Russian ransomware administrator pleads guilty to operating Phobos ransomware

Evgenii Ptitsyn, a 43-year-old Russian national, has pleaded guilty to selling, distributing, and operating Phobos ransomware.

According to the US Department of Justice, Ptitsyn and others had been planning an international ransomware conspiracy since at least 2020.

As part of this scheme, Ptitsyn and his co-conspirators developed and offered access to Phobos ransomware to so-called ‘affiliates’ to encrypt victims’ data and extort ransom payments from them.

The administrators operated this Ransomware-as-a-Service (RaaS) scheme from a website on the dark web to coordinate the sale and distribution of Phobos ransomware. They used online monikers to advertise their services on criminal forums and messaging platforms.

Affiliates often used stolen login credentials to hack victims’ computers worldwide, obtained personal and confidential files that were stored on victims’ devices, and executed Phobos malware to encrypt the original files and extort victims for ransom.

In exchange for a ransom demand, the affiliates would send a decryption key so that the victims could regain access to their files. To increase the pressure, the attackers threatened to expose the victims’ stolen files to the public if they didn’t pay.

As in any ransomware scheme, the developers and administrators of the Phobos ransomware were given a piece of the pie of all illicit revenues.

The US Department of Justice alleges that Ptitsyn and his co-conspirators victimized more than 1,000 people in the United States and around the world, extorting payments worth over $39 million.

Ptitsyn was extradited from South Korea to the United States in November 2020. If the court finds him guilty of committing wire fraud, the Russian national faces a maximum penalty of 20 years in prison.

The sentencing is set for Wednesday, July 15, 2026.