Sky ECC encrypted service distributors arrested in Spain, Netherlands - Related to phobos, suspects,, ransomware, 8base, spain,

Cyberattack disrupts Lee newspapers' operations across the US

Lee Enterprises, one of the largest newspaper groups in the United States, says a cyberattack that hit its systems caused an outage last week and impacted its operations.

In a Friday filing with the [website] Securities and Exchange Commission (SEC), the organization mentioned the February 3 cyberattack was behind the outage that impacted its business operations.

"On February 3, 2025, the organization experienced a technology outage due to a cyber incident affecting certain business applications, resulting in an operational disruption," Lee Enterprises revealed.

"We are now focused on determining what information – if any – may have been affected by the situation," a Lee Enterprises spokesperson told BleepingComputer.

"We are working to complete this investigation as quickly and thoroughly as possible, but these types of investigations are complex and time-consuming, with many taking several weeks or longer to complete. We have notified law enforcement of the situation."

Lee Enterprises newsrooms have reported that the cyberattack forced the business to shut down many of its networks, disrupting the printing and delivery of dozens of newspapers.

BleepingComputer has also learned that the resulting outage has caused chaos across the newspaper group, with VPNs used to connect securely to the network not working and reporters and editors unable to access their files.

Since the attack, multiple Lee Enterprises publications have displayed banners at the top of their websites that read, "We are currently undergoing maintenance on some services, which may temporarily affect access to subscription accounts and the E-edition. We apologize for any inconvenience and appreciate your patience as we work to resolve the issues."

Wisconsin State Journal maintenance banner (BleepingComputer).

"We cannot speculate on details that remain under investigation, and we will not be able to share information that could compromise our investigation or any investigation by law enforcement," BleepingComputer was also told.

The local news provider publishes 77 daily newspapers and 350 weekly and specialty publications in 26 states. Its newspapers have a daily circulation of over [website] million, and digital editions reach more than 44 million unique visitors.

Its portfolio includes the Buffalo News in New York, the Richmond Times-Dispatch in Virginia, the Arizona Daily Star, the Omaha World-Herald in Nebraska, the Press of Atlantic City, the St. Louis Post-Dispatch in Missouri, the Casper Star-Tribune in Wyoming, and dozens of other media outlets.

Lee Enterprises was hit by another cyberattack five years ago, before the 2020 [website] presidential election, when Iranian hackers breached its network as part of a broader campaign to spread disinformation.

Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulat......

Today, an Alabama man pleaded guilty to hijacking the [website] Securities and Exchange Commission (SEC) account on X in a January 2024 SIM swapping attack......

Apple has released emergency security updates to patch a zero-day vulnerability that the firm says was exploited in targeted and.

Police arrests 4 Phobos ransomware suspects, seizes 8Base sites

A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base’s dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.

The arrested individuals, two men and two women, are Europeans who reportedly extorted $16,000,000 worth of Bitcoin from their victims over the years.

The police operation, codenamed "Phobos Aetor," led to coordinated raids across four locations, where laptops, smartphones, and cryptocurrency wallets were seized for forensic analysis.

The arrests were made at the request of the Swiss authorities, who have asked the Thai government to extradite the suspects.

, the four hackers are stated to have conducted ransomware attacks against at least 17 Swiss companies between April 2023 and October 2024.

During the attacks, the threat actors breached corporate networks to steal data and encrypt files. The threat actors then demanded payments in cryptocurrency to provide the decryption keys and prevent the public release of data.

The ransom payments were laundered on cryptocurrency mixing platforms, making it harder for law enforcement to track their final wallet.

Today, the dark web sites for the 8Base ransomware operation were also seized in what appears to be the same operation.

The 8Base ransomware gang's negotiation and data leak sites now show a seizure message stating, "THIS HIDDEN SITE HAS BEEN SEIZED. This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg."

The seizure message also indicates that "Operation Phobos Aetor" involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom.

When asked about the legitimacy of the seizure message, Europol told BleepingComputer, "Europol is supporting an international operation against a ransomware group."

The United Kingdom National Crime Agency (NCA) also confirmed to BleepingComputer they played a supportive role on the operation.

