Phobos Ransomware Leader Facing 20 Years in Prison After Pleading Guilty to Hacking Charges
Evgenii Ptitsyn, the 43-year-old Russian national identified as the key developer and administrator behind the Phobos ransomware-as-a-service operation, pleaded guilty to wire fraud charges on Wednesday and is now facing up to 20 years in prison, with sentencing scheduled for July 15. Ptitsyn — who operated under the aliases “derxan” and “zimmermanx” — was arrested in South Korea and extradited to the U.S. in November 2024; he is accused of building and maintaining Phobos, distributing it to criminal affiliates who paid him roughly $300 per decryption key after successful attacks, and personally controlling the cryptocurrency wallets that received those proceeds. Since 2020, Phobos has been used to attack more than 1,000 organizations worldwide — including hospitals, school districts, emergency services, and government contractors — collecting at least $16 million in ransom, with individual victims ranging from a Connecticut school system that paid nothing to a California public school district that paid $300,000.
CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog
CISA has added CVE-2026-22719, a CVSS 8.1 unauthenticated command injection flaw in Broadcom VMware Aria Operations, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The exploitable condition is narrow but operationally common: while a support-assisted product migration is in progress, an attacker with network access to the appliance can achieve remote code execution, so migrations should be scheduled, network-restricted and monitored rather than left open for convenience. Broadcom acknowledged reports of exploitation but said it could not independently confirm them. The flaw was patched last month in an advisory that also fixed two companion vulnerabilities, CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation to admin access); only CVE-2026-22719 is in the KEV catalog, but because all three ship in the same fix, organizations should apply the advisory as a bundle rather than deferring the lower-scored companions. Federal Civilian Executive Branch agencies must apply the fixes by March 24, 2026. Given how widely Aria Operations is deployed as an observability and IT operations management platform, including as a component of VMware Cloud Foundation, every enterprise running it should treat patching as urgent regardless of any regulatory mandate.
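The practical step behind this item is turning a KEV entry into a patch list with a deadline, and widening that list to the whole vendor advisory so companion fixes are not left behind. The following script, added here as an illustration rather than anything from CISA, Broadcom or the article, cross-references an asset inventory against a KEV feed excerpt and expands each hit to its advisory bundle. The real feed is the public JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and carries the field names used below; the excerpt, the advisory map (its label is invented; the article does not name the advisory), and the inventory hosts are constructed for this example from the facts stated above, and fetching the live feed is left to the reader.

```python
"""Cross-reference an inventory against a CISA KEV feed and expand hits to
their vendor advisory so companion CVEs are patched as one bundle.

Added example, not code from CISA or the article. The KEV excerpt, advisory
map and inventory below are constructed for illustration.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed excerpt in the shape of the real KEV JSON feed. Only the
# fields this script reads are included; the live feed carries more.
KEV_FEED_EXCERPT = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-22719",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations",
            "dueDate": "2026-03-24",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed map of advisory -> CVEs fixed together. The label is a
# placeholder; the article says the three CVEs shipped in one advisory.
ADVISORY_BUNDLES = {
    "broadcom-aria-operations-advisory": [
        "CVE-2026-22719", "CVE-2026-22720", "CVE-2026-22721",
    ],
}

# Constructed inventory: one Aria Operations appliance and one unrelated host.
INVENTORY = [
    {"host": "ops-mon-01.corp.example", "vendor": "Broadcom",
     "product": "VMware Aria Operations (appliance)"},
    {"host": "web-01.corp.example", "vendor": "F5", "product": "NGINX Plus"},
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index KEV records by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_hits_for(asset: dict, kev: dict[str, dict]) -> list[dict]:
    """KEV records whose vendor matches and whose product name appears in the asset's."""
    return [
        rec for rec in kev.values()
        if rec["vendorProject"].lower() == asset["vendor"].lower()
        and rec["product"].lower() in asset["product"].lower()
    ]


def expand_bundle(cve_ids: list[str], bundles: dict[str, list[str]]) -> list[str]:
    """Add every CVE that shares an advisory with any of the given CVEs."""
    out = set(cve_ids)
    for members in bundles.values():
        if out & set(members):
            out |= set(members)
    return sorted(out)


def triage(inventory: list[dict], kev: dict[str, dict],
           bundles: dict[str, list[str]], as_of: date) -> list[dict]:
    """One row per affected asset, soonest KEV due date first."""
    rows = []
    for asset in inventory:
        hits = kev_hits_for(asset, kev)
        if not hits:
            continue
        due = min(date.fromisoformat(h["dueDate"]) for h in hits)
        rows.append({
            "host": asset["host"],
            "kev_cves": sorted(h["cveID"] for h in hits),
            "patch_bundle": expand_bundle([h["cveID"] for h in hits], bundles),
            "ransomware_use": any(h["knownRansomwareCampaignUse"] == "Known" for h in hits),
            "due": due.isoformat(),
            "days_left": (due - as_of).days,
            "overdue": as_of > due,
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in triage(INVENTORY, load_kev(KEV_FEED_EXCERPT), ADVISORY_BUNDLES, date.today()):
        print(json.dumps(row))
```

The `days_left` column is computed against an explicit `as_of` date so the same inventory can be re-run against a recorded snapshot; in production the KEV feed should be fetched fresh on each run, since due dates and the ransomware-use flag change over time.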
Quantum Decryption of RSA Is Much Closer Than Expected
A newly published paper describing the JVG algorithm has upended the conventional timeline for quantum attacks on RSA and ECC, arguing that today's public-key cryptography can be broken with significantly fewer quantum resources than Shor's algorithm requires, and potentially collapsing the expected post-quantum migration window from roughly a decade to something far more urgent. Shor's algorithm, which current estimates put at on the order of a million physical qubits and at least ten years from practical realization, factors the large composite moduli behind RSA and solves the discrete logarithms behind ECC; the JVG approach is reported to do that work more efficiently, bringing a cryptanalytically relevant quantum computer closer at a time when nation-states and criminal groups are already running "harvest now, decrypt later" collection against encrypted traffic and stored data. Security researchers are urging organizations to accelerate migration to NIST's post-quantum standards immediately, warning that anything stolen today under RSA or ECC protection can be decrypted retroactively once a capable machine exists. That threat also dictates the order of work: key establishment, where ML-KEM (FIPS 203) or a hybrid of ML-KEM with classical ECDH applies, protects the confidentiality of data recorded now and should move first, while signatures (ML-DSA, FIPS 204; SLH-DSA, FIPS 205) can follow, because a forgery only matters at the moment of verification and cannot be applied retroactively to captured data.
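What makes "harvest now, decrypt later" work is that any factoring method, whether Shor's, the JVG algorithm described above, or a classical one on a small enough modulus, delivers the same thing: the factors of n, from which the private exponent follows and with it every ciphertext ever recorded under that key. The script below is an added example, not from the paper or the article, showing that chain end to end on a deliberately tiny RSA key. Pollard's rho stands in for the quantum factoring oracle (it is hopeless against real 2048-bit moduli, which is the whole point of the article); the primes, the public exponent and the "captured" plaintext are constructed for the example.

```python
"""Harvest now, decrypt later, on a toy RSA key.

Added example, not code from the JVG paper or the article. A ciphertext is
recorded under a public key today; later, a factoring oracle (Pollard's rho
here, a classical stand-in for Shor/JVG on a tiny modulus) recovers the
factors, the private exponent, and the plaintext. Primes and the captured
message are constructed for illustration.
"""
import math
import random

TOY_P = 999_983     # largest prime below one million
TOY_Q = 1_000_003   # smallest prime above one million
PUBLIC_E = 65537
CAPTURED_PLAINTEXT = int.from_bytes(b"PII!", "big")  # constructed message, < n


def keygen(p: int, q: int, e: int = PUBLIC_E) -> tuple[int, int, int]:
    """Return (n, e, d) for the given primes; this is the victim's key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    """Textbook RSA encryption; real systems add padding, which does not help here."""
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def pollard_rho(n: int, seed: int = 2) -> int:
    """Return a non-trivial factor of composite n using Floyd cycle finding.

    Stand-in for a quantum factoring oracle; only practical for small n.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)  # seeded so the demonstration is deterministic
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # d == n means the walk collapsed; retry with a new c
            return d


def recover_private_key(n: int, e: int) -> int:
    """Reconstruct d from the public key alone, given the factors of n."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def harvest_now_decrypt_later(m: int, p: int, q: int) -> tuple[int, bool]:
    """Record a ciphertext today, factor the modulus later, read the message.

    Returns the recovered plaintext and whether the attacker's d equals the
    victim's; the victim's private key never leaves keygen().
    """
    n, e, d_victim = keygen(p, q)
    captured = encrypt(m, n, e)             # passive observer stores this now
    d_attacker = recover_private_key(n, e)  # computed whenever factoring becomes feasible
    return decrypt(captured, n, d_attacker), d_attacker == d_victim


if __name__ == "__main__":
    recovered, same_key = harvest_now_decrypt_later(CAPTURED_PLAINTEXT, TOY_P, TOY_Q)
    print(recovered.to_bytes(4, "big"), same_key)
```

Nothing in the attacker's path needed the moment of capture and the moment of factoring to be close together, which is why migrating key establishment (ML-KEM or a hybrid) first matters more than migrating signatures.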
AkzoNobel Confirms Cyberattack on US Site
Dutch paint giant AkzoNobel — the maker of Dulux, Glidden, and other major brands — has confirmed to BleepingComputer that hackers breached the network of one of its U.S. manufacturing sites, making it the latest industrial company to suffer a confirmed cyberattack in recent weeks. The company did not disclose the nature of the attack, what data may have been accessed or stolen, or how the threat actors initially gained entry, and said its investigation is ongoing; the Anubis ransomware group, which launched in late 2025 as a rebrand of the defunct Cactus ransomware operation, claimed responsibility on its dark web leak site and threatened to publish stolen files. AkzoNobel employs roughly 34,000 people globally and reported revenues of €11.2 billion last year, making it one of the world’s largest coatings and specialty chemicals companies; the incident adds to a troubling pattern of ransomware groups specifically targeting the manufacturing sector for its operational disruption potential and historically weaker segmentation between IT and OT networks.
Attackers Are Using Your Network Against You, According to Cloudflare
Cloudflare’s 2026 Annual Threat Report found that adversaries are increasingly turning organizations’ own legitimate cloud infrastructure against them: blending malicious traffic into normal business operations through public cloud resources, exploiting identity weaknesses at the seams between cloud services, and staging and delivering phishing lures from trusted platforms in ways that bypass conventional email and network defenses. The report singles out this “living off trusted infrastructure” trend as more consequential than novel malware or zero-days, arguing that once attackers abuse platforms an organization already trusts, the usual indicators of sophistication stop being useful for triage and response. Cloudflare researchers warned that cybercriminal and nation-state tradecraft are converging on this technique, and that security teams that use attacker sophistication as a proxy for risk are dangerously miscalibrated for the current landscape.