US prosecutors charged Evgenii Ptitsyn, the Russian national suspected of administering the Phobos ransomware-as-a-service operation, after his extradition from South Korea — a platform linked to breaches of over 1,000 entities and $16 million in ransom payments. HN46 also covers Helldown ransomware, a fast-growing LockBit 3-based operation exploiting a command injection vulnerability in Zyxel IPSec VPN (CVE-2024-42057) — and potentially an additional undisclosed zero-day — to breach corporate networks and encrypt VMware workloads.
Stories Covered
Phobos Ransomware Admin Charged After Extradition: $16M From 1,000+ Victims
Evgenii Ptitsyn, a Russian national suspected of administering the Phobos ransomware-as-a-service (RaaS) operation, was extradited from South Korea and indicted on 13 counts including wire fraud, computer fraud conspiracy, and extortion. The Justice Department links Phobos to breaches of over 1,000 public and private entities in the US and worldwide — including schools, hospitals, nonprofits, and a federally recognized tribe — with ransom payments totaling more than $16 million. Between May and November 2024, Phobos accounted for roughly 11% of all ransomware submissions to the ID Ransomware service, making it a significant player in a large market. If convicted, Ptitsyn faces up to 20 years per wire fraud count, plus additional penalties for hacking and conspiracy charges.
Phobos operated as a classic RaaS structure: Ptitsyn and co-conspirators provided affiliates with ransomware payloads, decryption infrastructure, and extortion management platforms in exchange for a cut of ransom payments. Each deployment used a unique alphanumeric victim string tied to a specific decryption key, with payments directed to cryptocurrency wallets unique to each affiliate — funds were then transferred to wallets controlled by Ptitsyn. Affiliates gained initial access via stolen credentials, using them to VPN into victim networks before deploying ransomware laterally. What’s operationally notable is that Phobos affiliates actively called and emailed victims directly — a more aggressive extortion approach than the standard ransom note, and likely a factor in the group’s higher-than-average payment rate.
The RaaS model separates technical capability from operational reach. Affiliates don’t need to understand how the ransomware works — they just need an initial access method and a target. The ransomware provider handles payload development, key management, and decryption delivery. This division of labor is what makes RaaS operations resilient: taking down one administrator doesn’t eliminate the affiliates or the codebase. Phobos itself is derived from the Crysis ransomware family, meaning the underlying code has been in circulation and iterating for years. One practical concern worth noting: cases exist where ransomware decryptors are poorly implemented — victims pay and still can’t recover files. Any ransom payment decision should account for the non-trivial probability that the decryptor fails.
Helldown Ransomware Exploits Zyxel VPN Flaw, May Hold Undisclosed Zero-Day
French cybersecurity firm Sequoia identified a new ransomware operation called Helldown actively exploiting vulnerabilities in Zyxel firewalls used as IPSec VPN access points to breach corporate networks. Sequoia assessed with medium confidence that Helldown is leveraging CVE-2024-42057 — a command injection vulnerability in Zyxel’s IPSec VPN that allows an unauthenticated attacker to execute OS commands via a crafted long username in PSK mode — based on finding that at least eight victim organizations on Helldown’s leak portal were using Zyxel firewalls running firmware version 5.38 at the time of breach. Zyxel patched CVE-2024-42057 in firmware 5.39 released September 3rd. Sequoia also identified evidence of a separate undisclosed Zyxel vulnerability, the details of which were shared privately with Zyxel’s PSIRT.
Helldown was first spotted in August 2024 and grew quickly, listing 31 victims on its extortion portal by November — primarily small and medium-sized businesses in the US and Europe. Its Windows variant is based on the leaked LockBit 3 builder, with operational similarities to DarkRace and Donex. Helldown’s Linux variant targets VMware ESXi environments and includes code to enumerate and kill running VMs before encryption — a technique designed to maximize encryption coverage by ensuring VM files are not locked by running processes. Operationally, Helldown is less sophisticated than established groups: it uses batch files to terminate target processes rather than building that functionality into the ransomware itself, and it exfiltrates indiscriminately rather than selectively — data packs on its portal reach up to 431 GB in a single instance.
The undisclosed vulnerability angle is the most significant element here. If Helldown has access to a private n-day or zero-day against Zyxel — obtainable by diffing firmware 5.38 and 5.39 to identify patched code paths and reverse-engineer the pre-patch behavior — that gives them reliable initial access against any organization still running older firmware. CVE-2024-42057 exploitation details were not public at time of recording. If you are running Zyxel firewalls as VPN endpoints, upgrading to firmware 5.39 or later is the immediate mitigation. The attack chain after initial VPN access is standard: establish SSL VPN connection, access domain controllers, move laterally, disable endpoint defenses, then deploy ransomware.
Leave a Reply