A 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June.
The ransomware gang first appeared in March 2022, staying relatively quiet with few notable attacks.
However, in June 2023, the ransomware operation saw a spike in activity, targeting many companies in various industries and performing double extortion.
So far 8Base has listed 35 victims on its dark web extortion site, with some days announcing up to six victims at once.
This is a notable increase compared to March and April, when the group listed only a handful of victims, as shown in the graph below.
The gang’s data leak site launched in May 2023, with the extortion gang claiming to be “honest and simple” pentesters.
“We are honest and simple pentesters. We offer companies the most loyal conditions for the return of their data,” reads their data leak site.
“This list contains only those companies that have neglected the privacy and importance of the data of their employees and customers.”
Links to other ransomware groups
In a new report by VMware’s Carbon Black team, the tactics seen in recent 8Base attacks point to them being a rebrand of a well-established ransomware organization, potentially RansomHouse.
RansomHouse is an extortion group that claims not to conduct encryption attacks but instead partners with ransomware operations to sell their data. However, BleepingComputer is aware of the threat actors utilizing ransomware in attacks, such as White Rabbit or MARIO, which has also been linked to the cybercrime group FIN8.
VMware suspects 8Base is an offshoot of RansomHouse based on the identical ransom notes used by the two groups and the very similar language and content seen in respective leak sites, where even the FAQ pages appear to have been copy-pasted.
However, there is not enough evidence to determine if 8Base was spawned by RansomHouse members or simply another ransomware operation copying an established group’s templates, which is not uncommon to see among threat actors.
From a technical perspective, 8Base uses a customized version of the Phobos v2.9.1 ransomware, which is loaded via SmokeLoader.
Phobos is a Windows-targeting RaaS operation that first appeared in 2019 and shares many code similarities with the Dharma ransomware operation.
When encrypting files, the ransomware will append the .8base extension in recent attacks. However, ransomware expert Michael Gillespie told BleepingComputer that Phobos ransomware submissions on ID Ransomware also used the .eight extension in older attacks.
BleepingComputer found that in both the newer attacks that append the .8base extension and the older .eight extension attacks, the same “[email protected]” contact email address was used as far back as June 2022.
Another notable finding by VMware’s analysts is that 8Base uses the “admlogs25[.]xyz” domain for payload hosting, which is associated with SystemBC, a proxy malware used by several ransomware groups use for C2 obfuscation.
These findings show that the 8Base operators have been conducting encryption attacks for at least a year but only recently making a name for themselves after launching their data leak site.
8Base is only now starting to get attention from analysts, so many aspects of its technical nature remain unknown or unclear.
VMware’s report contains indicators of compromise (IoCs) that defenders can use to protect their systems from this rising threat.