Law Enforcement Operation Takes Down 8Base Ransomware Group
An international law enforcement operation has taken down the negotiation and data leak sites of the 8Base ransomware group. The operation saw four individuals – two men and two women – arrested across different locations in Phuket, Thailand, with law enforcement officers seizing mobile phones, laptop computers, and digital wallets. The four individuals now face charges of conspiracy to commit an offense against the United States and conspiracy to commit wire fraud.

8Base data leak site seized by law enforcement.
The 8Base ransomware group emerged in March 2022, initially keeping a low profile until June 2023, when the group started leaking data stolen in its attacks. The group is believed to consist of experienced hackers, potentially drawn from another ransomware group. VMware has linked the group to another ransomware operation, RansomHouse, due to similarities in their data leak sites and ransom notes, although it is unclear whether the same individuals operate both groups.
8Base was responsible for more than 1,000 ransomware attacks worldwide, including attacks on healthcare organizations. The U.S. Department of Health and Human Services (HHS) issued an Analyst Note about the group in November 2023 due to the threat posed to the healthcare and public health sector.
The 8Base group mostly targeted small and medium-sized businesses that lacked sophisticated cybersecurity defenses and typically used phishing emails, exploit kits, and drive-by downloads for initial access. While the attacks did not result in massive ransom payments, the group conducted attacks in high volume and obtained more than $16 million in ransom payments. The majority of the group’s victims are located in the United States, United Kingdom, and Brazil.
8Base took advantage of the infrastructure of the Phobos ransomware operation, and after breaching networks, deployed a version of Phobos ransomware, adding the .8base or .eight extensions to encrypted files. The group engaged in double extortion tactics, breaching networks, stealing data, and using ransomware to encrypt files. The group demanded ransom payments in exchange for the decryption keys and to prevent the publication of the stolen data on its data leak site. The group then used cryptocurrency mixing services to hide the ransom payments.
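The one host-level indicator the article gives is the file extension appended by the Phobos variant 8Base deployed. The following script, an added example that is not from the article or from any vendor tool, scans a file listing (a constructed sample is embedded) for names ending in .8base or .eight and flags directories where several such files cluster, since a handful of renamed files in one folder is a stronger signal than a single stray hit. The threshold and the sample paths are assumptions for illustration.

```python
"""Hunt a file listing for the encrypted-file extensions the article attributes
to 8Base (.8base, .eight). Added example; the listing below is constructed."""
from collections import Counter
from pathlib import PurePosixPath

# Extensions the article says 8Base appended to files it encrypted.
ENCRYPTED_EXTS = {".8base", ".eight"}

# Constructed sample: a file listing as an EDR export or find(1) run might return it.
SAMPLE_LISTING = [
    "/srv/share/finance/q3-report.xlsx",
    "/srv/share/finance/q3-report.xlsx.8base",
    "/srv/share/finance/payroll.csv.8base",
    "/srv/share/finance/budget.docx.8base",
    "/srv/share/hr/contracts.pdf.eight",
    "/srv/share/hr/handbook.pdf",
    "/home/alice/notes.txt",
    "/home/alice/archive.tar.gz.EIGHT",  # extension case should not matter
    "/home/bob/eight",                    # bare filename, no extension: not a hit
]


def is_encrypted_name(path: str) -> bool:
    """True if the final suffix is one of the known extensions (case-insensitive)."""
    return PurePosixPath(path).suffix.lower() in ENCRYPTED_EXTS


def hits_per_directory(paths):
    """Count matching files per parent directory."""
    counts = Counter()
    for p in paths:
        if is_encrypted_name(p):
            counts[str(PurePosixPath(p).parent)] += 1
    return counts


def flag_directories(paths, threshold=3):
    """Directories with at least `threshold` matching files, sorted.
    The threshold is an assumed tuning value, not something the article gives."""
    return sorted(d for d, n in hits_per_directory(paths).items() if n >= threshold)


if __name__ == "__main__":
    for directory, n in hits_per_directory(SAMPLE_LISTING).most_common():
        print(f"{n:3d}  {directory}")
    print("flagged:", flag_directories(SAMPLE_LISTING))
```

Extension matching only fires after files have already been encrypted, so this is a triage and scoping aid for an incident in progress, not a preventive control; pair it with alerting on mass file renames and with the exfiltration monitoring the double-extortion pattern calls for.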
The law enforcement operation, Operation Phobos Aetor, involved the U.K. National Crime Agency (NCA), the Federal Bureau of Investigation (FBI), Europol, and law enforcement agencies in Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand. The group’s negotiation and data leak sites have been seized, and 27 servers have been taken down. Banners have been added to the sites stating they have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg. Europol said the operation identified more than 400 potential victims, who have now been warned about ongoing or imminent attacks.
The arrests were made at the request of Swiss authorities, and the Thai government has been asked to extradite the unnamed suspects to Switzerland to face charges related to attacks on 17 Swiss companies between April 30, 2023, and October 26, 2024. According to Europol, the four arrested individuals are all Russian nationals. A suspected Phobos administrator was arrested in South Korea in June 2024 and has since been extradited to the United States to face charges, and a key Phobos affiliate was arrested in Italy in 2023.
Update:
The U.S. Department of Justice has released the names of two suspected Phobos ransomware affiliates arrested by Thai authorities in Phuket and has unsealed the charges against them. The two Russian nationals, Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), are alleged to have operated the 8Base and Affiliate 2803 ransomware affiliate organizations and, along with others, to have deployed Phobos ransomware on victims’ networks between May 2019 and October 2024. After breaching victims’ networks, Berezhnoy and Glebov allegedly identified and exfiltrated sensitive data, then encrypted files and demanded payment both for the decryption keys and to prevent publication of the stolen data on their data leak site. The pair are alleged to have conducted more than 1,000 attacks on public and private entities, including a children’s hospital, healthcare providers, and educational institutions.
Berezhnoy and Glebov already face charges in Switzerland; the United States has now added its own. If extradited to the United States, the pair will face one count of conspiracy to commit wire fraud, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of intentional damage to a protected computer, three counts of extortion related to the damage of a protected computer, one count of unauthorized access and obtaining information from a protected computer, and one count of transmitting a threat to impair the confidentiality of stolen data. Each of the eleven counts carries a maximum sentence of between 5 and 20 years in prison, for a potential combined sentence of up to 100 years.
The Department of Justice has previously charged another Russian national in connection with the Phobos ransomware operation. Evgenii Ptitsyn is alleged to have administered the sale, distribution, and operation of Phobos ransomware. He was extradited from South Korea last year and made an initial court appearance in the U.S. District Court for the District of Maryland on November 4, 2024.