8Base
8Base is a ransomware and double-extortion operation active since at least 2022 and publicly unveiled in May 2023. It rapidly became one of the more active ransomware groups, primarily targeting small and medium-sized organizations worldwide; reporting specifically cites victims in the United States, Brazil, and the United Kingdom, and sectors including finance, manufacturing, healthcare, and industrials. Reported victims and claims include the UN Development Programme, the Atlantic States Marine Fisheries Commission, a Canadian agency administering dental benefit plans for disabled people in Alberta, and claims tied to Volkswagen.

The group relied heavily on public victim disclosures as part of its coercion model, publishing victims on Tor-based leak sites and at times mirroring content via surface-web infrastructure. Its leak-site messaging accused victims of irresponsible handling of personal data, encouraged affected individuals to seek compensation, and offered data to support lawsuits against victim organizations.

Multiple sources link 8Base to Phobos. It is described as a spinoff or related strain of Phobos, and law enforcement activity under Europol's Operation Aether targeted 8Base as a group believed to be linked to Phobos. U.S. prosecutors said operators of Phobos and 8Base collected more than $16 million from victims worldwide since 2019. Reporting states that 8Base primarily used a customized Phobos ransomware variant identified as version 2.9.1, appended the .8base extension to encrypted files, and used a leak site referred to as "Space Bears." Reported initial access and delivery methods include phishing emails, initial access brokers, exposed RDP services, SmokeLoader, and infrastructure sold by KongTuke/TAG-124, which reportedly served 8Base alongside other ransomware operators.

Additional tooling and behavior attributed to the group include use of SystemBC, disabling security tools such as Windows Defender, deleting backups, modifying registry entries and firewall rules, encrypting local and network drives, and using Telegram for negotiations. Infrastructure and ecosystem reporting indicates 8Base maintained rotating onion leak sites, an official Telegram channel created in May 2023, an X account, and a temporary surface-web presence at 92.118.36.204. One investigation recorded 459 victims between May 2023 and February 2025, with St. Nicholas School in Brazil listed as the final recorded victim on 1 February 2025. Malware and infrastructure analysis found overlap between 8Base-linked hashes and hashes associated with ALPHV/BlackCat, BianLian, Knight, and Play, suggesting 8Base operated within a shared ransomware ecosystem rather than as a fully independent backend. 8Base was initially linked to RansomHouse because of ransom note similarities.

Law enforcement disrupted the group in February 2025. Bavarian/German authorities seized infrastructure hosting the 8Base leak site, four alleged leaders were arrested in Phuket, Thailand, and more than 400 companies were warned of impending attacks. Subsequent reporting describes the group as closed, dormant, fragmented, or significantly reduced after the takedown, though some analysis cautions that public silence does not definitively prove the underlying operation ended. Known aliases and related names directly mentioned include 8base, 8Base, and its linkage to Phobos; associated or overlapping brands mentioned in analysis include Space Bears and possible historical similarity to RansomHouse.
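The profile names a chain of host-level behaviors (disabling Windows Defender, deleting backups, tampering with firewall rules, writing files with the .8base extension). The following is an added detection sketch, not code from the page or from any vendor: it runs over constructed process-creation log lines and escalates a host only when several of those behaviors co-occur. The command-line patterns are assumed typical expressions of each behavior, not the group's exact commands, and the log format and host names are constructed.

```python
import re

# Constructed sample process-creation log lines (not from the page); each
# line is "<timestamp>|<host>|<user>|<image>|<command line>".
SAMPLE_LOGS = """\
2025-01-30T02:11:03Z|FS01|corp\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2025-01-30T02:11:05Z|FS01|corp\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh advfirewall set allprofiles state off
2025-01-30T02:11:09Z|FS01|corp\\svc_backup|C:\\Windows\\System32\\reg.exe|reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2025-01-30T02:12:40Z|FS01|corp\\svc_backup|C:\\Users\\Public\\x.exe|x.exe \\\\FS02\\share\\report.xlsx.8base
2025-01-30T08:30:00Z|WS17|corp\\alice|C:\\Program Files\\Office\\excel.exe|excel.exe report.xlsx
"""

# Behaviors the profile attributes to 8Base, mapped to command-line patterns.
# The patterns are assumed typical forms of each behavior (hypothetical),
# since the profile names the behaviors rather than the exact commands.
RULES = {
    "backup_deletion": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
    "firewall_tamper": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "defender_disable": re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring", re.I),
    "8base_extension": re.compile(r"\.8base\b", re.I),
}

def classify(line):
    """Return the names of the rules matching one log line's command-line field."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return []  # malformed line: ignore rather than crash the pipeline
    cmdline = fields[4]
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def triage(log_text, min_behaviours=3):
    """Collect matched behaviors per host and escalate hosts showing at least
    `min_behaviours` distinct ones, because the profile describes these actions
    as a chained sequence (kill defenses, remove backups, then encrypt)."""
    per_host = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            host = line.split("|", 4)[1]
            per_host.setdefault(host, set()).update(hits)
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

A single match (one shadow-copy deletion by a backup job) is noisy on its own; requiring several distinct behaviors on the same host is what makes the escalation worth an analyst's time.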
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Recent activity
Conducted a ransomware attack against the UN Development Programme (UNDP).
Identified as a ransomware operator customer of the KongTuke initial access service.
Ransomware group targeted by Europol Operation Aether; described as linked to Phobos.
Ransomware group referenced as also carrying out Phobos-linked ransomware attacks (relationship not further detailed in the content).