8Base Ransomware Group On The Rise, Lists a Number of Victims

Vladimir Krasnogolovy
5 Min Read
8Base criminal gang

In June of this year, a new wave of cyber-attacks and extortion operations, organized by the criminal group 8Base, swept the world. Hackers use a double extortion method: they infect victims’ computers with a ransomware virus that blocks access to data, and then demand a ransom for their restoration. If the victim refuses to pay, the hackers threaten to publish the stolen information on their dark web leak site.

A new rising threat

The 8Base group appeared in March 2022, but until June 2023 carried out few and insignificant attacks. However, this summer their activity increased dramatically, and they began to attack many companies in various industries. So far, 8Base has reported 35 victims on its site, sometimes announcing up to six new victims in a single day. The hackers call themselves “honest and simple pentesters” and offer companies “the most loyal conditions” for the return of their data. Though, that’s not something particularly new – LockBit tries to hold the same image.

8Base activity chart

About 8Base Ransomware

According to VMWare researchers from the Carbon Black team, 8Base’s attack tactics indicate that they are a rebranded version of another well-known ransomware gang, quite possibly RansomHouse.

8base vs RansomHouse
Identical FAQ pages (RansomHouse on the left, 8Base on the right)

RansomHouse is a ransomware group that claims not to carry out encryption attacks, but only cooperates with other ransomware operations to sell their data. VMware suspects that 8Base is a fork of RansomHouse. Such conclusions were drawn due to the same ransom notes used by both groups, as well as the very similar style and content of the text on the respective data breach sites, where even the FAQ pages appear to be copied.

8base ransomware onionsite
Darknet Leak site of 8base ransomware group

However, there is no reliable confirmation of the connection between 8Base and RansomHouse. It is not uncommon for cybercriminal gangs to simply copy ransom notes, software, methods and tactics. It helps hackers to save time and effort, and is especially probable if they invite someone from another ransomware group.

Ransomware analysis

8Base attacks use a modified version of Phobos v2.9.1 ransomware, which is loaded via SmokeLoader. Phobos is a Windows-targeting ransomware that first hit cyberspace in 2019, and it also shares many similarities with another ransomware code, Dharma.

During the attack, the virus, launched by 8Base operators, adds the extension of the same name “.8base” to all encrypted files. Ransomware expert Michael Gillespie reported that the Phobos ransomware also used a similar “.eight” extension for encrypted files. In addition, both programs, Phobos and 8Base, use the same email address to contact the attackers – “helpermail@onionmail[.]org”, which also leads to some thoughts about the connection of these malicious operations.

Another notable finding by VMware analysts is that 8Base uses the “admlogs25[.]xyz” domain to host a payload that is associated with SystemBC, a malicious proxy software used by several ransomware groups to obfuscate C2 infrastructure. All of these findings by researchers show that 8Base operators have been carrying out encryption attacks for at least a year, but only recently gained attention after launching their data breach site and a surge in activity. 8Base is just beginning to get the attention of analysts, so many aspects of their technical nature remain unknown or unclear.

Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware – either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses.VMware experts in the report.

8Base Ransomware Group On The Rise, Lists a Number of Victims

TAGGED:
Share This Article
Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
2 Comments

AI Assistant

Hello! 👋 How can I help you today?