Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
In a joint operation, international law-enforcement agencies struck the 8Base ransomware gang, arresting four people and shutting down more than 100 related servers. The operation also warned more than 400 companies worldwide of ransomware attacks and involved the Phobos RaaS criminal network. 2025-2-11 21:1:9 Author: securityboulevard.com (view original)

Law enforcement agencies from more than a dozen countries in a joint operation arrested four people linked to the Russian-based 8Base ransomware group and shut down more than 100 servers associated with the criminal operation, the latest international effort to push back against ransomware gangs.

The initiative, “Operation Phobos Aetor,” also was the most recent shot at the Phobos ransomware-as-a-service (RaaS) group, which counts 8Base as its largest affiliate. Along with the arrests, the agencies also seized more than 100 servers and the data leak site associated with 8Base and were able to warn more than 400 companies around the world of ongoing or imminent ransomware attacks, according to Europol.

In addition, authorities collected devices like laptops and mobile phones as well as digital wallets.

The U.S. Justice Department (DOJ) this week also indicted two Russian nationals – Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39 – who investigators said operated the 8Base group, which used a variant of the Phobos ransomware to attack more than 1,000 organizations around the world and collected more than $16 million in ransom payments over the past several years.

Berezhnoy and Glebov were among the four 8Base members that Bavarian police said were arrested in Thailand. They face a variety of charges, including wire fraud, intentionally damaging protected computers, extortion, and conspiracy.

Five Years of Attacks

According to the DOJ, the two Russians and others launched attacks between 2019 and at least October 2024 while operating as a Phobos affiliate under names such as 8Base and Affiliate 2803. Europol investigators also said that 8Base members used Phobos’ infrastructure to create their own ransomware variant, which includes its own encryption and delivery mechanisms.

“This group has been particularly aggressive in its double extortion tactics, not only encrypting victims’ data but also threatening to publish stolen information unless a ransom was paid,” Europol noted.

The law enforcement agency noted that Phobos targets SMBs with high-volume attacks, adding that its RaaS model “has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base. The adaptability of this framework has allowed attackers to customize their ransomware campaigns with minimal technical expertise, further fueling its widespread use.”

Some of the law enforcement agencies involved in Operation Phobos Aetor focused their efforts on 8Base while others targeted Phobos. Some targeted both ransomware groups, according to Europol.

Broad Array of Victims

8Base targeted various industries in its attacks, including finance, manufacturing, IT, and health care, with most victims in the United States and Brazil, according to cybersecurity firm SentinelOne. The threat actors gained initial access into targeted systems through various tactics, including phishing campaigns and initial access brokers (IABs), with the ransomware being delivered as a late-stage payload via SmokeLoader and other malware campaigns, researchers wrote.

The DOJ said that the victims of 8Base attacks included a children’s hospital, health care providers, and educational institutions.

“Prior to Operation PHOBOS AETOR, there had been intermittent arrests of individual affiliates associated with PHOBOS, though this operation represents the most comprehensive law enforcement action, to date, against Phobos/8Base,” SentinelOne researchers wrote.

The intermittent arrests include one last year of Evgenii Ptitsyn, a Russian national arrested in South Korea and extradited to the United States for his role in Phobos attacks. Another Phobos player was arrested in Italy in 2023 on a French warrant. In addition, the FBI and CISA last year issued a warning about Phobos and listed associated indicators of compromise (IoCs).

Source: https://securityboulevard.com/2025/02/authorities-seize-8base-ransomware-infrastructure-arrest-four-russians/