- Table of contents
All About That 8Base Ransomware Group: The Details
Last seen on November 2nd, 8Base is a ransomware collective that initiated its operations in April 2022. Despite its relatively short time in the cyber landscape, the group has swiftly garnered a reputation for its forceful strategies and the substantial volume of victims it has affected. Its primary focus centers on small and medium-sized businesses (SMBs) across diverse sectors such as business services, retail, finance, manufacturing, and information technology.
Nevertheless, drawing insights from its leak site, public profiles, and communication patterns, researchers have discerned a distinct linguistic resemblance between the group and RansomHouse. The latter is known for procuring pre-compromised data or collaborating with data leak platforms to coerce victims. As a result, there’s speculation that 8Base might potentially be an offshoot or derivative of the RansomHouse entity.
The group’s swift ascent in activity, coupled with the considerable count of victims they’ve targeted, has positioned them as a notable force within the realm of ransomware. Their heightened level of engagement has been especially prominent in recent months, marked by a substantial surge in their operations. This surge has propelled them into the ranks of top-performing ransomware groups, underscoring the magnitude of the menace they represent.
Victimology of 8Base Ransomware
When looking at the companies attacked by the group, most of them are companies that operate under the Professional Services industry such as Accounting, Law and Legal Services, Business Services etc. Apart from Professional Services, companies operating in the fields of Retail, Manufacturing, Construction, Finance and Insurance, and Healthcare industries also seem to be affected to a great extent.
According to the group’s attacks, they mostly targeted companies based in the United States (77 attacks to date), Brazil (14 attacks to date) and the United Kingdom (13 attacks to date).
Some of recent victims attacked by 8BASE:
- ToyotaLift Northeast
- ANS Group
- Aspect Structural Engineers
- Stockdale Podiatry Group
8Base Malware, Tools & TTPs
8Base has gained recognition for its utilization of double-extortion strategies. This approach involves leveraging the threat of disclosing encrypted files unless the ransom is met, with the intent of causing embarrassment to the victim by revealing sensitive or confidential data that could adversely impact their image or standing. The adoption of the “double-extortion” technique has grown progressively prevalent among ransomware groups, as it introduces an extra dimension of coercion to compel victims into ransom payment.
The propagation of the 8Base ransomware is believed to occur through:
- Phishing emails
- Exploit kits
Within its arsenal of ransomware strains, 8Base employs several variants, with one being identified as Phobos. The group has tailored Phobos to its purposes by affixing ‘.8base’ to the encrypted files. Notably, while the appended segment remains consistent with Phobos, encompassing an ID section, an email address, and the file extension, the entire format remains unchanged.
8Base Origins & Affiliates
The origins of 8Base remain elusive.
8Base has different channels they communicate from. From their DLS site (onion), they navigate their users to follow their Twitter page, and Telegram official group.
Learn About Cyberint Threat Intelligence
To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.