In a coordinated effort by law enforcement agencies from 14 countries, four Russian nationals have been arrested for their alleged involvement in the 8Base ransomware group. The suspects were apprehended in Phuket, Thailand, facing multiple charges that could lead to decades in prison. In addition, 27 servers linked to the criminal network were dismantled.
The 8Base gang has been utilizing a variant of Phobos ransomware to extort substantial sums from victims across Europe, the United States, and beyond. First identified in December 2018, Phobos ransomware has been deployed in numerous large-scale attacks against various businesses and organizations worldwide.
According to authorities, 8Base is believed to have targeted over 1,000 public and private entities, amassing more than $16 million in ransom payments. Europol noted that, unlike more high-profile ransomware groups that focus on large corporations, Phobos primarily targets small to medium-sized businesses, which often lack the necessary cybersecurity protections.
The group’s Ransomware as a Service (RaaS) model has made it accessible to a wide range of criminal actors, from individuals to organized crime syndicates like 8Base. This group has developed its own version of the ransomware, customizing its encryption and delivery methods to maximize damage.
8Base has also employed aggressive double extortion tactics, encrypting victims’ data while threatening to release stolen information if ransoms are not paid. This strategy has drawn significant attention from international law enforcement. In 2023, a key affiliate was arrested in Italy, and last summer, an administrator was detained in South Korea and extradited to the U.S.
Two of the arrested individuals, Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, have been charged in the United States. They are accused of executing ransomware attacks between May 2019 and at least October 2024, with victims reportedly including a children’s hospital, healthcare providers, and educational institutions.
The U.S. Department of Justice stated that after a successful Phobos attack, criminal affiliates would pay fees to Phobos administrators for decryption keys to regain access to their data. Each ransomware deployment was tagged with a unique alphanumeric string that linked it to the respective decryption key, and affiliates were required to pay the fee for that key into a designated cryptocurrency wallet.
The UK’s National Crime Agency (NCA) highlighted the significant impact of 8Base’s activities on businesses in the UK and noted that the investigation has helped prevent several organizations from becoming victims of encryption.