8Base ransomware members snared in global police crackdown
The group is believed to have targeted more than 1,000 organizations around the world


Four Russian nationals have been arrested for their alleged involvement in the 8Base ransomware group after a joint police operation by 14 countries.
The suspects were arrested in Phuket, Thailand, and charged with a number of offenses, potentially carrying decades in prison. At the same time, 27 servers linked to the criminal network were taken down.
The gang was deploying a variant of Phobos ransomware to extort large payments from victims across Europe, the US, and beyond, authorities said.
First detected in December 2018, Phobos ransomware has been widely used in large-scale attacks against businesses and organizations worldwide.
8Base is believed to have targeted more than 1,000 public and private bodies, raking in more than $16 million in ransom payments in all.
"Unlike high-profile ransomware groups that target major corporations, Phobos relies on high-volume attacks against small to medium-sized businesses, which often lack the cybersecurity defences to protect themselves," said Europol.
"Its Ransomware as a Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base."
8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks and cause the biggest impact possible.
Who are 8Base?
It has been particularly aggressive in its use of double extortion techniques, which involve both encrypting victims' data and threatening to publish stolen information unless a ransom is paid.
As a result, the group has been the focus of action by international law enforcement for a while. A key Phobos affiliate was arrested in Italy in 2023, for example, while last summer an administrator was arrested in South Korea and extradited to the US.
Two of the four people arrested this week have now been charged in the US for their part in the group: Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both of whom are Russian nationals.
They are accused of carrying out ransomware attacks between May 2019 and at least October 2024. Victims are believed to include a children’s hospital, health care providers, and educational institutions.
"After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators for a decryption key to regain access to the encrypted files," said the US Department of Justice.
"Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate."
The UK's National Crime Agency (NCA) said the group had had a significant impact on the UK and that, as a result of the investigation, it was able to prevent a number of targeted businesses from falling victim to encryption.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.