The US Department of Justice has charged two Russians arrested in Thailand during Operation Phobos Aetor. They are linked to the Phobos ransomware and their involvement in more than 1,000 ransomware attacks. Law enforcement also announced the seizure of the 8Base group's infrastructure.
The international operation Phobos Aetor involved the UK National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI), Europol, as well as law enforcement agencies in Belgium, the Czech Republic, France, Bavaria, Germany, Japan, Romania, Spain, Switzerland, Sweden, and Thailand.
Earlier this week, Thai authorities announced the arrest of four suspects linked to the Phobos ransomware. Law enforcement conducted coordinated raids at four locations in Phuket, which resulted in the seizure of laptops, smartphones, and cryptocurrency wallets. The arrests were made at the request of Swiss authorities, who asked the Thai government to extradite the suspects. According to local media, the suspects carried out attacks on at least 17 Swiss companies between April 2023 and October 2024.

At the same time as the Phobos operators were arrested, the 8Base ransomware group’s darknet sites were shut down. A “stub” appeared on the resources that were previously used to negotiate with victims and leak stolen data, stating that the sites were under government control.

Shortly after, the US Department of Justice released the names of two Russians arrested in Thailand and charged with 11 counts. US law enforcement said that Roman Berezhnoy, 33, and Egor Glebov, 39, carried out extortion attacks between May 2019 and October 2024. They are alleged to be responsible for more than 1,000 attacks on companies around the world, and the 8Base group has been linked to ransom payments in excess of $16 million. According to the Justice Department, Berezhnoy and Glebov operated the 8Base and Affiliate 2803 platforms, which used the Phobos ransomware in their attacks.

The charges against them include: wire fraud; conspiracy to commit wire fraud; conspiracy to commit computer fraud and abuse; intentional damage to protected computers; extortion involving damage to protected computers; threats to compromise the confidentiality of stolen data; unauthorized access to and retrieval of information from protected computers.

Recall that the US authorities had previously brought similar charges against Yevgeny Ptitsyn, another Russian citizen who was extradited to the US from South Korea late last year. He is believed to have played an administrative role in Phobos operations.
Europol representatives have also now released their own statement, announcing the seizure of 27 servers associated with the 8Base group, which allegedly led to the cessation of its activities.
In addition, Europol reported that one of Phobos' key partners was arrested in Italy back in 2023, which allowed investigators to infiltrate the group and obtain operational information. Ultimately, this helped protect hundreds of targets and prevent more than 400 extortion attacks around the world that were being prepared or had already begun.
“This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on investigating Phobos, others targeted 8Base, with some countries participating in both operations,” Europol explains.
The 8Base ransomware group appeared back in March 2022, but remained virtually inactive for quite a long time. However, in June 2023, the group suddenly began leaking data from multiple victim companies.
As VMware analysts reported at the time, 8Base is a rebranding of the well-known RansomHouse ransomware group, which claimed responsibility for hacking ADATA and AMD. In fact, the main difference between the two groups was that RansomHouse openly recruited new partners, while 8Base did not.
It was also noted that, from a technical point of view, the 8Base malware was a custom version of the Phobos 2.9.1 malware, which was loaded via SmokeLoader. Phobos is a Windows-oriented RaaS malware that first appeared in 2019, and its code is similar to another well-known ransomware, Dharma.
"Whether 8Base is a fork of Phobos or RansomHouse remains to be seen. Interestingly, 8Base is nearly identical to RansomHouse, but uses the Phobos ransomware," VMware wrote in 2023.