8Base Ransomware Gang
8Base Ransomware Gang Escalates Double Extortion Attacks in June

In June, the 8Base ransomware gang has significantly intensified its double extortion attacks, posing a growing threat to organizations worldwide. There has been a steady stream of new victims falling prey to this malicious group. 8Base initially appears on the scene in March 2022 with relatively few notable attacks. Its recent surge in activity and adoption of double extortion tactics have raised alarm bells across various industries.

During the month of June alone, 8Base has added a staggering 35 victims to its dark web extortion site. Sometimes revealing up to six victims in a single day. This sharp increase in victims is a striking contrast to the modest numbers in March and April.

The “Honest and Simple” Approach

The gang’s data leak site came to light in May 2023. The 8Base gang presents itself as “honest and simple” pentesters. On their data leak site, they offer companies favorable conditions for the return of their data. However, their list of victims only includes those companies that have could to prioritize the privacy and security.

Connection to Other Ransomware Groups

A recent report by VMware’s Carbon Black team suggests that the tactics of 8Base in their recent attacks. This indicates a possible rebranding of a well-established ransomware organization known as RansomHouse. RansomHouse, a notorious extortion group, claims to refrain from conducting encryption attacks themselves. But instead collaborates with other ransomware operations to sell stolen data. However, it is worth noting that threat actors associated with RansomHouse have also been linked to encryption attacks. This includes those attributed to White Rabbit or MARIO, and the cybercrime group FIN8.

Based on the identical ransom notes used by both groups and the strikingly similar language and content found on their respective leak sites, VMware suspects that 8Base could be an offshoot of RansomHouse. Even the Frequently Asked Questions (FAQ) pages on their leak sites appear to have been copied verbatim. However, further evidence is must to determine whether 8Base emerged from former RansomHouse members.

Technical Insights and Attack Methods of 8Base Ransomware Gang

From a technical standpoint, 8Base employs a customized version of the Phobos v2.9.1 ransomware, which is distributed via SmokeLoader. Phobos, a ransomware-as-a-service (RaaS) operation primarily targeting Windows systems, first surfaced in 2019 and shares several code similarities with the Dharma ransomware.

In recent attacks, 8Base appends the “.8base” extension to encrypted files. However, security expert Michael Gillespie revealed that older Phobos ransomware submissions on ID Ransomware also utilized the “.eight” extension. Interestingly, the contact email address “[email protected]” has been associated with 8Base since June 2022, regardless of the extension used.

Furthermore, VMware’s analysts discovered that 8Base leverages the “admlogs25[.]xyz” domain for hosting their payloads, which is linked to SystemBC, a proxy malware used by multiple ransomware groups for command-and-control (C2) obfuscation.

Unveiling the Unknown – 8Base Ransomware Gang

As 8Base only recently started gaining attention from analysts, numerous aspects of its technical infrastructure and operations remain shrouded in mystery. VMware’s report, however, does provide indicators of compromise (IoCs) that defenders can utilize to safeguard their systems against this emerging threat.

In conclusion, the 8Base ransomware gang has rapidly escalated its activities, employing double extortion tactics and targeting organizations worldwide. The group’s affiliation with other ransomware organizations, such as RansomHouse, raises questions about its origins and motives. By leveraging customized versions of the Phobos ransomware and utilizing proxy malware, 8Base has managed to encrypt files and compromise numerous victims. As security experts continue to investigate this evolving threat, it is essential for organizations to remain vigilant and employ the provided IoCs to fortify their defenses against the 8Base ransomware gang.