Law enforcement arrests criminals behind ransomware extortions

A coordinated international law enforcement action in early February has led to the arrest of four individuals leading the 8Base ransomware group. These individuals, all Russian nationals, are suspected of deploying a variant of Phobos ransomware to extort high-value payments from victims across Europe and beyond. At the same time, 27 servers linked to the criminal network were taken down.

This follows a series of high-impact arrests targeting Phobos ransomware:

  • An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.
  • A key Phobos affiliate was arrested in Italy in 2023 on a French arrest warrant, further weakening the network behind this ransomware strain.

As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks.

This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both.

Europol played a critical role in bringing together intelligence from these separate investigations, enabling authorities to take down key actors from both ransomware networks in a coordinated effort.

Phobos: Discreet but highly effective ransomware

First detected in December 2018, Phobos ransomware has been a long-standing cybercrime tool, frequently used in large-scale attacks against businesses and organizations worldwide. 

Unlike high-profile ransomware groups that target major corporations, Phobos relies on high-volume attacks against small to medium-sized businesses, which often lack the cybersecurity defenses to protect themselves.

Its Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base. The adaptability of this framework has allowed attackers to customize their ransomware campaigns with minimal technical expertise, further fueling its widespread use.

Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact. This group has been particularly aggressive in its double extortion tactics, not only encrypting victims’ data but also threatening to publish stolen information unless a ransom was paid.
