The Justice Department has unsealed charges against Roman Berezhnoy and Egor Nikolaevich Glebov, both Russian nationals, accused of running a cybercrime group using Phobos ransomware. This operation allegedly targeted over 1,000 entities globally, amassing over $16 million in ransom payments. Their arrests occurred as part of an international effort to dismantle their organization, involving additional arrests and technical disruptions.
From May 2019 through October 2024, the defendants are said to have caused significant losses by denying victims access to their data and demanding ransoms for its return. Among those affected were a children's hospital, healthcare providers, and educational institutions.
Court documents reveal that Berezhnoy and Glebov operated under names such as "8Base" and "Affiliate 2803," deploying Phobos ransomware to compromise networks. The scheme involved hacking into systems, stealing data, encrypting it with ransomware, and then extorting victims for decryption keys. The group also threatened to publicly expose stolen files if ransoms were not paid.
A darknet website was reportedly used to reinforce these threats and publish data from non-compliant victims. Affiliates paid fees for decryption keys following successful attacks.
These charges coincide with the recent arrest of Evgenii Ptitsyn on related accusations. In conjunction with today's actions, Europol and German authorities announced a multinational operation with the FBI to disrupt over 100 servers linked to this network.
Berezhnoy and Glebov face an 11-count indictment that includes wire fraud conspiracy, computer fraud conspiracy, intentional damage to protected computers, extortion-related charges, threats regarding stolen data confidentiality impairment, and unauthorized access to protected computers. Potential penalties include up to 20 years for each wire fraud-related count, 10 years for each computer damage count, and five years for other charges. Sentencing will be determined by a federal judge considering guidelines and statutory factors.
The announcement came from Erek L. Barron (U.S. Attorney for Maryland), Antoinette T. Bacon (Justice Department’s Criminal Division), and William J. DelBagno (FBI Baltimore Field Office). The investigation is led by the FBI Baltimore Field Office, with thanks extended to international partners across several countries, along with Europol and the U.S. Department of Defense Cyber Crime Center.
The case is being prosecuted by Assistant U.S. Attorney Thomas M. Sullivan (District of Maryland) alongside Senior Counsel Aarash A. Haghighat (Criminal Division’s Computer Crime & Intellectual Property Section). Former attorneys Riane Harper (CCIPS), Aaron S.J. Zelinsky, and Jeffrey J. Izant provided substantial assistance.
Details on safeguarding against Phobos ransomware can be found at StopRansomware.gov, which includes advisory AA24-060A from the Cybersecurity & Infrastructure Security Agency.
An indictment remains an allegation until guilt is proven beyond a reasonable doubt in court.