A new ransomware group – known as 8BASE – is already making waves this summer following a record number of victims named in May. Cybernews takes you on a deep dive into what we know about the gang so far.
8BASE may have quietly made their mark, claiming their spot as the new kid on the block last month with a whopping number of breaches and troves of published data, but apparently not quiet enough.
The gang’s handi-work in the hacker sphere – contributing to a 25% rise in worldwide ransom attacks this May – made it into several security research reports released in the past week.
In fact, 8BASE was responsible for more than 15% of all ransomware victims last month, according to a June threat intelligence study by cybersecurity consulting firm NCC Group.
To be fair, the intelligence report also revealed that 8BASE’s high victim count for May included names and data from previous ransom attacks carried out by the gang dating back to April 2022.
For comparison sake, Lockbit 3.0, still the most active threat actor in 2023 so far, was responsible for 18% of the attacks in May, totaling 78 victims, the report said.
Even newer research by the VMware Threat Analysis Unit (TAU) and Managed Detection Response (MDR) teams labeled 8BASE as one of the top three most active ransomware groups in the last 30 days.
The VMware Carbon Black report, released Wednesday morning, also found the gang to have many similarities to other existing ransomware groups – more on that down below.
8BASE is said to have first come on the ransomware scene in March 2022, but “with a significant spike in activity in June of 2023, the VMware report showed.
At this time, there is not enough information available to determine how big or small the group is, where the gang's home base of operations is located, or if 8BASE is backed by any nation-state entities or governments.
8BASE’s all caps logo design is posted at the top of its dedicated dark leak site and includes the group’s tagline “YOUR DATA IS NOT SAFE.”
As typical for a dark leak site, the group has a page dedicated to victims and its downloads, a set of rules for negotiating, and will only accept a ransom payment in Bitcoin.
8BASE, like most other gangs, also claims that they're “honest and simple pentesters” looking to make a buck for the greater good.
“We are honest and simple pentesters. We offer companies the most loyal conditions for the return of their data,“ the group states in its "About Us" section.
“This list contains only those companies that have neglected the privacy and importance of the data of their employees and customers,” 8BASE said.
Currently, 8BASE has multiple communication streams besides its dark leak site contact form, including several encrypted Telegram channels, as well as an active profile on Twitter, which is less expected for a ransomware group as the social networking platform is not the most secure.
Ironically, 8BASE, whose Twitter profile shows just over 100 tweets dating back to May 13th, happens to follow Cybernews.
Presently the group has 147 followers, although the profile shows the account was mysteriously created back in September of 2014.
"We have a lot of data of companies that during this year have decided that money is more important than the privacy of their customers and employees," the group's second Twitter post said on May 14.
More unusual, 8BASE offers to remove the personal data of individuals who may be involved or working for the victim organization, upon direct request.
“In case the [8BASE] team decides to publish the data containing personal information, individuals can contact us via our Official Telegram Channel or dedicated Telegram Channels referenced at company's details profile with a removal request, in addition we will try to do this ourselves before making the data public,” the group states on its Frequently Asked Questions page.
The group states if a person’s information has already been published, along with the company’s stolen data, before the request is made, then that individual is out of luck.
8BASE targets a variety of victims
According to VMware, besides being highly active, the group commonly targets smaller businesses.
8BASE’s Telegram channel, newly created on May 15th, shows dozens of posts filled with downloadable files containing what appears to be troves of identifiable company records, employee IDs, driver’s licenses, and passports from various companies located across the world, including South America, Panama, Australia, and the US.
May's ransomware spike included at least 15 victims alone from South America.
Besides at least half a dozen law offices and legal entities posted on Telegram, alleged 8BASE victims named include those from the technology, manufacturing, agricultural, transportation, and financial sectors.
VMware research shows the ransom group's top ten targeted industries, with business services coming in at number one, real estate and construction in the middle, and food-related industries coming in last.
The latest victim posted on 8BASE's Telegram channel on June 27th is the US-based Akin Law Firm, with offices in both Texas and Colorado.
“We have a large number of files. For demonstration, some of them are presented here. The entire amount of data has already been uploaded to the site, enjoy!,” the gang posted. with about a dozen leaked files ranging from employee tax forms to client court records.
Another recent 8BASE victim, the Port Blue Hotel Group, a chain of exclusive hotels located on the coast of Spain was posted on the dark leak site on June 19th.
"More than 300 lines of passports and other personal data were downloaded," 8BASE claimed. giving the hotel group a deadline of June 26th to pay an undisclosed ransom or its data will be published.
So far, that data does not appear to be published, and only the word EXPIRED in red letters now appears on the hotel group's individual leak page, leaving Cybernews to wonder if Port Blue paid a ransom demand.
Methods, ransomware and similarities
According to the both the NCC intelligence report and VMware, 8BASE typically uses the common “double extortion” ransomware method on its victims.
In a double extortion attack, the gang will breach their target and steal what sensitive information they can access, all before encrypting the company’s data files and/or network servers.
The threat actors then demand a payout – not only to hand over a decryption key to the victim but to delete the data stolen in the attack.
What makes the VMware research most interesting is that it found significant similarities between 8BASE and another ransomware group known as RansomHouse, leading the team to wonder if 8BASE could possibly be either a copycat or an offshoot of the latter ransom group.
“It is up for debate on whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money,” the research said.
First, VMware found the linguistics used in ransom notes sampled from both groups matched 99%. The researchers next found that the language used on both leak sites was also nearly identical when compared side by side.
The verbiage is copied word for word from the RansomHouse welcome page to the 8BASE welcome page, VMware said. The same goes for both the Terms of Service pages and FAQ pages when comparing the dark leak sites.
One major difference found in the report showed "that RansomHouse advertises their partnerships and is openly recruiting for partnerships, whereas 8Base is not."
Another noted difference between the two groups is the set up and formatting of the actual victim leak pages.
Lastly, the researchers found both groups also do not use a signature ransomware strain, instead using what is available on the dark market.
VMware also found one of the ransomware samples used recently by 8BASE was Phobos version 2.9.1 loaded with SmokeLoader, known as a ransomware-as-a-service (RAAS).
It was discovered through a Phobos sample using a “.8base” file extension on encrypted files that VMware recovered.
"Even though 8Base added their own branding customization by appending “.8base” to their encrypted files, the format of the entire appended portion was the same as Phobos, which included an ID section, an email address, and then the file extension," VMware said.
Additional analysis showed the 8BASE sample had been downloaded from a domain associated with the remote administration tool SystemBC, commonly used by other ransomware groups to encrypt and conceal the destination of the attackers’ Command and Control traffic, the report said.
As with all ransomware, VMware highly recommends organizations use some type of endpoint detection software as a security measure to help catch ransomware, before it magnifies.
More from Cybernews:
Subscribe to our newsletter