The 8Base ransomware operation stayed under the radar for more than a year, but recent observations show a significant escalation in its activity during May and June. 8Base has been active since at least March 2022. The operators describe themselves as "simple pentesters," denoting a modest skill level in penetration testing.

Diving into details

As of May, research conducted by Malwarebytes and NCC Group has correlated 8Base with a total of 67 attacks. 
  • Among these incidents, approximately half of the affected entities operate within the business services, manufacturing, and construction sectors. Predominantly, the targeted companies are situated in the U.S. and Brazil, signifying a geographic focus.
  • During June, the activities of the ransomware operation exhibited a significant surge. Notably, the perpetrators adopted a double extortion strategy, increasing the stakes for their victims.
  • The dark web extortion site affiliated with 8Base has thus far displayed a list of 35 identified victims. On certain days, the ransomware operators have even unveiled multiple victims simultaneously, with reported instances of up to six companies falling prey to their malicious actions.

Connections to other ransomware groups

  • VMware's Carbon Black team suggests that 8Base, based on its recent attack tactics, may be a rebranding of the well-known ransomware group RansomHouse.
  • The similarities in ransom notes and content on leak sites, including identical FAQ pages, support this hypothesis. While RansomHouse openly promotes partnerships, 8Base does not. 
  • Interestingly, VMware discovered a Phobos ransomware sample using the ".8base" file extension, suggesting 8Base could be a successor or utilizing existing ransomware strains. 

The researchers conclude that 8Base's operational efficiency indicates the continuation of a mature organization, but it remains uncertain whether it stems from Phobos or RansomHouse.

The bottom line

For now, it remains a matter of speculation whether 8Base uses multiple ransomware strains, either as earlier iterations or as an integral part of its standard modus operandi. What is well established is that the group is highly active, with a particular focus on smaller businesses.
Cyware Publisher
