Four individuals thought to be behind the 8Base ransomware group – whose software has been used in large-scale attacks against businesses and organisations worldwide – have been taken into custody.
Those arrested, all Russian nationals, are suspected of deploying a variant of Phobos ransomware to extort payments from victims across Europe and beyond, according to a Europol statement, which also reports that 27 servers linked to the network have been shut down.
The arrests come after an administrator of Phobos, Evgenii Ptitsyn, was arrested in South Korea in June 2024 and extradited to the US, where he faces prosecution for orchestrating ransomware attacks against critical infrastructure, business systems, and individuals. Another Phobos affiliate was arrested in Italy in 2023.
"As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks," said Europol.
Yesterday, the US Department of Justice identified two of the Russian nationals – Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39) – and accused them of victimising "more than 1,000 public and private entities in the US and around the world and [receiving] over $16m in ransom payments."
They allegedly hacked into victim computer networks, copied and stole files and programmes on their network, and encrypted the original versions of the stolen data with Phobos ransomware. They are then accused of extorting victims in exchange for the decryption keys needed to regain access to the encrypted data.
First detected in December 2018, Phobos' Ransomware-as-a-Service (RaaS) model has turned it into a long-standing cybercrime tool that can be deployed by criminals with minimal technical expertise.
"8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact," said Europol.
"This group has been particularly aggressive in its double extortion tactics, not only encrypting victims' data but also threatening to publish stolen information unless a ransom was paid."
8Base is thought to have focused on targeting smaller companies with smaller ransom demands, sometimes in the hundreds or thousands of dollars range, unlike other networks targeting large corporations that can see millions of dollars in ransom.
© SecuringIndustry.com