An international law-enforcement operation has led to the arrest in Thailand of two Russian nationals and two unidentified women who ran Phobos ransomware affiliate platforms.
Law enforcement agencies from 14 countries collaborated in an investigation against the related Phobos and 8Base ransomware operations, arresting four suspects and seizing 27 servers, including the data leak and ransom negotiation websites.
On Tuesday, the US Department of Justice also announced indictments against two Russian nationals who operated the “8Base” and “Affiliate 2803” affiliate platforms that deployed a variant of the Phobos ransomware.
The suspects, identified as Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, were reportedly arrested Monday in Phuket, Thailand, along with two women who haven’t been named yet. The arrests were executed based on Interpol warrants issued at the request of Swiss and US authorities.
According to Europol, the law enforcement investigation started in 2019, with some agencies focusing on Phobos and others on 8Base. As a result, more than 400 companies were warned about imminent ransomware attacks.
These are not the first arrests in connection with Phobos. An affiliate was arrested in Italy in 2023, and an administrator was arrested in South Korea in 2024. That administrator, another Russian national named Evgenii Ptitsyn, 42, was extradited to the United States where he was indicted in November.
8Base is a Phobos spin-off
The Phobos ransomware appeared in October 2018 and is estimated to have impacted more than 1,000 public and private organizations from around the world, earning its creators and affiliates over $16 million.
8Base is a group that appeared in 2022 but became much more visible and active in 2023. The group branded itself as “pen testers” and adopted a multi-extortion model like many other ransomware groups, running a data leak website hosted on the Tor network where victims were listed and threatened with publication of their stolen data.
“Phobos’ Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base,” Europol said. “Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact.”
8Base hackers primarily used phishing emails for initial compromise, then deployed the SystemBC remote access trojan for persistent access before deploying version 2.9.1 of the Phobos ransomware, which uses SmokeLoader for payload delivery. Over time, researchers observed similarities to RansomHub, another ransomware group.
8Base targeted organizations from around the world, but the US had the largest number of victims. The manufacturing, technology, education, and financial sectors were the most impacted.
“From May 2019, through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments,” the DOJ said. “The victims included a children’s hospital, health care providers, and educational institutions.”