8Base: Four arrests and 17 servers seized in Germany

Law enforcement authorities from 14 countries have arrested four leaders of the ransomware group 8Base. The group extorted high ransom sums worldwide.

Europol banner showing that the 8base leak site has been confiscated

(Image: Europol)


In a coordinated operation by law enforcement authorities from 14 countries, four leaders of the ransomware group 8Base, the largest affiliate of Phobos, were arrested last week. The arrest in Thailand was made together with the FBI, the Office of the Attorney General of Switzerland and the Swiss Federal Police (Fedpol). 8Base is suspected of having extorted high ransom payments worldwide with a variant of the Phobos ransomware. Like many ransomware groups, it used double extortion.

Phobos had already attacked the Basel-based software company Concevis in the past, which also affected Swiss federal authorities. However, the list of victims also includes healthcare facilities such as hospitals and pharmacies, according to the Bavarian Cybercrime Center (ZCB), which is based at the Bamberg Public Prosecutor General's Office. The ZCB also took part in the campaign by international law enforcement agencies.

Last Sunday, the "IT infrastructure of the 8Base group was seized and taken offline by the Bavarian State Criminal Police Office", the ZCB announced. "Previously, the Bamberg district court had ordered the seizure of a total of 115 servers", according to the ZCB. A further 15 servers were confiscated by order. According to Europol, a total of 27 servers connected to the criminal network were seized – 17 of which were in Germany, the ZCB reported. According to the ZCB, 365 Phobos attacks took place in Germany.

The operation, which involved the FBI, the Swiss Federal Prosecutor's Office, Fedpol, the ZCB, the Bavarian State Criminal Police Office (BLKA) and others, follows a series of arrests in connection with Phobos. In June, a Phobos administrator was arrested in South Korea and subsequently extradited to the United States. He is now facing charges for various ransomware attacks on critical infrastructure. According to Europol, another Phobos affiliate was arrested in Italy in 2023. They could be assigned to the criminal group 8Base. Europol's European Cybercrime Center (EC3) has been supporting the investigation since the beginning of 2019.

According to the ZCB, the BLKA was able to warn "240 companies from 30 countries about encryption" – 55 companies are from the USA, 35 from France, 25 from Japan and 18 companies from Germany. "It is extremely pleasing that the Bavarian State Office of Criminal Investigation was capable of protecting well over one hundred victims worldwide from having their data encrypted. With a statistical average loss of around five million euros in the event of a successful ransomware attack, this amounts to a mathematically incredible sum of well over half a billion euros," comments BLKA President Norbert Radmacher. According to Europol, law enforcement authorities have warned more than 400 companies worldwide of ongoing or imminent ransomware attacks.


According to Europol, Phobos ransomware was first spotted in December 2018 and is frequently used in large-scale attacks on companies and organizations around the world. Phobos mainly targets small and medium-sized companies, which are often not sufficiently protected.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.