4 Phobos Ransomware-Linked Russians Arrested in Europol and Eurojust Crackdown

• A law enforcement operation led to the arrest of four Russian nationals suspected of deploying Phobos ransomware.
• The crackdown disabled almost 30 servers utilized by the individuals in their cybercriminal endeavors.
• Moreover, 400 organizations around the world were warned about imminent ransomware threats.

Four Russian nationals leading the 8Base cybercriminal group suspected of deploying a variant of Phobos ransomware were arrested in a Europol-led law enforcement operation, resulting in the takedown of 27 servers tied to their criminal activities. 

As part of the crackdown, law enforcement warned over 400 organizations worldwide about imminent ransomware threats.

Law enforcement agencies from 14 countries participated in this complex international operation led by Europol and Eurojust, with some countries focusing on the investigation into Phobos, others targeting 8Base, and several participating in both.

On Monday, the U.S. Department of Justice (DOJ) announced criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, Russian nationals accused of running a cybercriminal group using Phobos ransomware as part of the same operation.

From May 2019 to October 2024, Berezhnoy and Glebov targeted hospitals, schools, and healthcare providers. Using Phobos ransomware, they stole data, encrypted files, and demanded ransom for decryption keys. Operating under aliases like "8Base" and "Affiliate 2803," their dual extortion scheme made Phobos a major threat to public and private sectors.

Berezhnoy and Glebov face an 11-count indictment, including wire fraud conspiracy, wire fraud conspiracy to commit computer fraud, intentional damage to protected computers, extortion related to protected computers, transmitting threats to harm data confidentiality, and unauthorized access to protected computers.

The arrests of 8Base leaders follow previous actions against Phobos ransomware. In 2023, an affiliate in Italy was arrested on a French warrant, and in 2024, a Phobos administrator was apprehended in South Korea and extradited to the U.S. for prosecution.  

8Base specialized in double-extortion and encrypting data and targeted small and medium-sized businesses, often vulnerable due to limited cybersecurity defenses.First detected in December 2018, Phobos ransomware enables a range of criminal actors through its Ransomware-as-a-Service (RaaS) model. The group reportedly extorted over $16 million from more than 1,000 public and private organizations worldwide, including U.S. victims.