BleepingComputer has confirmed that both the 8Base operation's data leak and negotiation sites were seized as part of the global law enforcement operation.

8Base is a ransomware group that launched in March 2022, staying relatively quiet until June 2023, when it suddenly began leaking data for many victims.

Describing themselves as simple "pentesters," the ransomware gang's activities and sophistication indicated that they were possibly a rebrand of another operation or comprised of experienced hackers.

VMware reported that the gang shares many similarities with RansomHouse, including the style of the ransom notes and the data leak site, but it has not been confirmed they are the same group.

Like other ransomware operations, 8Base would breach corporate networks and quietly spread laterally through devices while stealing corporate data. When they gained access to the domain controller, the threat actors would encrypt devices using the Phobos ransomware encryptor.

When encrypting files, the ransomware appends either the .8base or .eight extension to encrypted files.

During this process, ransom notes are created that demand a ransom payment ranging between hundreds of thousands of dollars to millions in return for a decryption key and the promise to delete and not publish stolen data.

In 2023, the United States Department of Health and Human Services warned that the 8Base operators were targeting organizations worldwide, including those in the healthcare sector.

"'s attacks, 8Base mostly targets SMB companies based in the United States, Brazil, and the United Kingdom. Other affected countries include Australia, Germany, Canada, and China, amongst others. Notably, no ex-Soviet or CIS countries have been targeted," explains the HHS bulletin.

"While no known correlation to Russia or other Russian-speaking RaaS groups or affiliates exists, this geographic exclusionary pattern is a hallmark for many Russian-speaking threat actors."

Some high-profile victims of the ransomware gang include Nidec Corporation, a Japanese tech giant with a revenue of $11 billion, and the United Nations Development Programme (UNDP).

Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulat......

Apple has released emergency security updates to patch a zero-day vulnerability that the organization says was exploited in targeted and.

Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce website......

Sky ECC encrypted service distributors arrested in Spain, Netherlands

Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, were arrested in Spain and the Netherlands.

, the two suspects arrested in the country were the leading global distributors of the service, generating over €[website] million ($14M) in profits.

Investigation into the communications service, its sellers, and clients started back in 2019.

, the clients bought access to the service via a subscription-based scheme that cost €600 for three months.

In March 2021, Europol introduced that it had cracked Sky ECC's encryption, allowing investigators to monitor the communications of 70,000 people, revealing extensive criminal activity.

Although the service initially declined these reports and claimed cybercriminals didn't use its platform, there was a mountain of evidence proving both.

"The service [Sky ECC) was offered through mobile terminals that had the communication system inserted in order to facilitate secure communications and related to the commission of serious crimes –such as international drug trafficking, arms trafficking or money laundering, among others- with guarantees of privacy and security before possible police investigations," reads the Spanish police's research.

Today, the police in Spain presented the apprehension of two leading sellers of the Sky ECC service and the confiscation of money and key items.

The search and arrest operation took place in late January 2025 in Jávea (Alicante) and Ibiza.

During simultaneous police raids at seven locations, the authorities seized telephone terminals and electronic devices, €10,000 and $26,000 in cash, €1,400,000 worth of cryptocurrencies, two cars, and luxury items valued at over €50,000.

"With the progress of the investigation, the police agents verified that the two most significant distributors of the service worldwide resided in Spain," reads the announcement.

"These were in charge of the traffic of Sky devices, SIM cards, and Sky software, as well as the collection and sending of subscription fees."

The police in the Netherlands reported on January 31, 2025, that they arrested two men in Amsterdam and Arnhem. The two were high-ranking sellers of the service, reportedly having direct contact with the platform's CEO for years.

The Dutch suspects are believed to have handled roughly 25% of all Sky ECC subscriptions, generating €[website] million in profit.

As the investigations were led by the Netherlands' National Prosecutor's Office, the two men arrested in Spain are expected to be extradited to the Netherlands to face prosecution.

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in......

Apple has released emergency security updates to patch a zero-day vulnerability that the business says was exploited in targeted and.

Admins, die die Asset-Managementsoftware Trimble Cityworks verwalten, müssen ihre Systeme durch die Installation eines Sicherheitsupdates vor laufende......