8Base Ransomware

Chris Swagler | July 5th, 2023

Since the beginning of June, the 8Base ransomware group has been targeting companies worldwide in double-extortion operations, with a continuous stream of new victims. The group first appeared in March 2022 and kept a low profile with only a few significant strikes. In June 2023, however, the operation saw a surge of activity, hitting numerous companies across multiple industries using double extortion. 8Base currently lists 35 victims on its dark web extortion site, and on some days it has declared up to six victims at once. This is a significant increase from March and April, when the group named only a few victims. The extortion group launched its data leak site in May 2023, describing itself as “honest and simple” pen-testers. The site states that these pen testers are honest and straightforward and offer companies the most loyal conditions for the return of their data, and it claims the list includes only companies that have ignored the privacy and importance of their employees’ and customers’ data.

The Tactics of New 8Base Ransomware Group

According to a new report from a cybersecurity team, the tactics used in recent 8Base ransomware attacks indicate that the group could be a rebrand of a well-known ransomware group, possibly RansomHouse. RansomHouse is an extortion group that says it doesn’t carry out encryption attacks but instead collaborates with ransomware operations to sell the data. The threat actors have used ransomware including White Rabbit and MARIO in attacks, both of which have been linked to the cybercrime group FIN8. 8Base is suspected to be an offshoot of RansomHouse because the two groups use the same ransom notes and their respective leak sites show very similar language and content, with FAQ pages that appear to have been copy-pasted. However, there is insufficient information to tell whether 8Base was created by RansomHouse members or by another ransomware operation cloning an established group’s blueprints, which is common among threat actors. Technically, 8Base employs a modified version of the Phobos v2.9.1 ransomware, which is loaded using SmokeLoader.

First appearing in 2019, Phobos is a RaaS operation targeting Windows that shares numerous code similarities with the Dharma ransomware operation. In recent operations, the ransomware appends the .8base extension when encrypting files. However, a ransomware researcher explained that Phobos ransomware submissions on ID Ransomware also used the .eight extension in prior operations. The same helpermail@onionmail.org contact email address was found to have been used in June 2022 both in newer attacks that append the .8base extension and in older .eight extension attacks. Another interesting discovery is that 8Base hosts payloads on the admlogs25[.]XYZ domain, which is related to SystemBC, a proxy malware utilized by various ransomware groups for C2 obfuscation. According to these findings, the 8Base ransomware operators have been executing encryption attacks for at least a year but have only lately made a name for themselves after creating their data leak site. Because 8Base is only now gaining analysts’ attention, many aspects of its tooling and infrastructure remain unknown or ambiguous. The report includes indicators of compromise (IoCs) that defenders can use to protect their systems against this growing threat.
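The indicators mentioned above (the .8base and .eight extensions, the helpermail@onionmail.org contact address, and the admlogs25[.]XYZ payload domain) are the kind of thing a defender would load into a hunting query. The following Python example is added here to show how such a check can be written; it is not code from the post or from the report it summarizes. All hostnames, file paths, DNS queries and note text in it are constructed sample telemetry, and the event format (type/host/value records) is an assumption for the example.

```python
"""Match constructed endpoint telemetry against the 8Base indicators named above.

Indicator values are the ones the post itself mentions; every event below is
constructed for the example and is not real telemetry."""
from dataclasses import dataclass
from typing import Optional

# Indicators quoted in the post; the domain stays in its defanged form here.
ENCRYPTED_EXTENSIONS = (".8base", ".eight")
RANSOM_NOTE_EMAILS = ("helpermail@onionmail.org",)
DEFANGED_PAYLOAD_DOMAINS = ("admlogs25[.]XYZ",)


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') and lower-case for comparison."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


PAYLOAD_DOMAINS = tuple(refang(d) for d in DEFANGED_PAYLOAD_DOMAINS)


@dataclass(frozen=True)
class Hit:
    host: str
    indicator: str   # which IoC matched
    evidence: str    # the raw value that matched


def check_file_event(host: str, path: str) -> Optional[Hit]:
    """Flag files whose final extension is one the encryptor appends."""
    lowered = path.lower()
    for ext in ENCRYPTED_EXTENSIONS:
        if lowered.endswith(ext):
            return Hit(host, f"extension {ext}", path)
    return None


def check_dns_event(host: str, qname: str) -> Optional[Hit]:
    """Flag lookups of the payload-hosting domain or any of its subdomains."""
    name = qname.rstrip(".").lower()
    for domain in PAYLOAD_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return Hit(host, f"domain {domain}", qname)
    return None


def check_note_text(host: str, text: str) -> Optional[Hit]:
    """Flag dropped text containing the contact address seen in both campaigns."""
    lowered = text.lower()
    for email in RANSOM_NOTE_EMAILS:
        if email in lowered:
            return Hit(host, f"email {email}", email)
    return None


# Event type -> check function (the event schema is an assumption for this example).
CHECKS = {
    "file_create": check_file_event,
    "dns_query": check_dns_event,
    "note_text": check_note_text,
}


def scan(events) -> list:
    """Run every event through the check for its type; unknown types are skipped."""
    hits = []
    for event in events:
        check = CHECKS.get(event["type"])
        if check is None:
            continue
        hit = check(event["host"], event["value"])
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample telemetry (hostnames, paths and the benign note are made up).
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws-017", "value": r"C:\Users\alice\Documents\budget.xlsx.8base"},
    {"type": "file_create", "host": "ws-017", "value": r"C:\Users\alice\Documents\budget.xlsx"},
    {"type": "file_create", "host": "srv-fs01", "value": r"D:\Shares\HR\contracts.zip.EIGHT"},
    {"type": "dns_query", "host": "ws-017", "value": "cdn.admlogs25.xyz."},
    {"type": "dns_query", "host": "ws-017", "value": "update.example.com"},
    {"type": "note_text", "host": "ws-017", "value": "Write to HELPERMAIL@onionmail.org to restore your files"},
    {"type": "note_text", "host": "srv-fs01", "value": "Reminder: backups run nightly, contact it-help@example.com"},
    {"type": "process_start", "host": "ws-017", "value": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.indicator} <- {hit.evidence}")
```

Matching is case-insensitive and the domain check covers subdomains, because the exact names an operator uses in a given intrusion can vary while the registered domain and the appended extension stay constant. Running the block on the sample events produces four hits: the two renamed files, the subdomain lookup, and the note carrying the contact address.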

With the growing number of new ransomware groups appearing and using tactics such as double extortion, companies must stay aware of the latest threat landscape and regularly keep data backups at an off-site location. At SpearTip, our engineers examine companies’ security postures to identify and improve the weak points within their networks. Our team engages with their people, processes, and technologies to measure the maturity of their technical environments. Our experts provide companies with technical roadmaps for all vulnerabilities uncovered, ensuring they have the support and awareness to optimize their overall cybersecurity posture. Our ShadowSpear Platform, an integrable managed detection and response tool, exposes sophisticated unknown and advanced threats with comprehensive insights through unparalleled data normalization and visualizations. Additionally, ShadowSpear uses detection engines powered by artificial intelligence (AI) and attack tactics, techniques, and procedures (TTP) models to detect malicious activity on day one.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
