8Base Ransomware Group Taken Down by Law Enforcement Operation

By Daniel Lopez

A global law enforcement action, Operation Phobos Aetor, has taken down the 8Base ransomware group's negotiation and data leak sites. Two men and two women were arrested at different locations in Phuket, Thailand, and officers seized laptops, mobile phones, and cryptocurrency wallets. The four suspects are charged with conspiracy to commit wire fraud and conspiracy to commit an offense against the United States.

The 8Base ransomware group emerged in March 2022 and kept a low profile until it began leaking stolen data in June 2023. The group is believed to include experienced operators, possibly drawn from another ransomware group. VMware has linked 8Base to the RansomHouse ransomware operation because of similarities in their ransom notes and data leak sites, although it remains uncertain whether the same individuals are behind both groups.

8Base carried out more than 1,000 ransomware attacks worldwide, including attacks on HIPAA-covered healthcare organizations. In November 2023, the U.S. Department of Health and Human Services (HHS) published an Analyst Note on the group because of the threat it posed to the healthcare and public health sector.

Most of 8Base's targets were small and medium-sized companies without advanced cybersecurity defenses. The group typically gained initial access through exploit kits, drive-by downloads, and phishing emails. Although individual attacks did not yield large ransoms, the sheer volume of attacks brought the group more than $16 million in ransom payments. Most victims were in Brazil, the United States, and the United Kingdom.

8Base operated using the Phobos ransomware operation's platform. After breaching a network, the group deployed a Phobos ransomware variant that appended the .8base or .eight extension to encrypted files. The group used double extortion: after gaining access, it stole data and then encrypted files with the ransomware, demanding payment both for the decryption keys and to prevent the stolen data from being published on its data leak site. Ransom payments were laundered through cryptocurrency mixing services.

Operation Phobos Aetor involved Europol, the Federal Bureau of Investigation (FBI), the U.K. National Crime Agency (NCA), and law enforcement agencies in Belgium, Bavaria, Czechia, France, Japan, Germany, Romania, Switzerland, Spain, and Thailand. The operation seized the group's negotiation and data leak websites and took down 27 servers. Seizure banners were posted on the sites naming the Bavarian State Criminal Police Office, acting on behalf of the Public Prosecutor General's Office in Bamberg. Europol said the operation identified more than 400 prospective victims, who were warned about ongoing or impending attacks.

The arrests were requested by Swiss authorities, who have asked the Thai government to extradite the suspects to Switzerland to face charges relating to attacks on 17 Swiss companies between April 30, 2023, and October 26, 2024. According to Europol, the four arrested suspects are Russian nationals. In June 2024, a suspected Phobos administrator was arrested in South Korea and extradited to the U.S. for prosecution, and a Phobos affiliate was arrested in Italy in 2023.

Image credit: andranik123, AdobeStock


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach and contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA