US indicts 8Base ransomware operators for Phobos encryption attacks


The U.S. Justice Department announced the names of two Phobos ransomware affiliates arrested yesterday in Thailand, charging them on 11 counts due to their involvement in more than a thousand cyberattacks.

The two men, Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), are both Russian citizens who were active in the ransomware space between May 2019 and at least October 2024.

The DoJ says Berezhnoy and Glebov were the operators of the “8Base” and “Affiliate 2803” platforms, both deploying the Phobos ransomware strain in attacks.

“As part of the scheme, Berezhnoy, Glebov, and others allegedly hacked into victim computer networks, copied and stole files and programs on the victims’ network, and encrypted the original versions of the stolen data with Phobos ransomware,” reads the U.S. DoJ announcement.

“The conspirators then allegedly extorted the victims for ransom payments in exchange for the decryption keys to regain access to the encrypted data by, among other things, leaving a ransom note on compromised victim computers and separately reaching out to victims to initiate ransom payment negotiations.”

“As alleged, the conspirators also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid.”

The two cybercriminals were arrested in separate locations in Phuket yesterday and now face a long list of charges that include:

  • Wire fraud conspiracy (1 count)
  • Wire fraud (1 count)
  • Conspiracy to commit computer fraud and abuse (1 count)
  • Intentional damage to protected computers (3 counts)
  • Extortion related to damage to a protected computer (3 counts)
  • Transmitting a threat to impair the confidentiality of stolen data (1 count)
  • Unauthorized access and obtaining information from a protected computer (1 count)

If convicted, they could receive a penalty of up to 20 years for wire fraud-related charges, 10 years for computer damage charges, and 5 years for the other counts.

The arrest and charging of the two Russian cybercriminals follows a similar action against Evgenii Ptitsyn, also a Russian national believed to have held an administrative role in the Phobos operation.

Europol infiltrated Phobos

In a separate announcement from Europol today, it was revealed that law enforcement authorities took down 27 servers associated with the 8Base ransomware group, ending its operations.

Yesterday’s news of the arrests in Thailand was directly linked to the appearance of seizure banners on 8Base’s extortion portals, but official confirmation of the action came earlier today.

Europol has also disclosed a key arrest of a Phobos affiliate in Italy in 2023, which allowed its investigators to infiltrate the operation and gain intelligence that helped protect hundreds of targets.

“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks,” explains Europol.

Phobos has been active since December 2018, and while these law enforcement operations have somewhat disrupted it, the level of their impact is unclear at this time.


