U.S. federal government contractors, healthcare providers, public school systems and a law enforcement union were among the targets of Phobos ransomware over a five-year span, according to an indictment unsealed this week.

The document sheds light on a durable cybercrime operation that has drawn serious attention from security researchers and law enforcement agencies, even though it has kept a lower profile than other ransomware gangs known for flashy data-leak sites, brand-name targets and big paydays. 

The 19-page indictment of Russian national Evgenii Ptitsyn lists multiple successful extortions of U.S. entities, ranging in size from a $2,300 payment in bitcoin from a Maryland healthcare provider in October 2023, to $300,000 in bitcoin from a California public school system in June 2023.

Ptitsyn, currently in U.S. custody, is accused of being a Phobos administrator and faces more than a dozen charges related to wire fraud and damaging protected computers. Reports on Phobos activity date back to at least 2019; the indictment points to evidence collected from November 2020 onward. 

Prosecutors say the ransomware-as-a-service operation has collected upwards of $16 million from about 1,000 victims worldwide. Cybersecurity researchers have noted a large drop in Phobos activity this month, coinciding with Ptitsyn’s first appearance in a Maryland federal court on November 4.

Phobos administrators made money by conducting their own ransomware attacks, the indictment says, and by distributing the malicious code on the dark web to affiliates. When those users successfully encrypted a victim’s files, they paid about $300 to the administrators for a one-time decryption key that could be exchanged for a ransom payment. Ptitsyn personally controlled the cryptocurrency wallet for the fees from affiliates, prosecutors said.

The indictment — filed in May but sealed until Monday — lists more than two dozen Phobos infections. The victims, all unnamed by prosecutors, include:

• The California public school system, which paid the $300,000 ransom in the summer of 2023.
• A Maryland-based company that provided accounting and consulting services to federal agencies. It paid a $12,000 ransom in early 2021.
• A Pennsylvania healthcare organization that paid $20,000 in the spring of 2022.
• An Illinois-based contractor for the U.S. departments of Defense and Energy. The indictment does not specify whether it made a payment.
• Maryland healthcare organizations that paid ransoms of $25,000 and $37,000 in the summer of 2022.
• A New York-based law enforcement union and a federally recognized tribe in the summer of 2022. The indictment does not specify whether either made a payment.
• A Connecticut public school system in the summer of 2023. It did not pay the ransom, prosecutors said.
• A North Carolina children’s hospital in the fall of 2023. It paid $100,000.

It’s difficult to match those cases with publicly reported ransomware attacks, given the prevalence of such incidents involving healthcare institutions, school districts and similar organizations. In many cases the infections — and any associated payments — are handled quietly by the victims, their cybersecurity teams and law enforcement. The FBI advises ransomware victims against paying up.

Security researchers have highlighted Phobos’ habit of keeping its ransom demands relatively low, compared to the other cybercrime gangs that draw headlines with multimillion-dollar extortion attempts or huge data leaks. Likewise, many Phobos targets have been small or medium-sized businesses, not household names. And Phobos does not operate a leak site where it publicizes its attacks. Variants such as Elbie and Eking also do not have leak sites.

That strategy, notes Recorded Future ransomware expert Allan Liska, probably helped Phobos outlive notorious groups such as REvil, Conti, Hive, Black Cat and LockBit. The Record is an editorially independent unit of Recorded Future.

Researchers are also monitoring a Phobos spinoff, 8Base, that has been called a “heavy hitting player.” That group, which operates a leak site, positions itself as a penetration-testing operation that aims to spotlight organizations that haven’t properly protected their data. 8Base activity is also down since Ptitsyn’s arrests, researchers say.