International Operation Targets 8Base and Phobos Ransomware Gangs

In a global crackdown, law enforcement agencies have dismantled the infrastructure of the 8Base ransomware gang and arrested four individuals associated with the Phobos ransomware. The operation highlights international collaboration against cybercrime and the continuous threat posed by ransomware groups affecting businesses worldwide.

Affected: 8Base ransomware group, Phobos ransomware group, 17 Swiss companies, over 1,000 victims worldwide

Key points:

  • Law enforcement agencies seized the 8Base ransomware gang’s dark web sites.
  • The operation involved multiple agencies, including the NCA, FBI, and Europol.
  • 8Base has been conducting ransomware attacks using double extortion tactics since 2023.
  • Operation Phobos Aetor led to the arrest of four individuals in Thailand.
  • The suspects are linked to ransomware attacks on at least 17 Swiss companies.
  • Authorities confiscated over 40 digital assets from the arrested individuals.
  • The financial impact of the Phobos ransomware campaign is estimated at million.
  • Investigations revealed connections between 8Base and Phobos ransomware.
  • Similarities were noted in ransom notes and infrastructure between 8Base and RansomHouse.
  • This operation is part of a broader crackdown on significant ransomware groups.
  • SOCRadar offers threat intelligence solutions to help organizations combat ransomware threats.
  • The operation emphasizes the need for international collaboration to combat cybercrime.

MITRE Techniques:

  • Tactic: Initial Access (T1071); Procedure: Use of compromised credentials to access networks of Swiss companies.
  • Tactic: Execution (T1059); Procedure: Deployment of ransomware via phishing or other malicious methods against victims.
  • Tactic: Impact (T1486); Procedure: Data encryption and exfiltration from compromised systems.
  • Tactic: Command and Control (T1071); Procedure: Utilization of the dark web to negotiate ransoms and leak data.

Indicators of Compromise:

  • [Domain] 8Base’s data leak site
  • [Domain] Phobos ransomware negotiation site
  • [Email Address] example@example.com (generic placeholder, as specific emails were not provided)
  • [Hash] Some encrypted files featured the “.8base” extension (further analysis needed)


Full Story: https://socradar.io/international-operation-target-8base-phobos-ransomware/