On February 10, 2025, a coordinated international operation led to the arrest of four Russian nationals linked to the notorious 8Base ransomware group. The suspects—Roman Berezhnoy, Egor Nikolaevich Glebov, and two unnamed accomplices—were apprehended in Phuket, Thailand. This global crackdown, codenamed “Operation Phobos Aetor,” involved law enforcement agencies from 14 countries and resulted in the dismantling of critical infrastructure used by the group. Authorities seized over 40 pieces of evidence, including laptops, mobile phones, and cryptocurrency wallets. The group is accused of extorting over $16 million through ransomware attacks targeting more than 1,000 victims worldwide. 

Operation Phobos Aetor

Operation Phobos Aetor was a meticulously coordinated international effort that culminated in the arrest of four Russian nationals in Phuket, Thailand, on February 10, 2025. This operation targeted the 8Base ransomware group, a notorious affiliate of the Phobos ransomware-as-a-service (RaaS) network. Swiss authorities initiated the investigation after linking the group to ransomware attacks on 17 Swiss companies between April 2023 and October 2024. These attacks encrypted files, exfiltrated sensitive data, and demanded cryptocurrency payments in exchange for decryption keys.

The operation involved law enforcement agencies from 14 countries, including the FBI, Europol, Thailand’s Cyber Crime Investigation Bureau (CCIB), and the UK’s National Crime Agency (NCA). Raids were conducted across four locations in Phuket: Mono Soi Palai, Supalai Palm Spring, Supalai Vista Phuket, and Phyll Phuket x Phuketique Phyll. Officers seized over 40 pieces of evidence, including laptops, mobile phones, and cryptocurrency wallets suspected to hold ransom payments. Europol also confirmed the takedown of 27 servers tied to the group’s operations, along with their dark web negotiation and data leak sites.

The suspects—two men and two women—face charges of conspiracy to commit wire fraud and offenses against the United States. If convicted, they could face decades in prison. Thai Police Lieutenant General Trairong Phiwphan remarked that this operation demonstrated the power of global cooperation in dismantling transnational cybercrime networks.

Who Is the 8Base Ransomware Group?

The 8Base ransomware group, active since March 2022, has become one of the most aggressive and destructive cybercriminal organizations globally. Specializing in double-extortion tactics, the group encrypts victims’ files and exfiltrates sensitive data, threatening to leak it unless a ransom is paid. Their operations primarily target small and medium-sized businesses (SMBs) across industries such as healthcare, finance, IT, and manufacturing—sectors often lacking robust cybersecurity defenses.

8Base operates under a Ransomware-as-a-Service (RaaS) model, which enables affiliates with minimal expertise to deploy attacks using pre-configured tools. The group’s malware of choice is a customized variant of Phobos ransomware, which appends the “.8base” extension to encrypted files. Their attacks typically begin with phishing emails or the exploitation of vulnerable Remote Desktop Protocol (RDP) endpoints. Once inside a network, they escalate privileges using tools like Mimikatz and deploy their payload to encrypt files while stealing PII and other sensitive information.
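The “.8base” extension is the one host-side indicator this article gives, and it is also the defender’s earliest cheap signal: the encryption phase shows up as a burst of renames to that extension in a short window. The detector below is an added example, not code from the article or from TeraDact; it assumes a hypothetical file-event log format (`<ISO timestamp> <ACTION> <path> [-> <new path>]`) and runs over constructed sample lines.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Extension the article reports 8Base appends to encrypted files.
ENCRYPTED_SUFFIX = ".8base"

# Hypothetical log format assumed here: "<ISO timestamp> <ACTION> <path> [-> <new path>]".
EVENT_RE = re.compile(r"^(\S+)\s+(CREATE|WRITE|RENAME)\s+(.+?)(?:\s+->\s+(.+))?$")

def parse_event(line):
    """Parse one file-event line into a dict, or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src, "dst": dst}

def detect_8base_activity(lines, window_seconds=30, burst_threshold=3):
    """Flag every file that gains the .8base extension, and raise one 'burst'
    finding when at least burst_threshold such events land within window_seconds
    (mass renaming in a short window is the encryption phase, not normal use)."""
    findings = []
    recent = deque()  # timestamps of .8base events inside the sliding window
    burst_reported = False
    window = timedelta(seconds=window_seconds)
    for ev in filter(None, map(parse_event, lines)):
        target = ev["dst"] or ev["src"]
        if not target.lower().endswith(ENCRYPTED_SUFFIX):
            continue
        findings.append(("encrypted_extension", ev["ts"].isoformat(), target))
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop events that fell out of the window
        if len(recent) >= burst_threshold and not burst_reported:
            findings.append(("burst", ev["ts"].isoformat(),
                             f"{len(recent)} files renamed to {ENCRYPTED_SUFFIX} within {window_seconds}s"))
            burst_reported = True
    return findings

# Constructed sample events (not real telemetry); the .id[...] infix is a placeholder.
SAMPLE_EVENTS = [
    "2025-02-10T09:00:01 CREATE C:\\Users\\alice\\report.docx",
    "2025-02-10T09:12:30 RENAME C:\\Users\\alice\\report.docx -> C:\\Users\\alice\\report.docx.id[PLACEHOLDER].8base",
    "2025-02-10T09:12:31 RENAME C:\\Users\\alice\\budget.xlsx -> C:\\Users\\alice\\budget.xlsx.id[PLACEHOLDER].8base",
    "2025-02-10T09:12:31 WRITE C:\\Users\\alice\\info.txt",
    "2025-02-10T09:12:33 RENAME C:\\Shares\\hr\\payroll.csv -> C:\\Shares\\hr\\payroll.csv.id[PLACEHOLDER].8base",
    "2025-02-10T09:12:34 RENAME C:\\Shares\\hr\\contracts.pdf -> C:\\Shares\\hr\\contracts.pdf.id[PLACEHOLDER].8base",
]

if __name__ == "__main__":
    for kind, when, detail in detect_8base_activity(SAMPLE_EVENTS):
        print(f"{when} {kind}: {detail}")
```

The burst rule matters more than the extension match alone: a single renamed file is noise, while three or more inside thirty seconds is the moment to isolate the host before the share is fully encrypted.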

A distinctive feature of 8Base’s operations is their “name-and-shame” strategy. Victims who refuse to pay ransoms are publicly listed on their dark web leak site, exposing stolen data to further pressure organizations into compliance. This tactic has been particularly effective in amplifying financial and reputational damage for victims.

The Victims of 8Base Ransomware

The 8Base ransomware group has left a trail of devastation in its wake, targeting over 1,000 victims worldwide and extorting more than $16 million. Their attacks have disproportionately affected small and medium-sized businesses (SMBs), which often lack the resources to implement robust cybersecurity measures. According to Europol, the group’s victims span industries such as manufacturing, healthcare, finance, and professional services. These sectors were particularly vulnerable due to the sensitive nature of the data they handle, including PII (personally identifiable information) and proprietary business information.

The group’s operations extended across continents, with the United States bearing the brunt of their attacks. Trend Micro reports that 71 machines in the U.S. were infected between January 2023 and March 2024, followed by significant activity in Brazil, the United Kingdom, and smaller nations like Costa Rica and Croatia. Manufacturing emerged as the most targeted sector, followed closely by healthcare and finance. 

Notable victims include the United Nations Development Programme, a Canadian dental benefits agency for disabled individuals, and a Croatian port operator. These attacks disrupted operations, exposed sensitive data, and caused reputational damage. For example, in May 2023, 8Base publicly disclosed information from 67 victims on its leak site. Law enforcement also issued warnings to more than 400 companies about imminent ransomware attacks during the operation.

Europol has described 8Base’s double-extortion tactics as “particularly aggressive,” noting that their use of leaked Phobos ransomware allowed them to tailor attacks for maximum impact. Allan Liska, a ransomware expert at Recorded Future, emphasized how the group reinvested ransom payments into improving their malware capabilities. “When they first started, their code overlap with Phobos was nearly identical,” he explained. “Over time, they’ve invested their ransom payments into improving their code and have evolved into a highly efficient operation.”

How TeraDact Can Protect Against Similar Ransomware Attacks

One of the best things you can do to shield your organization from ransomware attacks like those orchestrated by the 8Base group is to implement advanced cybersecurity solutions that go beyond basic prevention. TeraDact offers a comprehensive suite of tools designed to protect sensitive data and mitigate the risks associated with sophisticated ransomware campaigns.

Why TeraDact Stands Out

TeraDact’s approach is particularly relevant in combating threats like 8Base, which employs double extortion tactics—encrypting files while threatening to leak stolen PII. The group’s use of AES-256 encryption, lateral movement techniques, and stealthy payload deployments highlights the need for robust defenses. TeraDact addresses these vulnerabilities with cutting-edge technologies that disrupt every stage of an attack lifecycle.

Key Features:

Data Redaction Technology: Unlike traditional encryption, TeraDact’s patented redaction technology breaks sensitive data into unreadable fragments. Even if attackers breach your network, they cannot reconstruct or exploit stolen information. This feature directly counters 8Base’s strategy of exfiltrating and publishing sensitive data to pressure victims.

Granular Access Controls: TeraDact allows organizations to assign highly specific permissions, ensuring only authorized personnel can access or modify critical files. This limits the damage from insider threats or compromised credentials often exploited in phishing attacks like those used by 8Base.

Real-Time Threat Detection: Advanced monitoring systems continuously analyze network activity for anomalies, such as unauthorized access attempts or encryption processes indicative of ransomware attacks. Immediate alerts enable rapid response, minimizing potential damage.

Incident Containment and Recovery: In cases where ransomware encrypts files, TeraDact isolates affected systems and provides tools to recover data without paying ransoms. This capability directly addresses 8Base’s reliance on ransom payments for decryption keys.

Regulatory Compliance Support: By safeguarding PII and other sensitive information, TeraDact helps organizations meet compliance requirements under laws like GDPR and HIPAA, reducing legal risks associated with data breaches.

Tailored Solutions for Modern Threats

The sophistication of groups like 8Base demands equally advanced countermeasures. From redacting sensitive information before it can be exfiltrated to detecting and neutralizing malicious activity in real time, TeraDact’s solutions are designed to outmaneuver even the most persistent attackers. As ransomware groups continue to evolve their tactics, partnering with a provider like TeraDact can make the difference between a contained incident and a catastrophic breach of your organization’s critical data.

Choose TeraDact for Comprehensive Data Protection

The arrest of key figures within the 8Base ransomware group highlights the ongoing battle against cybercriminals targeting vulnerable organizations worldwide. While law enforcement efforts like Operation Phobos Aetor disrupt criminal networks temporarily, businesses must adopt proactive measures to safeguard their systems and sensitive data.

TeraDact offers cutting-edge solutions tailored to prevent ransomware attacks and mitigate their impact when they occur. Contact us today for a free consultation on how our solutions can fortify your cybersecurity defenses against evolving threats.
