
Global Law Enforcement Operation Targets 8Base Ransomware Leak Site

The dark web leak site of 8Base, a ransomware group that deploys a variant of the Phobos ransomware, has been seized.

Update - The dark web leak site of 8Base, a ransomware group known to deploy a variant of the Phobos ransomware, was reportedly seized, according to TechCrunch on Monday. A law enforcement seizure notification on the dark web leak site showed logos from multiple agencies, including Europol, the Justice Department, the UK National Crime Agency (NCA) and more.

According to local media on Monday, a global law enforcement operation has reportedly led to the arrest of four suspects who deployed the Phobos ransomware. A Tuesday post from Europol confirmed the arrests and the takedown of 27 servers linked to the criminal network.

Key Details:

  • Europol said the four Russian nationals are suspected of deploying the Phobos ransomware variant in attacks aimed at extorting victims across Europe and beyond.

  • Europol said as a result of the operation, law enforcement was able to warn more than 400 companies worldwide of ongoing ransomware attacks.

  • According to Europol: “This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both.”

Credit: Europol

Why It Matters: The disruption is a blow to the operations of both the Phobos and 8Base ransomware. The Phobos ransomware has been used to successfully target more than 1,000 public and private entities in the U.S. and worldwide, and to extort ransom payments worth more than $16 million, according to the U.S. government last year.

Meanwhile, 8Base has been active since March 2022 and is known for utilizing double extortion tactics against a variety of victims, including the healthcare and public health sector.

“8Base also drew attention for its similarities with the RansomHouse ransomware with regard to ransom notes and copies it used in its leak site,” according to researchers with Trend Micro in an analysis. “The 8Base ransomware also makes use of the Phobos ransomware version 2.9.1, which uses SmokeLoader for initial obfuscation for ingress, unpacking, and loading of the payload.”

The Background: The Phobos ransomware group is structured as a ransomware-as-a-service model, and its affiliates have targeted entities including local governments, emergency services, education, public healthcare, and critical infrastructure.

In 2024, the U.S. government and other international law enforcement agencies took several steps to crack down on Phobos ransomware operations. In February 2024, the government released a cybersecurity advisory disseminating the group’s known tactics and indicators of compromise (IoC) to help security teams defend against them. In November 2024, the Justice Department unsealed criminal charges against a Russian national (Evgenii Ptitsyn) for the sale, distribution and operation of the ransomware, after extraditing him from South Korea.

“The Phobos and 8BASE ransomware strains had a significant impact on the UK, with law enforcement providing support to over 200 victims,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, in a statement provided to Vulnerable U. “As a result of intelligence obtained during the investigation, the NCA and our policing partners were able to prevent a number of businesses who were targeted by these ransomware strains from succumbing to encryption and becoming victims, therefore mitigating the devastating impact an attack would have had on their companies.”

This article was updated on Feb. 11 with new information from Europol detailing the law enforcement operation and with a statement from the NCA.