8Base
8Base is a ransomware operation and the ransomware strain of the same name, widely described as a Phobos-linked or Phobos-derived variant. Public reporting indicates the group formed in 2022 and gained prominence in 2023; several sources state that it was built on leaked Phobos code and deployed a Phobos variant. It ran a double-extortion model: victim files were encrypted, and stolen data was threatened with publication on a dark-web leak site if the victim did not pay. 8Base primarily targeted small and medium-sized organizations worldwide, but was also observed affecting public-sector, manufacturing, healthcare and other organizations, and was among the more frequently observed ransomware groups in Japan and in some public-sector reporting.
Technical behavior reported for the strain includes AES-256-CBC file encryption with the per-drive or per-share AES keys wrapped with RSA, the .8base extension appended to encrypted files, chunked encryption of large files (three 256 KB chunks for files larger than 1.5 MB, which leaves most of a large file's contents untouched), deletion of Volume Shadow Copies, disabling of recovery mode, and encrypted metadata plus a plaintext footer appended to each encrypted file. Encryption keys are reported to be zeroed in memory immediately after use, which complicates key recovery from memory captures. Initial access was most commonly obtained through phishing e-mails or bought from initial access brokers. The group ran a data leak site and also referenced Twitter and Telegram channels.
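The chunked encryption of large files has a practical consequence for detection: a 2 MB file in which only three 256 KB chunks were replaced with ciphertext still looks mostly like plaintext to a whole-file entropy check. The scanner below is an added example written for this page; it is not 8Base code and not Mallory tooling. It takes from the page only the .8base extension, the 1.5 MB threshold and the 256 KB chunk size. The chunk positions (start, middle, end), the 64 KB scan window, the 7.5 bits/byte threshold and the sample files are assumptions, and seeded random bytes stand in for ciphertext.

```python
import math
import os
import random
import tempfile
from collections import Counter

EXT = ".8base"                        # extension the page reports on encrypted files
LARGE_FILE = int(1.5 * 1024 * 1024)   # page: files above this size are chunk-encrypted
CHUNK = 256 * 1024                    # page: three 256 KB chunks per large file
WINDOW = 64 * 1024                    # assumption: scan window, deliberately smaller than a chunk
HIGH_ENTROPY = 7.5                    # assumption: bits/byte at or above which a window looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window of the buffer (the last window may be short)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def triage(path: str) -> dict:
    """Score one file: extension, naive whole-file entropy and windowed entropy."""
    with open(path, "rb") as fh:
        data = fh.read()
    ents = window_entropies(data)
    return {
        "path": path,
        "size": len(data),
        "ext_match": path.endswith(EXT),
        "large": len(data) > LARGE_FILE,
        "whole_entropy": shannon_entropy(data),
        "windows": len(ents),
        "high_windows": sum(1 for e in ents if e >= HIGH_ENTROPY),
    }


def verdict(t: dict) -> str:
    """Classify a triage record; the third branch is the case a whole-file threshold misses."""
    if t["ext_match"]:
        return "encrypted (extension)"
    if t["windows"] and t["high_windows"] == t["windows"]:
        return "encrypted (all windows high entropy)"
    if t["large"] and t["high_windows"] > 0:
        return "suspect partial encryption (large file, mixed entropy)"
    return "clean"


def scan_tree(root: str) -> list:
    """Triage every file under root and attach a verdict to each record."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            rec = triage(os.path.join(dirpath, name))
            rec["verdict"] = verdict(rec)
            out.append(rec)
    return out


def build_samples(root: str) -> None:
    """Write constructed sample files (not real 8Base output); random bytes stand in for ciphertext."""
    rng = random.Random(2023)
    line = b"invoice_id,customer,amount\n"

    def plaintext(n: int) -> bytes:
        return (line * (n // len(line) + 1))[:n]

    # 2 MB document with three 256 KB ciphertext chunks; the positions are an assumption.
    size = 2 * 1024 * 1024
    buf = bytearray(plaintext(size))
    for off in (0, size // 2, size - CHUNK):
        buf[off:off + CHUNK] = rng.randbytes(CHUNK)
    samples = {
        "ledger.xlsx" + EXT: bytes(buf),                 # renamed after encryption
        "ledger.xlsx": bytes(buf),                       # same layout, extension not (yet) appended
        "notes.docx" + EXT: rng.randbytes(100 * 1024),   # small file, fully encrypted
        "report.csv": plaintext(300 * 1024),             # untouched plaintext
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the samples in a temporary directory, scan them and return records keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return {os.path.basename(r["path"]): r for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:20} whole={r['whole_entropy']:.2f} bits/byte "
              f"high_windows={r['high_windows']}/{r['windows']} -> {r['verdict']}")
```

Running it prints one line per constructed file. The partially encrypted 2 MB sample scores well under 7 bits/byte overall, yet 12 of its 32 windows sit at ciphertext-level entropy; that windowed signal is what a whole-file threshold misses, and it is also the only signal available before the extension is appended.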
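The shadow-copy deletion and recovery-mode disabling are host-level precursors that a process-creation log catches before any file is renamed. The correlation below is an added example for this page, not an 8Base artifact and not a Mallory rule. The events are constructed in the shape of Sysmon Event ID 1 / Security 4688 command lines, the command patterns are the standard Windows tools for those actions rather than strings quoted from the page, and the five-minute window and two-technique threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for recovery-inhibition commands. These are the standard Windows tools for
# deleting shadow copies and disabling recovery; they are not strings quoted from the page.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}
CORRELATION_WINDOW = timedelta(minutes=5)  # assumption: burst window
MIN_DISTINCT = 2                            # assumption: distinct techniques on one host needed to alert

# Constructed process-creation events (timestamp, host, user, command line), shaped like
# Sysmon Event ID 1 / Security 4688 records. Not taken from the page or any real incident.
EVENTS = [
    ("2023-08-14T02:11:03", "WS-042", "backup-svc", "vssadmin list shadows"),
    ("2023-08-14T02:13:40", "WS-042", "jdoe", "vssadmin.exe delete shadows /all /quiet"),
    ("2023-08-14T02:13:41", "WS-042", "jdoe", "wmic shadowcopy delete"),
    ("2023-08-14T02:13:42", "WS-042", "jdoe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("2023-08-14T02:13:42", "WS-042", "jdoe", "bcdedit /set {default} recoveryenabled no"),
    ("2023-08-14T02:13:43", "WS-042", "jdoe", "wbadmin delete catalog -quiet"),
    ("2023-08-14T09:30:00", "SRV-07", "backup-svc", "wbadmin start backup -backupTarget:E: -include:C:"),
    ("2023-08-14T23:59:00", "SRV-07", "admin", "vssadmin delete shadows /for=C: /oldest"),
]


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events) -> list:
    """One alert per host when MIN_DISTINCT techniques fire within CORRELATION_WINDOW."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for name in match_rules(cmd):
            hits[host].append((datetime.fromisoformat(ts), name, user, cmd))
    alerts = []
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _, _, _) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - t0 <= CORRELATION_WINDOW]
            techniques = sorted({r[1] for r in burst})
            if len(techniques) >= MIN_DISTINCT:
                alerts.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "users": sorted({r[2] for r in burst}),
                    "techniques": techniques,
                    "commands": [r[3] for r in burst],
                })
                break  # the first qualifying burst per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['host']} at {a['start']} by {','.join(a['users'])}: "
              f"{len(a['techniques'])} recovery-inhibition techniques")
        for c in a["commands"]:
            print("   ", c)
```

On the constructed data only WS-042 alerts: five distinct techniques inside three seconds. The lone `vssadmin delete shadows /for=C: /oldest` on SRV-07 matches a rule but stays below the two-technique threshold, which is the right place to separate routine backup housekeeping from a ransomware pre-encryption burst; a single deletion belongs in a lower-severity rule, not in this alert.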
Reporting repeatedly ties 8Base to Phobos investigations and law-enforcement activity. Europol's Operation Aether targeted 8Base, which authorities believed was linked to Phobos. U.S. prosecutors stated that operators of Phobos and the related 8Base strain collected more than $16 million from victims worldwide since 2019, and that Phobos/8Base activity affected more than 1,000 organizations globally. Law-enforcement actions in 2024 and 2025 included infrastructure seizures, arrests in Thailand, indictments tied to the Phobos/8Base operation, and a major disruption in February 2025, after which several sources describe 8Base as dormant, ceased, or a diminishing threat. Japanese authorities released free decryptors for Phobos and 8Base victims.
Victims named in reporting include the United Nations Development Programme, Volkswagen Group, the Atlantic States Marine Fisheries Commission, and a Canadian agency administering dental benefit plans for people with disabilities in Alberta. ENISA reporting listed 8Base among the most common ransomware variants affecting the public sector. The only high-confidence indicators and identifiers given are the .8base file extension and the availability of free decryptors for Phobos/8Base victims.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The 8base ransomware group was unveiled in May 2023... 8base primarily targets small and medium-sized companies worldwide in double extortion campaigns.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Ransomware group referenced as a law-enforcement target and believed to be linked to Phobos.
Ransomware strain/operation described as a Phobos-related spinoff that increased activity in summer 2023 and claimed multiple high-profile victims.
Ransomware operation (group) targeted by law enforcement; described as linked to Phobos and assembled in 2022.
Related/spinoff ransomware strain associated with the Phobos ecosystem; increased activity noted starting summer 2023 and claimed multiple high-profile victims.