Major Crackdown on Ransomware Group 8Base: Four Arrested and Servers Seized

Wed 12th Feb, 2025

In a significant international operation, law enforcement agencies from 14 countries have apprehended four key leaders of the ransomware group known as 8Base, which is recognized as the largest affiliate of the Phobos ransomware. This group has been implicated in extorting substantial ransom payments on a global scale.

The operation, which took place last week, was notably supported by the FBI, the Swiss Federal Prosecutor's Office, and the Swiss Federal Police (Fedpol). 8Base is under investigation for allegedly utilizing a variant of the Phobos ransomware to demand high ransom payments worldwide, employing a method known as 'double extortion' commonly used by ransomware groups.

Previously, the Phobos ransomware had targeted the Swiss software company Concevis, affecting various Swiss federal agencies. Among its victims are health institutions, including hospitals and pharmacies, according to the Central Cybercrime Unit of Bavaria (ZCB), which played a role in this coordinated effort.

On Sunday, law enforcement managed to seize the IT infrastructure of the 8Base group, which was subsequently taken offline by the Bavarian State Criminal Police Office. A court in Bamberg authorized the seizure of a total of 115 servers, with an additional 15 servers also confiscated upon request. Europol reported that a total of 27 servers linked to the criminal network were seized, including 17 located in Germany. The ZCB noted that 365 Phobos-related attacks occurred within Germany alone.

This operation builds upon prior arrests connected to Phobos activity. In June, an administrator of Phobos was arrested in South Korea and later extradited to the United States, where he faces charges related to multiple ransomware attacks on critical infrastructure. Additionally, Europol reported the arrest of another Phobos affiliate in Italy in 2023, who was also connected to the 8Base group. The European Cybercrime Centre (EC3) has provided support for the investigation since early 2019.

According to the ZCB, the Bavarian State Criminal Police Office (BLKA) successfully warned 240 companies across 30 countries about potential encryption threats. The list of these firms includes 55 from the United States, 35 from France, 25 from Japan, and 18 from Germany. The president of the BLKA, Norbert Radmacher, expressed satisfaction with the outcome, stating that over a hundred victims worldwide were safeguarded from data encryption. Given that a successful ransomware attack could lead to an average loss of approximately five million euros, the potential savings from this operation could exceed half a billion euros.

The Phobos ransomware was first detected in December 2018 and has been frequently deployed in large-scale attacks targeting organizations and businesses globally. Europol has indicated that Phobos primarily affects small and medium-sized enterprises, often due to inadequate cybersecurity measures.

