The 8Base ransomware gang has emerged as a significant threat, targeting organizations globally with double-extortion attacks since the beginning of June. While the group initially operated quietly with few notable attacks since March 2022, their activity has surged in recent months. Various companies across different industries have been targeted, and the gang has employed double extortion tactics, demanding ransom payments and threatening to leak stolen data.
The 8Base gang has established a dark web extortion site where they list their victims. Since its launch in May 2023, the gang has added 35 victims to the site, with some days witnessing the announcement of up to six victims at once. This marks a considerable increase compared to their earlier activity, where only a handful of victims were listed.
The gang presents themselves as “honest and simple” pentesters, claiming to offer companies favorable conditions for data recovery. Their data leak site emphasizes the negligence of targeted companies regarding the privacy and importance of employee and customer data.
According to a report by VMware’s Carbon Black team, the tactics employed by 8Base indicate a possible rebranding of the well-established ransomware group RansomHouse. While RansomHouse claims to focus solely on data sales without engaging in encryption attacks, there have been instances where threat actors associated with RansomHouse have utilized ransomware in their operations, such as White Rabbit or MARIO, which has links to the cybercrime group FIN8.
The similarities between 8Base and RansomHouse are evident in their ransom notes and leak site content, with even the FAQ pages appearing to be copy-pasted. However, it remains unclear whether 8Base is an offshoot of RansomHouse or another ransomware group imitating their established techniques. Such replication among threat actors is not uncommon.
From a technical perspective, 8Base utilizes a modified version of the Phobos v2.9.1 ransomware, which is distributed via SmokeLoader. Phobos, an Ransomware-as-a-Service (RaaS) operation that emerged in 2019, shares code similarities with the Dharma ransomware. The encrypted files in recent 8Base attacks bear the .8base extension, although previous submissions to ID Ransomware using Phobos also featured the .eight extension.
Further investigation by VMware’s analysts revealed that 8Base employs the domain “admlogs25[.]xyz” for hosting their payloads, which is linked to SystemBC, a proxy malware utilized by multiple ransomware groups for command-and-control obfuscation.
While 8Base is gaining attention from analysts, many aspects of its technical capabilities and operations remain unknown. It is evident that the group has been conducting encryption attacks for at least a year, but their recent establishment of a data leak site has brought them into the spotlight.
“Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos Ransomware. At present, 8Base remains one of the top active ransomware groups this summer (2023)”, they summarize