Skip to content
Ransomware group

8Base

8Base is a ransomware operation and related ransomware strain commonly referred to as 8Base.

Profile source: Mallory opens in a new tab

8Base

Family profile

8Base is a ransomware operation and related ransomware strain commonly referred to as 8Base. The content describes it as a Ransomware-as-a-Service/spinoff operation linked to Phobos, with multiple sources stating that 8Base used a variant of Phobos or launched on leaked Phobos code. It emerged in 2022 and gained prominence in 2023, ramping up activity in the summer of 2023. The group primarily targeted small and medium-sized organizations worldwide and conducted double-extortion campaigns, stealing data and threatening publication on its data leak site. Reported victims and claimed targets mentioned in the content include public-sector entities, manufacturing and healthcare organizations, the United Nations Development Programme, the Atlantic States Marine Fisheries Commission, a Canadian agency administering dental benefit plans for disabled people in Alberta, and Volkswagen Group.

Technically, the ransomware is described as encrypting files with AES-256 in CBC mode and protecting per-drive or per-share AES keys with RSA. For files larger than 1.5 MB, it encrypts three 256 KB chunks at the beginning, middle, and end of the file. It appends the .8base extension to encrypted files, adds encrypted metadata and a plaintext footer, deletes Volume Shadow Copies, and disables recovery mode to hinder restoration. The content notes that encryption keys are zeroed from memory immediately after use, complicating key recovery. Initial access is reported to occur via phishing emails or initial access brokers.

The operation maintained a dark-web data leak site and used channels including Twitter and Telegram. One cited indicator is IP address 92.118.36.204, reported as hosting the 8Base data leak site. The group was repeatedly assessed as linked to Phobos, and law-enforcement reporting tied PHOBOS/8Base operators to more than 1,000 victims worldwide and over $16 million in ransom proceeds since 2019. Europol's Operation Aether targeted 8Base; reporting in the content states that infrastructure was disrupted, more than 100 servers tied to the broader scheme were taken down, arrests were made including in Thailand, and Bavarian police seized infrastructure hosting the 8Base leak site. Several sources state the group ceased or largely ceased operations following law-enforcement action in February 2025. The content also notes that authorities released free decryptors for Phobos and 8Base victims, including guidance published by Japan's National Police Agency.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • LaZagne
  • Mimikatz
  • NirSoft VNCPassView
  • NirSoft WebBrowserPassView
  • PasswordFox
  • ProcDump

Defense Evasion

  • GMER
  • PCHunter
  • ProcessHacker

Exfiltration

  • RClone

LOLBAS

  • PsExec

Reported operators

Threat actors

2 named in public reporting
ShadowSyndicate

It appears this IP address is hosting the 8Base Ransomware group’s Data Leak Site.

RansomHouse

The 8base ransomware group was unveiled in May 2023... 8base primarily targets small and medium-sized companies worldwide in double extortion campaigns.

MITRE ATT&CK

8Base in ATT&CK

28 distinct techniques

Reporting

Research mentioning 8Base

Feb 19
The Hacker News

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

Operation Aether, which targets the 8Base ransomware group, believed to be linked to Phobos.

Feb 17
The Record Media

Polish police detain alleged cybercriminal with Phobos ransomware ties | The Record from Recorded Future News

U.S. prosecutors previously said operators of Phobos and a related strain called 8Base collected upwards of $16 million from victims worldwide dating back to 2019. The spinoff operation named 8Base ramped up its activity in the summer of 2023...

Feb 17
Register Security

Polish cops arrest 47-year-old man in Phobos ransomware raid • The Register

Europol's ongoing Operation Aether... targets the 8Base ransomware group, believed to be linked to Phobos... the 8Base crew, which was first assembled in 2022.

Dec 25
Sentinelone

The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

...while releasing decryptors for Phobos and 8Base victims to provide tangible relief.

Nov 13
Checkpoint Research

The State of Ransomware - Q3 2025 - Check Point Research

This fragmentation follows the closure or dormancy of several major RaaS brands during the year, including RansomHub, 8Base, BianLian, Cactus, and others.

Nov 7
Scworld

Most public sector-aimed cyberattacks tied to hacktivist-led DDoS

The report also found that RansomHub, LockBit 3.0, and 8Base were the most common ransomware variants affecting the industry.

Aug 19
Talos Intelligence

Ransomware incidents in Japan during the first half of 2025

LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.

Aug 4
Halcyon Attacks News

Power Rankings: Ransomware Malicious Quartile Q2-2025

The 8Base ransomware group—originally emerging in March 2022 as a Ransomware-as-a-Service (RaaS) operation—is now considered a diminishing threat following a major law enforcement disruption in early 2025.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.