, 43, was extradited from South Korea in November 2024 and charged in the United States with overseeing the sale, distribution, and operation of the Phobos ransomware. Court documents indicate that Ptitsyn and his associates began the cybercrime operation as early as November 2020, selling access to the ransomware through a darknet website and criminal forums under the aliases “derxan” and “zimmermanx”.
Affiliate Model and Tactics
The Phobos operation utilized an affiliate model, where affiliates breached target networks – including schools, hospitals, and government agencies – often exploiting stolen credentials. These affiliates exfiltrated sensitive data and encrypted systems, demanding ransom payments. Victims who refused to pay faced threats of data leaks and distribution to customers. Affiliates paid Ptitsyn a fee for each deployment and a percentage of the ransom received.
Decryption Key Fees
From December 2021 to April 2024, affiliates paid approximately $300 in cryptocurrency for each decryption key needed to restore access to encrypted files. Each ransomware deployment was assigned a unique identifier linked to the corresponding decryption key, and affiliates were directed to pay fees to unique cryptocurrency wallets.
Sentencing and Operation Aether
Ptitsyn is scheduled for sentencing on July 15 and faces up to 20 years in prison following his guilty plea. Law enforcement efforts against Phobos have been coordinated under “Operation Aether,” a Europol-led international initiative. In February 2025, Polish police detained a man suspected of ties to the ransomware, seizing computers and mobile devices containing stolen data as part of this operation.
Operation Aether has resulted in multiple arrests, including two affiliates in February 2025 and another in Italy in 2023. Law enforcement agencies were able to warn over 400 companies worldwide of potential attacks as a result of the operation. The operation involved agencies from 14 countries.
Free Decryptor Available
A free decryptor capable of recovering files encrypted by Phobos ransomware and its variant, 8Base, was released by police in July 2025.