The Evolving Ransomware Ecosystem
- March 15, 2026
- Clayton Rice, K.C.
Ransomware operations are not only a technological problem. They have evolved into systematized extortion campaigns that weaponize stolen data. Although two recent cases in the United States District Court for the District of Maryland involved standard tactics from the ransomware playbook, they also highlight the use of extortion strategies indicative of increased sophistication. Multi-extortion techniques, such as denial-of-service coupled with a threat to publish stolen data, are increasingly deployed by threat actors and continue to evolve.
1. Introduction
On November 18, 2024, the United States Department of Justice unsealed a 13-count indictment charging Evgenii Ptitsyn, a Russian national, with conspiracy to commit wire fraud for allegedly administering the sale, distribution and operation of Phobos ransomware. (here) In a concurrent press release, the U.S. Attorney’s Office asserted that Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities worldwide and extorted ransom payments worth more than US$39 million. (here) Mr. Ptitsyn made his first appearance in the U.S. District Court for the District of Maryland in Baltimore on November 4, 2024, after being extradited from South Korea. On March 4, 2026, he pleaded guilty and faces a maximum term of imprisonment of 20 years on the wire fraud count. The sentencing hearing is scheduled for July 15, 2026. (here)
2. The Ptitsyn Indictment
According to the glossary of terms contained in the indictment, Phobos ransomware is a form of malware that infected a computer by targeting vulnerabilities in “remote desktop protocol” and encrypted some or all of the data on the computer, marking the encrypted files with extensions such as “.devil”, “.help”, “.phobos”, “.eight” and “.Elbie”. Once the data on the computer was encrypted, distributors of the malware could extort victims by demanding a ransom in exchange for the decryption key needed to regain access to the encrypted data. Described as a “long-running ransomware-as-a-service operation linked to the Crysis ransomware family” and as “similar to the Dharma variant”, it was first detected in 2018 and typically targeted smaller enterprises. (here and here)
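As an added, defender-side illustration (not code from the article, the indictment or the Phobos operation itself), the script below walks a directory tree and tallies files whose names end in one of the extensions the glossary lists, which is the sort of quick triage a responder runs to scope an encryption incident before touching anything. The case-insensitive, suffix-based matching and the constructed sample tree (including the made-up id token and contact address embedded in two of the file names) are assumptions of this example, not facts taken from the page.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes taken from the indictment glossary as quoted in the article.
# Matching is case-insensitive and suffix-based (an assumption made here):
# ".Elbie" is capitalised in the source, and encrypting malware commonly
# appends its marker after the original name rather than replacing it.
PHOBOS_SUFFIXES = (".devil", ".help", ".phobos", ".eight", ".elbie")


def matching_suffix(name: str):
    """Return the listed suffix that the file name ends with, or None."""
    lower = name.lower()
    for suffix in PHOBOS_SUFFIXES:
        if lower.endswith(suffix):
            return suffix
    return None


def scan_tree(root) -> dict:
    """Walk root and tally files carrying a listed suffix.

    Returns the total hit count, counts per suffix, counts per directory,
    the share of all files seen that matched, and the sorted hit paths:
    the summary a responder wants before deciding the scope of an incident.
    """
    by_suffix = Counter()
    by_dir = Counter()
    hits = []
    total_files = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total_files += 1
            suffix = matching_suffix(name)
            if suffix is None:
                continue
            by_suffix[suffix] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
            hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    share = (len(hits) / total_files) if total_files else 0.0
    return {
        "total": len(hits),
        "files_seen": total_files,
        "share": share,
        "by_suffix": dict(by_suffix),
        "by_dir": dict(by_dir),
        "hits": sorted(hits),
    }


def build_sample_tree(base) -> Path:
    """Create a constructed directory tree for offline use (not victim data).

    The id token and contact address in the names are made up for the sample;
    they only illustrate that the marker may sit at the end of a longer name.
    """
    base = Path(base)
    samples = {
        "finance/q1.xlsx.id[ABCD1234-0001].[contact@example.invalid].phobos": b"\x00",
        "finance/q2.xlsx.id[ABCD1234-0001].[contact@example.invalid].phobos": b"\x00",
        "finance/budget.docx": b"intact",
        "hr/roster.csv.Elbie": b"\x00",
        "hr/notes.txt": b"intact",
        "hr/helper.py": b"intact",  # ends in .py and must not match ".help"
    }
    for rel, content in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['total']} of {summary['files_seen']} files matched "
          f"({summary['share']:.0%}); by suffix: {summary['by_suffix']}")
    for path in summary["hits"]:
        print("  ", path)
```

Run it against a mounted image or a read-only share rather than the live host; the per-directory counts show where encryption stopped, which is often the first clue to when the process was interrupted or which shares the operator reached.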
The objects of the conspiracy were described in the stipulation of facts attached to the indictment as follows: (a) distribute the Phobos ransomware to other co-conspirators; (b) gain unauthorized access to victims’ computers; (c) copy and steal data from victims’ computers; (d) install and execute the Phobos ransomware on victims’ computers, resulting in the encryption of data on the computers; (e) extort victims by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data; (f) threaten to release stolen data if the ransom was not paid; (g) collect ransom payments from victims; (h) charge other co-conspirators $300 per decryption key to regain access to encrypted files of victims; and (i) distribute Phobos ransomware decryption key payments and ransom proceeds to Mr. Ptitsyn and other co-conspirators. (here)
Mr. Ptitsyn assumed a leadership role in the conspiracy by acting as an administrator of the Phobos ransomware variant. He controlled multiple cryptocurrency wallets that received thousands of $300 decryption key fees from affiliates who used the ransomware. He also received 25 per cent of the decryption key payment and, at times, received a portion of the ransom payments made by victims. He also gained control of the primary Jabber accounts that administrators of the Phobos ransomware variant used to advertise their ransomware and communicate with potential co-conspirators. The administrators also operated a darknet website to coordinate the sale and distribution of the ransomware to co-conspirators. (here)
3. The Berezhnoy and Glebov Indictment
On February 11, 2025, Europol announced that a coordinated international law enforcement action dubbed Operation Aether had culminated in the arrest of four individuals leading the 8Base ransomware group, including Mr. Ptitsyn. Supported by Europol and Eurojust, the operation involved law enforcement agencies from 14 countries including Britain’s National Crime Agency, France’s Brigade de lutte contre la cybercriminalité de Paris, and Germany’s Bayerisches Landeskriminalamt. (here and here) In a contemporaneous press release, the U.S. Attorney’s Office, District of Maryland, unsealed a superseding indictment charging Russian nationals Roman Berezhnoy and Egor Nikolaevich Glebov with conspiracy to operate a cybercrime group and commit wire fraud. (here) The defendants were arrested as part of the multinational law enforcement disruption operation. (here)
The superseding indictment alleges that Mr. Berezhnoy, Mr. Glebov and others conspired to operate as a cybercrime group using the Phobos ransomware, including through Phobos affiliate identifier “2803” and the name “8Base”. They purportedly engaged in a computer hacking and extortion scheme that victimized more than 1,000 public and private entities in the United States and elsewhere, including in the District of Maryland, and obtained ransom payments worth more than US$16 million. The alleged victims include a law firm, an accounting and consulting services company, two healthcare providers and a law enforcement union.
As part of the scheme, the co-conspirators hacked into the victims’ computer networks, often using stolen credentials; stole files and programs on the victims’ networks; and encrypted the original versions of the stolen data with the object of preventing the victims from accessing the data. The co-conspirators then extorted the victims for ransom payments in exchange for the decryption keys by leaving a ransom note on compromised victim computers and by calling and emailing victims to initiate ransom negotiations. If the ransoms were not paid, the co-conspirators threatened to expose a victim’s stolen files publicly or specifically to the victim’s clients or customers. (here)
4. The Multi-Extortion Tactic
The indictments contain some common allegations. Both, for example, allege denial-of-service attacks and a threat to publish the stolen data in identical terms. Clause 3 of each indictment alleges that the co-conspirators: (a) encrypted the original versions of the stolen data to prevent the victims from accessing the compromised networks; and (b) threatened to expose the stolen data to the public or to the victims’ clients or customers if the ransoms were not paid. The 15 victims in the Ptitsyn indictment, identified by pseudonyms, include a Connecticut-based public school system, an Ohio-based automotive company and a North Carolina-based children’s hospital. The 14 victims in the Berezhnoy and Glebov superseding indictment, also identified by pseudonyms, include a Maryland-based law firm, a Maryland-based managed services company and a Maryland-based healthcare provider. All of them allegedly received a threat to publish.
The Berezhnoy and Glebov indictment may be of particular interest to lawyers, as one of the alleged victims is a law firm and publication of clients’ data could compromise lawyer-client privilege and other obligations of confidentiality. On February 19, 2026, the Law Society of Alberta, the governing body of the legal profession in Alberta, advised in a news release that it had received reports of law firms being hacked and threat actors gaining access to client files. Describing lawyers as “high value targets”, the advisory reminded the profession to be wary of the social engineering techniques and unsolicited electronic communications previously discussed in the Society’s article titled Cybersecurity Threats: Recent Instances of Trust Account Theft, published on March 27, 2025. (here)
5. Conclusion
Ransomware is one of the most destructive forms of cybercrime and accounts for 44% of all confirmed breaches. The average ransomware breach has been reported to cost companies US$5.08 million which includes indirect costs associated with detection and containment, notification, post-breach response and lost business. (here) According to the Ransomware Threat Outlook 2025-2027 published by the Canadian Centre for Cyber Security, “[t]he majority of the top ransomware groups impacting Canada are almost certainly financially motivated and opportunistic.” (here) The Canadian Cyber Centre has assessed that the “transition from single extortion to multi-extortion methods” is indicative of increased sophistication. Potential multi-extortion strategies include distributed denial-of-service attacks and contacting third parties associated with an organization – including its suppliers, partners or customers – for ransom. The consequences of multi-extortion attacks may not only damage an organization’s financial security but may also compromise its reputation when the extent of non-financial damage is unclear.
