According to new research from VMware, the previously little-known 8Base ransomware group has recently gained significant attention due to a surge in its activities during the summer of 2023. The group combines file encryption with "name-and-shame" tactics to coerce victims into paying ransoms. While the motives and identities behind 8Base remain elusive, the group has targeted victims across diverse industries.
Operating since March 2022, 8Base experienced a notable spike in activity in June 2023. Describing themselves as "simple pentesters," the group communicates with victims through a leak site, providing victim details, frequently asked questions (FAQs), rules sections, and various contact methods. Strikingly, their communication style closely resembles that of another known group, RansomHouse.
Among the industries targeted by 8Base are Business Services, Finance, Manufacturing, and Information Technology. The group employs communication channels such as a Telegram channel and a Twitter account to engage with their victims.
A close examination reveals intriguing similarities between 8Base and RansomHouse. Both groups use nearly identical ransom notes, and their respective leak sites feature strikingly similar language and structure. However, there are two notable distinctions: RansomHouse actively seeks partnerships and recruits allies, while 8Base does not. Additionally, 8Base appears to use different ransomware strains, including an earlier version of Phobos ransomware that appends the ".8base" extension to encrypted files.
Analysis by VMware Carbon Black's TAU and MDR-POC teams sheds light on the connection between 8Base and RansomHouse. The investigation reveals that the 8Base sample analyzed was a variant of Phobos ransomware, specifically version 2.9.1 loaded with SmokeLoader. The sample was retrieved from a domain associated with SystemBC, a proxy and remote administration tool used by other ransomware groups.
VMware Carbon Black recommends its Managed Detection and Response (MDR) solution for effective ransomware detection and prevention. By utilizing the platform's active rule set, organizations can detect and block 8Base ransomware. Proactive threat hunting, employing the provided indicators of compromise, helps organizations stay ahead of potential risks and maintain a strong security posture.
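As an added defensive illustration (not code from VMware, Carbon Black or the research above), the following Python heuristic flags a process that renames a burst of files to the ".8base" extension reported for the analysed sample; the log format, the sample events, and the threshold and window values are constructed assumptions.

```python
"""Toy hunting heuristic for the 8Base/Phobos encryption phase.
Constructed example: flags any process that touches many files carrying the
".8base" extension within a short window. Event format and thresholds are assumed.
"""
from collections import defaultdict

# Constructed file-activity log: "epoch_seconds,process,action,path".
SAMPLE_EVENTS = """\
1690000000,explorer.exe,CREATE,C:\\Users\\a\\Desktop\\notes.txt
1690000001,svchost.exe,RENAME,C:\\Users\\a\\Documents\\q1.xlsx.8base
1690000001,svchost.exe,RENAME,C:\\Users\\a\\Documents\\q2.xlsx.8base
1690000002,svchost.exe,RENAME,C:\\Users\\a\\Pictures\\img1.jpg.8base
1690000002,backup.exe,CREATE,D:\\backup\\archive.zip
1690000003,svchost.exe,RENAME,C:\\Users\\a\\Pictures\\img2.jpg.8base
1690000004,svchost.exe,RENAME,C:\\Users\\a\\Pictures\\img3.jpg.8base
1690000050,explorer.exe,RENAME,C:\\Users\\a\\Desktop\\old.txt
"""

ENCRYPTED_EXT = ".8base"   # extension the page reports for the analysed sample


def parse_events(text):
    """Parse CSV-style lines into (timestamp, process, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, path = line.split(",", 3)  # path may contain commas
        events.append((int(ts), proc, action, path))
    return events


def find_mass_encryption(events, threshold=5, window=30):
    """Return {process: peak_count} for processes that touch >= threshold
    files ending in ENCRYPTED_EXT within any window-second span."""
    per_proc = defaultdict(list)
    for ts, proc, _action, path in events:
        if path.lower().endswith(ENCRYPTED_EXT):
            per_proc[proc].append(ts)
    alerts = {}
    for proc, stamps in per_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[proc] = max(alerts.get(proc, 0), end - start + 1)
    return alerts
```

Real deployments would feed this from an EDR or Sysmon file-event stream and tune the threshold against the host's normal rename rate.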
The emergence of the 8Base ransomware group as a significant player highlights the need for robust protection against ransomware attacks, particularly for smaller businesses. As the connection between 8Base, RansomHouse, and Phobos ransomware remains speculative, organizations must remain vigilant and adopt advanced security solutions to counter evolving threats.