All About That 8Base Ransomware Group: The Details
First Published Nov 6th 2023
Updated May 9th 2024
Last seen this month, 8Base is a ransomware collective that began operating in April 2022. Despite its relatively short time in the cyber landscape, the group has swiftly garnered a reputation for its forceful strategies and the substantial volume of victims it has affected. Its primary focus is on small and medium-sized businesses (SMBs) across diverse sectors such as business services, retail, finance, manufacturing, and information technology.
Drawing on its leak site, public profiles, and communication patterns, researchers have discerned a distinct linguistic resemblance between the group and RansomHouse. The latter is known for procuring pre-compromised data or collaborating with data leak platforms to coerce victims. As a result, there is speculation that 8Base might be an offshoot or derivative of RansomHouse.
The group’s swift ascent in activity, coupled with the considerable count of victims they’ve targeted, has positioned them as a notable force within the realm of ransomware. Their heightened level of engagement has been especially prominent in recent months, marked by a substantial surge in their operations. This surge has propelled them into the ranks of top-performing ransomware groups, underscoring the magnitude of the menace they represent.
Victimology of 8Base Ransomware
Most of the companies attacked by the group operate in the Professional Services industry, such as Accounting, Law and Legal Services, and Business Services. Apart from Professional Services, companies in the Retail, Manufacturing, Construction, Finance and Insurance, and Healthcare industries also seem to be affected to a great extent.
Based on the group's attacks, it has mostly targeted companies based in the United States (120 attacks to date), Germany (4 attacks to date), Brazil (14 attacks to date) and the United Kingdom (13 attacks to date).
Some of the recent victims attacked by 8Base:
- Calumet Civil Contractors
- Mikrona Technologies
- The Line Up
- Lumina Americas
- The Tech Museum
- Speedy France
- Bieler+Lang
A Recent Diversity in Geographies
Over the past month 8Base has hit France, Italy, Germany, Argentina, Switzerland and Australia, in addition to their usual target of the USA. Could this be indicative of a diversification of geographic targets? Cyberint will be monitoring the situation closely.
8Base Malware, Tools & TTPs
8Base has gained recognition for its utilization of double-extortion strategies. This approach involves leveraging the threat of disclosing encrypted files unless the ransom is met, with the intent of causing embarrassment to the victim by revealing sensitive or confidential data that could adversely impact their image or standing. The adoption of the “double-extortion” technique has grown progressively prevalent among ransomware groups, as it introduces an extra dimension of coercion to compel victims into ransom payment.
The propagation of the 8Base ransomware is believed to occur through:
- Phishing emails
- Exploit kits
8Base employs several ransomware variants, one of which has been identified as Phobos. The group has tailored Phobos to its purposes by affixing ‘.8base’ to the encrypted files. Notably, the appended segment otherwise remains consistent with Phobos: it still comprises an ID section, an email address, and the file extension, so the overall format is unchanged.
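The naming convention described above can be used to triage file-rename telemetry during detection or incident response. The following is an added example, not code from the original article or from Cyberint; it assumes the layout `<original name>.id[<ID>].[<email>].8base`, which the article does not spell out, and every path, ID and address in the sample is constructed.

```python
import re
from collections import Counter

# Assumed layout: <original name>.id[<ID>].[<email>].8base
RENAMED = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]\.8base$",
    re.IGNORECASE,
)

def split_path(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    directory, _, name = path.replace("\\", "/").rpartition("/")
    return directory, name

def parse_renamed(path):
    """Return original name, ID section and email, or None if the name does not match."""
    match = RENAMED.match(split_path(path)[1])
    return match.groupdict() if match else None

def summarize(paths, threshold=3):
    """Tally matches per directory; flag directories with >= threshold matches."""
    per_dir, contacts, extension_only = Counter(), set(), []
    for path in paths:
        parts = parse_renamed(path)
        if parts:
            per_dir[split_path(path)[0]] += 1
            contacts.add(parts["email"].lower())
        elif path.lower().endswith(".8base"):
            extension_only.append(path)  # suffix present, ID/email segment missing
    return {
        "flagged": sorted(d for d, n in per_dir.items() if n >= threshold),
        "contacts": sorted(contacts),
        "extension_only": extension_only,
    }

# Constructed sample telemetry (file-rename events); all values are made up.
SAMPLE = [
    r"C:\Shares\Finance\q3.xlsx.id[1A2B3C4D-0001].[contact@example.com].8base",
    r"C:\Shares\Finance\payroll.csv.id[1A2B3C4D-0001].[contact@example.com].8base",
    r"C:\Shares\Finance\audit.pdf.id[1A2B3C4D-0001].[Contact@example.com].8base",
    r"C:\Shares\HR\policy.docx",
    "/srv/lab/notes.8base",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Files that carry only the `.8base` suffix are reported separately, since they lack the ID and email segment and may be unrelated to this naming scheme.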
8Base Origins & Affiliates
The origins of 8Base remain elusive.
8Base Community
8Base communicates through several channels. From its data leak site (DLS, hosted on an onion address), it directs visitors to follow its Twitter page and its official Telegram group.