What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1. Do NOT fix it yourself
2. Disconnect affected systems
3. Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner


Why you shouldn’t attempt to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after an 8Base attack can make a huge difference and help you make a full recovery. Request 24/7 8Base ransomware recovery services to decrypt your data and maximize your chances of restoring operations.


8Base ransomware statistics & facts

8Base decryptor
8Base IOCs
8Base attack vectors
Case outcomes
How to remove 8Base ransomware?
How to recover from 8Base ransomware?
Ransom amounts
8Base decryptor

Following the February 2025 Operation PHOBOS AETOR, Japanese authorities released a free decryption tool for Phobos and 8Base ransomware variants. The tool supports files with extensions including .8base, .phobos, .elbie, .faust, and .LIZARD. However, decryption success depends on the specific variant and encryption method used in your attack. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.

8Base IOCs

Important note: IOCs often change because 8Base constantly updates its tools and affiliates operate with varying configurations. This list includes recurring, widely confirmed indicators based on HC3, Trend Micro, SentinelOne, Europol, FBI, and IR case data.

File extensions
The original .8base extension is the most common. Other variants include:

.id[{Volume Serial Number}-{Generated ID}].[{attacker email}].8base
.eight
.phobos (when using Phobos variant)
.elbie
.faust
.LIZARD

*The exact extension format varies by affiliate and campaign.
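To turn the extension pattern above into something an IR team can act on, here is an added example (illustrative code, not the page's or UnderDefense's tooling) that parses Phobos-style encrypted filenames and groups them by affiliate configuration, so a single directory listing tells you how many hosts wrote to a share and whether more than one build was involved. The exact formats of the two ID sub-fields are not fixed by the page, so the parser only assumes a dash-separated two-part bracket; the sample listing and the example.invalid contact address are constructed.

```python
"""Triage Phobos/8Base-style encrypted filenames.

Added example, not UnderDefense's tooling. It parses the layout the page
describes, <name>.id[<victim ID>-<campaign ID>].[<attacker email>].<ext>.
The bracket sub-fields' exact formats are an assumption (any two
dash-separated parts are accepted); the sample names below and the
example.invalid address are constructed.
"""
import re
from collections import Counter
from typing import Optional

# Extensions the page associates with Phobos/8Base campaigns (lower-case).
KNOWN_EXTENSIONS = {"8base", "eight", "phobos", "elbie", "faust", "lizard"}

# The .id[...] bracket is what makes a name Phobos-like; the e-mail bracket
# is optional because some affiliate builds omit it.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[^\]\-]+)-(?P<campaign_id>[^\]]+)\]"
    r"(?:\.\[(?P<email>[^\]]+)\])?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name: str) -> Optional[dict]:
    """Return the parsed fields, or None when the name is not Phobos-style."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["known_extension"] = fields["ext"].lower() in KNOWN_EXTENSIONS
    return fields


def summarize(names) -> dict:
    """Count encrypted vs. untouched names and group hits by affiliate
    configuration (campaign ID, contact address, extension). More than one
    victim ID in a single share means more than one host wrote to it."""
    hits = [p for p in map(parse_encrypted_name, names) if p]
    configs = Counter((p["campaign_id"], p["email"], p["ext"]) for p in hits)
    return {
        "encrypted": len(hits),
        "clean": len(names) - len(hits),
        "victim_ids": sorted({p["victim_id"] for p in hits}),
        "unknown_extensions": sorted({p["ext"] for p in hits if not p["known_extension"]}),
        "configs": dict(configs),
    }


# Constructed directory listing from a hypothetical file share.
SAMPLE_LISTING = [
    "Q3-forecast.xlsx.id[1A2B3C4D-3351].[contact@example.invalid].8base",
    "payroll.accdb.id[1A2B3C4D-3351].[contact@example.invalid].8base",
    "scans/contract.pdf.id[1A2B3C4D-3351].[contact@example.invalid].8base",
    "notes.txt.id[DEADBEEF-2001].elbie",   # second host, build without e-mail bracket
    "info.txt",                            # ransom note, not an encrypted file
    "readme.docx",                         # untouched
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_encrypted_name(name))
    print(summarize(SAMPLE_LISTING))
```

Run it against `find /share -type f` output from the affected volume; a second victim ID or a second contact address in the same share is the quickest signal that more than one affiliate build or more than one host was involved, which changes the scope of the containment.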

Ransom note filenames
The primary ransom notes dropped by 8Base include:

info.txt
info.hta

These notes are placed in affected folders and on the desktop. The .hta file is automatically executed using mshta.exe to display the ransom demand immediately after encryption, so mshta.exe launching an info.hta from an unusual parent process is itself a usable detection, although by that point encryption has already finished.

8Base hashes
SHA256 hashes for known 8Base payloads and related tools are not reproduced here because they change with every campaign; pull current values from the HC3, Trend Micro, SentinelOne, and FBI reports referenced above and treat any hash as a campaign-specific pivot rather than a long-lived indicator:

Encryptor: Phobos 2.9.1 variant builds used by 8Base (hashes vary by campaign and affiliate deployment)

KILLAV (defoff.bat) variants used to disable Windows Defender (multiple hash variants detected across campaigns)

*Hash values change frequently as affiliates modify payloads.

8Base tools
For EDR disabling:

defoff.bat (KILLAV)
PCHunter
GMER
Process Hacker

For credential dumping:

Mimikatz
LaZagne
WebBrowserPassView
VNCPassView
PasswordFox
ProcDump

For initial access and delivery:

SmokeLoader
SystemBC (proxy and RAT)
Phishing emails with malicious attachments

For data exfiltration:

RClone
Third-party web services

For lateral movement:

PsExec
WMI commands
Legitimate admin tools

Most common red flag
8Base almost always runs these commands:

vssadmin.exe Delete Shadows /all /quiet
wmic shadowcopy delete

Additionally, watch for:

netsh advfirewall set currentprofile state off
bcdedit /set {default} bootstatuspolicy ignoreallfailures

*If you detect these commands executing, data encryption is moments away.
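Here is an added example of the detection logic a SOC would run over process-creation telemetry for the commands above (illustrative code, not UnderDefense's or any vendor's detection content). The events are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields. The page's four commands are covered, and the example also matches `bcdedit /set {default} recoveryenabled no` and `wbadmin delete catalog`, which CISA's Phobos advisory AA24-060A documents for the same family. The point the code makes beyond the list itself: match on the normalized command line rather than on "vssadmin" as a substring, because backup agents legitimately run `vssadmin list shadows` and `vssadmin create shadow`, and escalate when two or more distinct precursors fire on one host within minutes.

```python
"""Flag the recovery-inhibition commands that precede Phobos/8Base encryption.

Added example, not UnderDefense's or any vendor's detection content. The
events are constructed in the shape of Sysmon Event ID 1 / Windows 4688
fields (timestamp, host, user, parent image, command line). The page's four
commands are covered, plus two more documented for the Phobos family in CISA
advisory AA24-060A (bcdedit recoveryenabled no, wbadmin delete catalog).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, ATT&CK technique, regex over the normalized command line)
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("netsh_firewall_off", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("bcdedit_ignore_failures", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing or padding can't dodge the regexes."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def match_rules(cmdline: str) -> list:
    """Return every (rule, technique) pair the command line triggers."""
    norm = normalize(cmdline)
    return [(name, tech) for name, tech, rx in RULES if rx.search(norm)]


def triage(events, window: timedelta = timedelta(minutes=15)) -> dict:
    """Per host: two or more distinct precursors inside the window is the
    'encryption is moments away' condition; one hit is still worth a ticket."""
    hits = defaultdict(list)
    for ts, host, user, parent, cmd in events:
        for name, tech in match_rules(cmd):
            hits[host].append((datetime.fromisoformat(ts), name, tech, user, parent, cmd))
    report = {}
    for host, rows in hits.items():
        rows.sort()
        distinct = sorted({r[1] for r in rows})
        span = rows[-1][0] - rows[0][0]
        if len(distinct) >= 2 and span <= window:
            verdict = "CRITICAL: recovery-inhibition chain, isolate host now"
        else:
            verdict = "HIGH: single precursor, investigate parent process"
        report[host] = {"verdict": verdict, "rules": distinct, "events": rows}
    return report


# Constructed process-creation events; the backup agent's 'list shadows' and
# the admin's 'create shadow' are the benign look-alikes a substring match would flag.
SAMPLE_EVENTS = [
    ("2025-03-04T02:11:05", "FS01", "CORP\\svc_backup",
     "C:\\Program Files\\BackupAgent\\agent.exe", "vssadmin.exe list shadows"),
    ("2025-03-04T02:14:40", "FS01", "CORP\\jdoe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fast.exe",
     "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /all /quiet"),
    ("2025-03-04T02:14:52", "FS01", "CORP\\jdoe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fast.exe", "wmic  shadowcopy delete"),
    ("2025-03-04T02:15:10", "FS01", "CORP\\jdoe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fast.exe",
     "netsh advfirewall set currentprofile state off"),
    ("2025-03-04T09:30:00", "WS07", "CORP\\helpdesk",
     "C:\\Windows\\System32\\cmd.exe", "bcdedit /set {default} recoveryenabled no"),
    ("2025-03-04T09:31:00", "DC01", "CORP\\admin",
     "C:\\Windows\\System32\\cmd.exe", "vssadmin create shadow /for=C:"),
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info["verdict"], info["rules"])
```

In a real deployment the parent image is the second signal worth keeping: shadow-copy deletion from a binary in a user's Temp directory, as on FS01 above, is a different conversation from the same command issued by a signed backup agent.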

8Base attack vectors

Attack vector                 | % of 8Base incidents | Notes
------------------------------|----------------------|---------------------------------------------------------
Phishing emails               | 45–50%               | Primary initial access method with malicious attachments
SmokeLoader delivery          | 20–25%               | Used for obfuscation, unpacking, and payload loading
SystemBC compromise           | 15–20%               | Proxy and RAT tool associated with 8Base domains
Initial Access Brokers (IABs) | 10–15%               | Purchased access to pre-compromised networks
Exploited vulnerabilities     | 5–10%                | Targeting unpatched systems and weak RDP
Case outcomes

8Base positions itself as “penetration testers” but operates as a financially motivated double-extortion gang. Despite their claims, they’re cybercriminals who profit from victims.

Most 8Base attacks target small and medium businesses that lack robust security infrastructure. The gang uses a name-and-shame tactic on their leak site, claiming to target organizations that “neglected the privacy and importance of data.” In reality, they’re opportunistic attackers seeking easy targets.

In February 2025, Operation PHOBOS AETOR resulted in the arrest of four individuals leading the 8Base ransomware group and the seizure of their dark web negotiation and data leak sites. This international law enforcement action involved authorities from Belgium, USA, UK, Spain, Thailand, Singapore, Romania, and others. However, affiliate operations may continue despite the disruption.

8Base uses the Phobos ransomware version 2.9.1 as their encryption tool. Decryptors may work for some variants, but success is not guaranteed. Data recovery failures are common when backups were destroyed or encrypted during the attack.

How to remove 8Base ransomware?

Note: Attempting to remove 8Base ransomware and self-remedy may lead to greater data loss.

To remove 8Base ransomware, immediately engage 8Base ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall), but leave them powered on. Shutting down or rebooting destroys volatile evidence such as running processes, open network connections, and anything still held in memory that a forensic examiner would otherwise capture first.

Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, and any tampering with event logs. Check for persistence mechanisms in startup folders and registry run keys. After mapping the intrusion, reimage all infected devices using clean, verified system images.

Finally, rely on 8Base ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials, and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.

How to recover from 8Base ransomware?

To recover from 8Base ransomware, follow these essential steps:

Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware or backdoors.
Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment before full deployment.
Perform a thorough post-incident review to map the attack chain and identify root causes, then harden or rotate all credentials (especially admin/service accounts and any credentials stolen via Mimikatz or LaZagne) to eliminate any leftover access points.
Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, remove any persistence mechanisms, and help update your incident-response and business-continuity plans.
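As an added example of the backup validation step above (illustrative code, not UnderDefense's or any backup vendor's tooling), the script below checks a restore candidate against a sha256sum-style manifest taken before the incident and refuses any set that is short, altered, or carrying encrypted files or ransom notes. The backup tree, its manifest, and the simulated tampering are constructed in a temporary directory; the manifest format (`<hex digest>  <relative path>` per line) is an assumption chosen because `sha256sum` produces it.

```python
"""Validate a restore candidate against an offline sha256 manifest.

Added example, not UnderDefense's own tooling. Manifest lines use the
sha256sum layout '<hex digest>  <relative path>' (an assumption); the
backup tree and the tampering below are constructed in a temp directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Artifacts that mean the backup was taken during or after encryption.
RANSOM_NOTES = {"info.txt", "info.hta"}
KNOWN_EXTENSIONS = {"8base", "eight", "phobos", "elbie", "faust", "lizard"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB backup archives don't land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map relative path -> expected digest; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest.lower()
    return entries


def looks_encrypted(name: str) -> bool:
    """Phobos-style names end in a known extension after an .id[...] bracket."""
    return name.rsplit(".", 1)[-1].lower() in KNOWN_EXTENSIONS and ".id[" in name


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the manifest. A set is restorable only
    if every listed file is present with its pre-incident hash and nothing in
    the tree looks like ransomware output."""
    present = {
        str(p.relative_to(root)).replace(os.sep, "/"): p
        for p in root.rglob("*") if p.is_file()
    }
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": [], "tainted": []}
    for rel, expected in manifest.items():
        p = present.get(rel)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    for rel, p in present.items():
        if rel not in manifest:
            report["unlisted"].append(rel)
        if p.name.lower() in RANSOM_NOTES or looks_encrypted(p.name):
            report["tainted"].append(rel)
    for key in ("ok", "mismatch", "missing", "unlisted", "tainted"):
        report[key].sort()
    report["restorable"] = not (report["mismatch"] or report["missing"] or report["tainted"])
    return report


def build_sample_set() -> tuple:
    """Construct a tiny backup tree, record its manifest, then simulate the
    damage an attacker does to a backup share that was still reachable."""
    root = Path(tempfile.mkdtemp(prefix="restore-candidate-"))
    files = {
        "db/customers.csv": b"id,name\n1,Acme\n",
        "docs/policy.docx": b"PK\x03\x04constructed-docx",
        "docs/budget.xlsx": b"PK\x03\x04constructed-xlsx",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    manifest_text = "\n".join(
        f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()
    )
    # Post-manifest tampering: one file overwritten in place, one renamed
    # with a Phobos-style suffix, and a ransom note dropped alongside.
    (root / "docs/policy.docx").write_bytes(b"\x00ciphertext")
    (root / "docs/budget.xlsx").rename(
        root / "docs/budget.xlsx.id[1A2B3C4D-3351].[contact@example.invalid].8base"
    )
    (root / "docs/info.txt").write_text("!!! All your files have been encrypted !!!\n")
    return root, manifest_text


if __name__ == "__main__":
    root, manifest_text = build_sample_set()
    result = verify_backup(root, parse_manifest(manifest_text))
    for key, value in result.items():
        print(f"{key:>10}: {value}")
```

The manifest only proves anything if it was written before the intrusion and stored somewhere the attackers could not reach (offline media or an immutable bucket); a manifest generated from the backup after the fact will happily match the encrypted copies.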

Ransom amounts

8Base ransom demands vary significantly based on the size of the victim organization and the amount of data stolen. Unlike some ransomware groups, 8Base primarily targets small and medium businesses, which affects their pricing strategy. Ransoms are typically demanded in Bitcoin or other cryptocurrencies.

Because 8Base conducts double-extortion attacks, victims face two simultaneous financial threats:

The ransom payment itself
The cost of leaked, stolen, or destroyed data and reputational damage

Organizations should never attempt ransom negotiation alone — 8Base operators are financially motivated despite their “penetration tester” branding, and they will publish stolen data on their leak site if negotiations stall or fail.

Average ransom demands:

Small business: $50,000 – $200,000
Medium business: $200,000 – $800,000
Large enterprise: $1,000,000+

*Note: Following Operation PHOBOS AETOR in February 2025, the 8Base infrastructure was disrupted and key operators arrested. However, affiliate operations may continue under different branding or through remaining network members.


Frequently asked questions

What is 8Base ransomware?

8Base is a highly active Ransomware-as-a-Service (RaaS) operation that emerged in March 2022 and surged to prominence in mid-2023. The group deploys Phobos ransomware variants to breach networks, steal sensitive data, and rapidly encrypt systems using AES-256 and RSA-1024 encryption. 8Base combines file encryption with double-extortion tactics, threatening to publish stolen data on their dark-web leak site to pressure victims into paying ransoms ranging from $50,000 to several million dollars.

Where is the 8Base ransomware gang located?

The 8Base ransomware group operates as a decentralized RaaS collective run by Russian-speaking actors. In February 2025, a coordinated international law enforcement operation led to the arrest of four Russian nationals—two men and two women—who were the suspected leaders of 8Base. They were apprehended in Phuket, Thailand, as part of Operation Phobos Aetor, which also resulted in the seizure of the group’s dark-web leak and negotiation sites.

How does 8Base ransomware work?

8Base ransomware typically infiltrates through compromised SSL VPNs, vulnerable RDP endpoints, or phishing campaigns, or through access bought from Initial Access Brokers (IABs). Once inside, attackers establish persistence, steal credentials, and map the network. They exfiltrate sensitive data using tools like Rclone or WinSCP, disable security defenses and shadow copies, then rapidly encrypt files with AES-256 and RSA-1024 encryption, appending custom extensions. Finally, ransom notes are dropped across the system, and stolen data is threatened for publication on 8Base’s leak site.

How long do 8Base ransomware attacks last?

8Base’s encryption phase is alarmingly fast—small networks can be fully encrypted in under an hour, while larger environments may be locked down within hours. However, the attack typically begins days or weeks earlier: attackers spend 5–21+ days inside the network undetected, quietly stealing data, disabling backups and EDR tools, and preparing for rapid, simultaneous encryption across all systems to maximize impact and pressure victims.

Where can I find an 8Base victims list?

There is no official public list of 8Base victims, but confirmed cases were historically published on 8Base’s dark-web leak site before it was seized by law enforcement in February 2025. Security teams typically monitor threat intelligence feeds, DFIR reports, and cybersecurity platforms that track ransomware disclosures to stay updated on newly named victims and emerging attack patterns associated with 8Base and similar groups.

Can 8Base ransomware be deleted?

You can remove the 8Base malware itself, but that does nothing to decrypt files or undo the data theft. The free Phobos/8Base decryptor released by Japanese authorities in 2025 only works for some variants, and the threat actors often leave backdoors behind, so proper recovery requires professional incident response, full environment cleanup, credential rotation, and restoration from uncompromised backups. Simply deleting the ransomware executable leaves your data encrypted and your network vulnerable to reinfection.

What happens when you get 8Base ransomware?

8Base attackers typically infiltrate your network days or weeks before encryption, quietly stealing data, disabling backups and EDR tools, and spreading laterally through key servers. When the ransomware detonates, files across your Windows systems are rapidly encrypted with custom extensions, shadow copies are wiped, and ransom notes appear in every directory. Soon after, stolen data is threatened or published on the gang’s dark-web leak site to pressure victims into paying.

How can ransomware be prevented?

Ransomware is best prevented through layered security: patching critical vulnerabilities within 48 hours, enforcing phishing-resistant MFA on all accounts including VPN and RDP, deploying EDR + SIEM with 24/7 monitoring, segmenting networks to limit lateral movement, hardening identity and admin access, securing email gateways, and protecting backups with immutability and MFA-controlled access so attackers cannot tamper with them. Employee training and continuous threat-hunting further reduce risk.

What is a ransomware prevention checklist?

Here’s a ransomware prevention checklist that will help your organization to block, detect, and contain attacks:

Patch critical vulnerabilities within 48 hours
Use MFA for all accounts, especially VPN and RDP
Deploy EDR on all endpoints
Centralize logs into your SIEM
24/7 monitoring for lateral movement
Disable unused RDP and enforce VPN access controls
Apply network segmentation and restrict admin privileges
Harden backup servers and enforce immutability
Run phishing simulations and security awareness training
Perform regular IR tabletop exercises