New ransomware gang 8BASE behind surge of May attacks

A new study reveals the number of ransomware attacks on organizations worldwide surged nearly 25% in May, the highest amount recorded so far this year – and the increase is partly due to a new gang on the scene known as 8BASE.

A new Cyber Threat Intelligence research report by NCC Group, one of the world’s largest cybersecurity consulting firms, shows that May 2023 was a banner month for ransomware attacks.

Compared with the previous month, the May surge amounts to a rise of roughly 24%: the research counts 436 ransomware victims reported in May against April's figure of 352.

“We continue to see heightened levels of ransomware activity in 2023, as each passing month surpasses the volume of attacks witnessed during the same period in the previous year,” said Matt Hull, Global Head of Threat Intelligence at NCC Group.

Part of the spike can be attributed to a new arrival on the ransomware scene, a group calling itself 8BASE.

The gang published the data of 67 victims last month, more than 15% of all victims reported in May.

Image: 8BASE leak site logo

The report found that a second ransomware group, known as Akira, also made significant waves in May, although it appears to have a more limited online presence than other groups.

The gang claimed 28 victims in May, its highest on record and more than four times the six victims it claimed in April, the study found. Akira was first observed only in March.

Hull said, “The emergence of new ransomware groups like 8base and Akira raises equal concerns and warrants attention,” even if the notorious Lockbit gang is still considered the most active threat actor at present.

Nudging out 8BASE, Lockbit 3.0 was responsible for 18% (78 victims) of the attacks in May and remains the most active threat actor of 2023, despite a 27% drop compared to April (107 victims), the report stated.

The research team also noted several other ransomware groups newly active in May: BlackSuit, MalasLocker, and RAGroup.

High profile targets become the norm

Beyond the monthly figures, Hull said attacks targeting high-profile organizations are also a trend this year.

Hull said those attacks have been “predominantly led by Russian-speaking threat actor Cl0p,” referring to this month's Cl0p exploitation of the MOVEit Transfer file transfer system (a SQL injection flaw, CVE-2023-34362) and its March zero-day attacks on Fortra's GoAnywhere MFT file transfer product (a pre-authentication remote code execution flaw, CVE-2023-0669).

Roughly 130 victims were claimed in the GoAnywhere attacks, while MOVEit Transfer, a third-party product, is in use by thousands of companies worldwide.

Security insiders estimate the number of victims of the MOVEit breach – including major companies Shell, British Airways, Ernst & Young, NortonLifeLock, and Telos – will easily surpass the 200 mark as the gang releases more victim names each day.

GoAnywhere victims include Hitachi, Procter & Gamble (P&G), Rubrik, Shell and Virgin.

The MOVEit exploit “has led to greater public attention towards the evolving threat landscape, which contributes to a growing understanding of the severity and impact ransomware incidents can have, and why organizations must be proactive in their cyber defenses,” Hull said.

What we know about 8BASE

According to the intelligence report, one reason for the high number of attacks attributed to 8BASE is that much of the data the group released last month concerned intrusions dating back as far as April 2022, so the May count reflects a backlog being published rather than 67 fresh compromises in a single month.

As is typical for a dark web leak site, the group's site has a page listing victims and their downloads, a set of rules for negotiating, and accepts ransom payments only in Bitcoin.

8BASE, like most other gangs, also claims that they're “honest and simple pentesters” looking to make a buck for the greater good.

“We are honest and simple pentesters. We offer companies the most loyal conditions for the return of their data,” the group posted in its "About Us" section.

“This list contains only those companies that have neglected the privacy and importance of the data of their employees and customers,” 8BASE said.

Image: 8BASE leak site, "About Us" section

Meanwhile, 8BASE’s Telegram channel tells quite a different story.

The gang, which only created the channel on May 15th, has posted dozens of downloadable files containing what appear to be troves of identifiable company records, employee IDs, driver’s licenses, and passports from companies in South America, Panama, Australia, and the US.

Besides at least half a dozen law offices and legal entities, alleged 8BASE victims include those from the technology, agricultural, transportation, and financial sectors.

Image: 8BASE Telegram channel, passport scans

The latest victim posted on the 8BASE leak site, on June 19th, is the Port Blue Hotel Group, a chain of exclusive hotels located on the coast of Spain.

“Port Blue Hotel Group is a chain of boutique hotels in ideal places to relax,” the group posted.

“Nevertheless, they do not know how to store personal data, especially the passports of their clients,” the group said.

“More than 300 lines of passports and other personal data were downloaded,” 8BASE claimed.

The gang gave the hotel group a deadline of June 26th to pay an undisclosed ransom or its data will be published.

Image: 8BASE Telegram post on Port Blue Hotel Group

According to the NCC intelligence report, 8BASE typically uses “double extortion” on its victims.

In a double extortion attack, the attackers breach their target and exfiltrate whatever sensitive information they can reach, all before encrypting the company’s files and/or servers.

The attackers then demand a payout not only to hand over a decryption key but also to delete the data stolen in the breach.

The method most likely evolved as organizations began to proactively create and store backups of their systems, making a decryption key unnecessary for most companies to restore their data.

Even a company that negotiates for the decryption key may find the data irreparably damaged once restored.

Additionally, the attackers, who can trivially keep copies of the stolen data for future use, may publish or sell it anyway, despite a ransom being paid. A payment buys a promise of deletion, nothing that can be verified.
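The sequence described above, exfiltration first and mass encryption afterwards, is also what a defender can look for: a bulk outbound transfer to a destination the environment does not normally talk to, followed within hours by a burst of files being renamed to a new extension. The following is an added example written for this article, not code from NCC Group, 8BASE coverage, or the report; the event schema, thresholds, destination allowlist and the telemetry it runs over are all assumptions constructed for illustration.

```python
"""Heuristic detector for the exfiltrate-then-encrypt sequence of a double
extortion attack. Added example, not code from NCC Group or the article.
The event schema, thresholds and sample telemetry are assumptions."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for the example; tune against your own baseline.
EXFIL_BYTES = 500 * 1024 * 1024      # bytes to one unfamiliar destination
RENAME_BURST = 50                    # extension-changing renames in BURST_WINDOW
BURST_WINDOW = timedelta(minutes=15)
FOLLOW_WINDOW = timedelta(hours=6)   # renames must follow the transfer within this
# Assumed allowlist of destinations that legitimately receive bulk data.
KNOWN_DESTINATIONS = {"backup.example.internal"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _changes_extension(event):
    return os.path.splitext(event["old"])[1] != os.path.splitext(event["new"])[1]


def _largest_burst(times, window):
    """Largest number of sorted timestamps that fit inside one window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_double_extortion(events):
    """Return {host: finding} for hosts where a bulk transfer to an unfamiliar
    destination is followed by a burst of extension-changing renames.
    Event dicts carry ts (ISO 8601), host, type ('netflow' or 'rename') and
    either dst/bytes_out or old/new."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        # Stage 1: aggregate outbound bytes per unfamiliar destination.
        bytes_to, first_seen = defaultdict(int), {}
        for e in evs:
            if e["type"] == "netflow" and e["dst"] not in KNOWN_DESTINATIONS:
                bytes_to[e["dst"]] += e["bytes_out"]
                first_seen.setdefault(e["dst"], _ts(e))
        candidates = [(first_seen[d], d, b) for d, b in bytes_to.items() if b >= EXFIL_BYTES]
        if not candidates:
            continue
        exfil_ts, exfil_dst, exfil_bytes = min(candidates)   # earliest qualifying transfer
        # Stage 2: extension-changing renames in the hours after that transfer.
        renames = sorted(_ts(e) for e in evs
                         if e["type"] == "rename" and _changes_extension(e)
                         and exfil_ts < _ts(e) <= exfil_ts + FOLLOW_WINDOW)
        burst = _largest_burst(renames, BURST_WINDOW)
        if burst >= RENAME_BURST:
            findings[host] = {"exfil_dst": exfil_dst, "exfil_bytes": exfil_bytes,
                              "exfil_first_seen": exfil_ts.isoformat(),
                              "renames_in_burst": burst}
    return findings


def constructed_sample():
    """Constructed telemetry, not real logs: ws-17 shows the attack pattern,
    ws-04 is a nightly backup to an allowlisted destination."""
    base = datetime(2023, 5, 20, 1, 0, 0)
    ev = []
    for i in range(6):   # ws-17: 6 x 100 MiB to 198.51.100.23 (documentation address)
        ev.append({"ts": (base + timedelta(minutes=i)).isoformat(), "host": "ws-17",
                   "type": "netflow", "dst": "198.51.100.23", "bytes_out": 100 * 1024 * 1024})
    for i in range(60):  # ws-17: 60 files renamed to a new extension 40 minutes later
        t = base + timedelta(minutes=40, seconds=5 * i)
        ev.append({"ts": t.isoformat(), "host": "ws-17", "type": "rename",
                   "old": f"/srv/share/doc{i}.docx", "new": f"/srv/share/doc{i}.docx.locked"})
    for i in range(8):   # ws-04: 800 MiB to the backup server, then a few .bak renames
        ev.append({"ts": (base + timedelta(minutes=i)).isoformat(), "host": "ws-04",
                   "type": "netflow", "dst": "backup.example.internal", "bytes_out": 100 * 1024 * 1024})
    for i in range(3):
        t = base + timedelta(minutes=30 + i)
        ev.append({"ts": t.isoformat(), "host": "ws-04", "type": "rename",
                   "old": f"/etc/app/conf{i}.yml", "new": f"/etc/app/conf{i}.yml.bak"})
    return ev


if __name__ == "__main__":
    for host, finding in detect_double_extortion(constructed_sample()).items():
        print(host, finding)
```

Run stand-alone, it reports only ws-17: the backup host moves more data but to an allowlisted destination and renames only three files. The thresholds are deliberately crude; in practice the transfer-volume baseline is kept per host and per destination, and the rename signal comes from EDR or file-server audit logs rather than the flat event list used here.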

Location meets industry sector

Other trends that stood out in the research included how groups targeted victims based on their geographic location, industry sector, and type of data.

Not surprisingly, North America led the pack as the world's most targeted region in May, claiming more than half of all victims.

About 24% of attacks hit Europe, followed by 8% in South America, which nonetheless represents an 89% increase for that continent, again driven by 8BASE’s fifteen victims in the region.

As for industry? The industrial sector was the top target at 30%, with technology next at 15%, a three-fold increase from the previous month. Consumer cyclical industries, such as real estate, entertainment, and retail, made up the rest of the affected sectors.

The most popular types of data for cybercriminals to go after are personally identifiable information (PII) and intellectual property (IP).