Credential Theft
- LaZagne
- Mimikatz
- NirSoft VNCPassView
- NirSoft WebBrowserPassView
- PasswordFox
- ProcDump
8Base is a ransomware operation and related ransomware strain commonly referred to as 8Base.
Profile source: Mallory opens in a new tab8Base
8Base is a ransomware operation and related ransomware strain commonly referred to as 8Base. The content describes it as a Ransomware-as-a-Service/spinoff operation linked to Phobos, with multiple sources stating that 8Base used a variant of Phobos or launched on leaked Phobos code. It emerged in 2022 and gained prominence in 2023, ramping up activity in the summer of 2023. The group primarily targeted small and medium-sized organizations worldwide and conducted double-extortion campaigns, stealing data and threatening publication on its data leak site. Reported victims and claimed targets mentioned in the content include public-sector entities, manufacturing and healthcare organizations, the United Nations Development Programme, the Atlantic States Marine Fisheries Commission, a Canadian agency administering dental benefit plans for disabled people in Alberta, and Volkswagen Group.
Technically, the ransomware is described as encrypting files with AES-256 in CBC mode and protecting per-drive or per-share AES keys with RSA. For files larger than 1.5 MB, it encrypts three 256 KB chunks at the beginning, middle, and end of the file. It appends the .8base extension to encrypted files, adds encrypted metadata and a plaintext footer, deletes Volume Shadow Copies, and disables recovery mode to hinder restoration. The content notes that encryption keys are zeroed from memory immediately after use, complicating key recovery. Initial access is reported to occur via phishing emails or initial access brokers.
The operation maintained a dark-web data leak site and used channels including Twitter and Telegram. One cited indicator is IP address 92.118.36.204, reported as hosting the 8Base data leak site. The group was repeatedly assessed as linked to Phobos, and law-enforcement reporting tied PHOBOS/8Base operators to more than 1,000 victims worldwide and over $16 million in ransom proceeds since 2019. Europol's Operation Aether targeted 8Base; reporting in the content states that infrastructure was disrupted, more than 100 servers tied to the broader scheme were taken down, arrests were made including in Thailand, and Bavarian police seized infrastructure hosting the 8Base leak site. Several sources state the group ceased or largely ceased operations following law-enforcement action in February 2025. The content also notes that authorities released free decryptors for Phobos and 8Base victims, including guidance published by Japan's National Police Agency.
Ransomware.live
Reported operators
It appears this IP address is hosting the 8Base Ransomware group’s Data Leak Site.
The 8base ransomware group was unveiled in May 2023... 8base primarily targets small and medium-sized companies worldwide in double extortion campaigns.
MITRE ATT&CK
Reporting
Operation Aether, which targets the 8Base ransomware group, believed to be linked to Phobos.
U.S. prosecutors previously said operators of Phobos and a related strain called 8Base collected upwards of $16 million from victims worldwide dating back to 2019. The spinoff operation named 8Base ramped up its activity in the summer of 2023...
Europol's ongoing Operation Aether... targets the 8Base ransomware group, believed to be linked to Phobos... the 8Base crew, which was first assembled in 2022.
...while releasing decryptors for Phobos and 8Base victims to provide tangible relief.
This fragmentation follows the closure or dormancy of several major RaaS brands during the year, including RansomHub, 8Base, BianLian, Cactus, and others.
The report also found that RansomHub, LockBit 3.0, and 8Base were the most common ransomware variants affecting the industry.
LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.
The 8Base ransomware group—originally emerging in March 2022 as a Ransomware-as-a-Service (RaaS) operation—is now considered a diminishing threat following a major law enforcement disruption in early 2025.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.