8Base ransomware group leaks data of 67 victim organizations

Lockbit 3.0 is currently the most active ransomware group, NCC Group says in its most recent Threat Pulse report, but new ransomware groups like 8Base and Akira are rising in prominence.

Collectively, the various ransomware groups revealed 436 victim organizations in May 2023 – 24% more than in April 2023 (352), and 56% more that in May 2022.

This considerable increase can be attributed, in part, to the 8Base ransomware group, which released data from 67 victims they breached between April 2022 and May 2023

About 8Base ransomware group

According to VMware Carbon Black’s Threat Analysis Unit (TAU), the group has been active since March 2022, but its activity has become more prominent now due to the significant number of data dumps released in May.

The group mainly targets small and medium size businesses (SMBs) in the business services, finance, manufacturing, and information technology sectors, and utilizes a double extortion strategy.

“The 8Base ransomware is distributed through a variety of methods, including phishing emails, drive-by downloads, and exploit kits,” ThreatMon noted in a recent report.

The most interesting thing about the group, though, is that its communication style is strikingly familiar to that used by RansomHouse, another cyber extortion group whose activites were first spotted in May 2022.

The similarities between 8Base and RansomHouse

“Based on the current available information, certain aspects of 8Base’s current operations look eerily similar to ransomware operations we have seen in the past,” VMware’s threat analysts noted.

Linguistic analysis has revealed that the ransom notes, welcome pages of leak sites, terms of service pages, and FAQ pages of the two groups share the same language and writing style.

8Base (blue) compared to RansomHouse (red) ransom notes (Source: VMware Carbon Black’s Threat Analysis Unit)

They also observed two major differences:

• RansomHouse openly advertises their partnerships and actively recruits for new ones, while 8Base does not
• The design of the leak pages differs between the two groups

“RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have their own signature ransomware as a basis for comparison,” the VMware TAU team noted.

8Base similarly uses various ransomware, and one of them is a variant of the Phobos ransomware.

“Comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader. With Phobos ransomware being available as a ransomware-as-a-service (RAAS), this is not a surprise,” they added.

“Even though 8Base added their own branding customization by appending ‘.8base’ to their encrypted files, the format of the entire appended portion was the same as Phobos which included an ID section, an email address, and then the file extension.”

“There is a lot of discussion on what exactly is RansomHouse since they try to claim they do not use ransomware, but it has been publicly reported that they use MarioLocker and White Rabbit Ransomware ransom notes,” VMware TAU told Help Net Security. “RansomHouse is still active with victims added to their leak site as recently as June 14th and 15th this year.”

So, is 8Base an offshoot of Phobos or RansomHouse? It remains to be seen, the analysts say. “The speed and efficiency of 8Base’s current operations does not indicate the start of a new group but rather signifies the continuation of a well-established mature organization.”