Global Law Enforcement Operation Impacts 8Base Ransomware Leaks Site
International law enforcement agencies have seized the dark web leak site of the 8Base ransomware gang as part of a coordinated takedown operation.
A message on the gang’s site, confirmed by TechCrunch, states that the Bavarian State Criminal Police Office led the operation on behalf of the Public Prosecutor General in Bamberg.
Authorities from Europe, Japan, the U.S., and the U.K. participated, with the U.K.’s National Crime Agency confirming its supportive role.
8Base, known for targeting multiple sectors across the U.S., including healthcare, has used ransomware strains like Phobos in its attacks. The gang previously claimed responsibility for a cyberattack on the United Nations Development Programme.
It justified its actions by branding itself as ethical “pentesters” exposing companies that neglect data security. The U.S. government had previously warned about 8Base’s indiscriminate attacks and secured the extradition of an alleged Russian hacker linked to Phobos ransomware operations.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, 8Base emerged in March 2022 and has rapidly become one of the most active and formidable cybercriminal groups.
Their activity surged dramatically in early 2024, cementing their status as a major threat. Analysts speculate that 8Base may be an offshoot of experienced Ransomware-as-a-Service (RaaS) operators, with possible ties to RansomHouse, a data extortion group that gained prominence in late 2022 and early 2023. Additionally, links to the leaked Babuk ransomware builder have been suggested.
8Base employs a double extortion strategy, exfiltrating sensitive data before deploying ransomware to maximize leverage over victims. The group is highly adept at evading security defenses, frequently modifying Windows Defender Firewall settings to bypass protections.
They also delete Volume Shadow Copies (VSS) to hinder data recovery, ensuring victims have minimal options outside of paying the ransom.
Unlike traditional RaaS groups, 8Base does not openly recruit affiliates through a public platform. Instead, they appear to operate privately with a vetted group of attackers, employing multiple ransomware payloads.
Their most commonly used strain is a customized version of Phobos, often delivered via SmokeLoader. These attacks are fast and efficient, with encrypted files typically bearing a “.8base” extension.
8Base employs a sophisticated arsenal of tools to escalate privileges and maintain persistence within compromised networks. Using Mimikatz, they extract credentials to gain deeper access, while SoftPerfect Network Scanner helps them map out potential targets within an organization’s infrastructure.
To move laterally across the network, they leverage PsExec and Remote Desktop Protocol (RDP), enabling them to infiltrate additional systems efficiently. Their operations are almost exclusively focused on Windows environments, with no known evidence of targeting Linux systems.
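The behaviours described above (Volume Shadow Copy deletion, Windows Defender Firewall tampering, PsExec lateral movement and the ".8base" extension on encrypted files) are all visible in endpoint telemetry well before the ransom note. The following is an added detection example, not code from the original post or from Halcyon: it runs simple rules over constructed Sysmon-style process-creation and file-creation events (hosts, paths and command lines are made up) and escalates hosts that trip more than one distinct rule. The regex patterns and the two-rule threshold are assumptions for illustration, not a published rule set.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style sample telemetry ("process" = process creation,
# "file" = file creation); hosts, paths and command lines are made up.
SAMPLE_EVENTS = [
    ("ws01", "process", r"C:\Windows\System32\notepad.exe C:\Users\a\report.txt"),
    ("ws01", "process", r"vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "process", r"netsh advfirewall set allprofiles state off"),
    ("ws01", "file", r"C:\Users\a\Documents\q1-forecast.xlsx.8base"),
    ("srv02", "process", r"C:\Windows\PSEXESVC.exe"),
    ("srv02", "process", r"wmic shadowcopy delete"),
    ("ws03", "process", r"vssadmin.exe list shadows"),  # benign admin check
]

# Assumed detection patterns for the behaviours the post describes.
PROCESS_RULES = {
    # Recovery inhibition: deleting Volume Shadow Copies
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I),
    # Defense evasion: switching Windows Defender Firewall profiles off
    "firewall_tampering": re.compile(
        r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    # Lateral movement: the PsExec service binary starting on a host
    "psexec_service": re.compile(r"\\PSEXESVC\.exe\b", re.I),
}
FILE_RULES = {
    "8base_extension": re.compile(r"\.8base$", re.I),  # encrypted-file rename
}

def detect(events):
    """Return one (host, rule_name, detail) tuple per rule match."""
    findings = []
    for host, kind, detail in events:
        rules = PROCESS_RULES if kind == "process" else FILE_RULES
        for name, pattern in rules.items():
            if pattern.search(detail):
                findings.append((host, name, detail))
    return findings

def hosts_to_escalate(findings, min_rules=2):
    """Map host -> sorted rule names for hosts tripping at least min_rules
    distinct rules: a single hit may be admin activity, a chain is not."""
    per_host = defaultdict(set)
    for host, rule, _ in findings:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}
```

Calling `hosts_to_escalate(detect(SAMPLE_EVENTS))` returns ws01 and srv02 but not ws03, whose lone `vssadmin list shadows` is a read-only query; in practice the event source would be a SIEM query over Sysmon Event ID 1 and 11 rather than an inline list.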
This highly targeted approach, combined with their advanced tactics, allows 8Base to maximize disruption and maintain a strong foothold in compromised networks.
8Base predominantly targets financial, healthcare, and IT sectors, but about half of their victims belong to business services, manufacturing, and construction industries. Their ransom demands are known to be aggressive, often accompanied by threats to publicly release stolen data on their “name and shame” leak site if payment is not made promptly.
Throughout 2023 and 2024, 8Base has consistently ranked among the most active ransomware groups, demonstrating a high volume of attacks and a deep understanding of ransomware operations and security evasion techniques.
Their strategic approach, reliance on private affiliates, and rapid operational tempo continue to make them a significant cybersecurity threat.
Notable victims include Volkswagen Group, Inno Group, GPI Corporate, Lyon Terminal, East Coast Fisheries, Keystone Insurance Services, Spectra Industrial, Kansas Medical Center, Danbury Public Schools, BTU, Advanced Fiberglass Industries, ANL Packaging and more.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.