8Base
8Base is a ransomware operation and the ransomware strain it deploys, both commonly referred to as 8Base. The content describes it as a Ransomware-as-a-Service/spinoff operation linked to Phobos, with multiple sources stating that 8Base used a Phobos variant or launched on leaked Phobos code. It emerged in 2022 and gained prominence in 2023, ramping up activity in the summer of that year. The group primarily targeted small and medium-sized organizations worldwide and ran double-extortion campaigns, stealing data and threatening to publish it on its data leak site. Reported victims and claimed targets mentioned in the content include public-sector entities, manufacturing and healthcare organizations, the United Nations Development Programme, the Atlantic States Marine Fisheries Commission, a Canadian agency administering dental benefit plans for disabled people in Alberta, and Volkswagen Group.
Technically, the ransomware is described as encrypting files with AES-256 in CBC mode and protecting the per-drive or per-share AES keys with RSA. Files larger than 1.5 MB are not encrypted in full: only three 256 KB chunks, at the beginning, middle and end of the file, are encrypted, which keeps the run fast and leaves the rest of a large file in plaintext. It appends the .8base extension to encrypted files, adds encrypted metadata and a plaintext footer, deletes Volume Shadow Copies, and disables recovery mode to hinder restoration. The content notes that encryption keys are zeroed from memory immediately after use, which complicates key recovery from memory captures. Initial access is reported to occur via phishing emails or through initial access brokers.
The operation maintained a dark-web data leak site and used channels including Twitter and Telegram. One cited indicator is IP address 92.118.36.204, reported as hosting the 8Base data leak site. The group was repeatedly assessed as linked to Phobos, and law-enforcement reporting tied PHOBOS/8Base operators to more than 1,000 victims worldwide and over $16 million in ransom proceeds since 2019. Europol's Operation Aether targeted 8Base; reporting in the content states that infrastructure was disrupted, more than 100 servers tied to the broader scheme were taken down, arrests were made including in Thailand, and Bavarian police seized the infrastructure hosting the 8Base leak site. Several sources state the group ceased or largely ceased operations following the law-enforcement action in February 2025. The content also notes that authorities released free decryptors for Phobos and 8Base victims, including guidance published by Japan's National Police Agency.
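The partial-encryption scheme described above has a practical consequence for triage: for any file over 1.5 MB, everything outside the three 256 KB chunks is still plaintext and can be carved out without a key. The following script is an added example written for this page (it is not 8Base's code and not taken from any vendor report). It models the scheme exactly as the write-up states it, computes the regions an encryptor following that scheme overwrites, checks each region's byte entropy to confirm it really was encrypted, and returns the complementary plaintext regions. The placement of the middle chunk, the 7.0 bits/byte entropy cut-off, and the constructed sample "log file" are assumptions and are marked as such in the code; the appended metadata/footer format is not reproduced on the page, so the script operates on the original (pre-append) size.

```python
"""Triage of a Phobos/8Base-style partially encrypted file.

Added example for this page, not 8Base's code. Models the scheme in the
write-up: files up to 1.5 MB are encrypted whole; larger files have three
256 KB chunks (start, middle, end) encrypted and the rest left intact.
The exact placement of the middle chunk and the entropy cut-off are
assumptions, not documented 8Base behaviour.
"""
import math
import random
from collections import Counter

CHUNK = 256 * 1024                    # 256 KB encrypted chunk (from the write-up)
FULL_ENCRYPT_LIMIT = 3 * 512 * 1024   # 1.5 MB threshold (from the write-up)
ENTROPY_CUTOFF = 7.0                  # bits/byte; AES output sits near 8.0 (assumption)


def encrypted_ranges(original_size: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) the encryptor overwrites, given the file's
    size before encryption (i.e. without the appended metadata/footer)."""
    if original_size <= FULL_ENCRYPT_LIMIT:
        return [(0, original_size)]
    middle = (original_size - CHUNK) // 2        # assumed placement of the middle chunk
    return [(0, CHUNK), (middle, middle + CHUNK), (original_size - CHUNK, original_size)]


def intact_ranges(original_size: int) -> list[tuple[int, int]]:
    """Complement of encrypted_ranges(): plaintext that survives and can be carved."""
    gaps, cursor = [], 0
    for start, end in encrypted_ranges(original_size):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < original_size:
        gaps.append((cursor, original_size))
    return gaps


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(buf: bytes) -> list[dict]:
    """Classify each region the scheme should have encrypted by its entropy,
    so a file that was only renamed (or never reached) is not mistaken for encrypted."""
    report = []
    for start, end in encrypted_ranges(len(buf)):
        h = shannon_entropy(buf[start:end])
        report.append({"start": start, "end": end,
                       "entropy": round(h, 3), "encrypted": h >= ENTROPY_CUTOFF})
    return report


def build_sample(size: int = 2 * 1024 * 1024, seed: int = 1337) -> tuple[bytes, bytes]:
    """Constructed sample: a low-entropy 2 MiB 'log file' and a copy whose three
    chunks are overwritten with PRNG bytes standing in for AES-CBC ciphertext."""
    line = b'2025-02-11T10:00:00Z web01 GET /index.html 200 1234 "Mozilla/5.0"\n'
    plain = (line * (size // len(line) + 1))[:size]
    rng = random.Random(seed)                     # deterministic stand-in for ciphertext
    victim = bytearray(plain)
    for start, end in encrypted_ranges(size):
        victim[start:end] = rng.randbytes(end - start)
    return plain, bytes(victim)


if __name__ == "__main__":
    plain, victim = build_sample()
    for row in triage(victim):
        print(row)
    print("carvable plaintext regions:", intact_ranges(len(victim)))
```

On a real .8base file, first separate the appended metadata and plaintext footer from the original content (the page does not reproduce their layout, so that step is not shown here) and pass the original size to `intact_ranges()`; the returned regions can then be copied out and fed to format-specific carvers. Files at or below 1.5 MB have no intact region under this scheme, and because keys are zeroed after use, the realistic recovery path for those is the decryptor released by law enforcement rather than memory forensics.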
Groups observed using it
Two distinct threat actors are attributed to this family by public researchers.
It appears this IP address is hosting the 8Base Ransomware group’s Data Leak Site.
The 8base ransomware group was unveiled in May 2023... 8base primarily targets small and medium-sized companies worldwide in double extortion campaigns.
IOCs tracked for this family
12 indicators (IP addresses, domains and DNS infrastructure; MD5, SHA-1 and SHA-256 file hashes; other indicator types) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware group referenced as a law-enforcement target and believed to be linked to Phobos.
Ransomware strain/operation described as a Phobos-related spinoff that increased activity in summer 2023 and claimed multiple high-profile victims.
Ransomware operation (group) targeted by law enforcement; described as linked to Phobos and assembled in 2022.
Related/spinoff ransomware strain associated with the Phobos ecosystem; increased activity noted starting summer 2023 and claimed multiple high-profile victims.