CyberSecurity SEE

Industries Under Attack from the Powerful 8Base Ransomware

The sudden increase in the activity of the 8Base ransomware group in June 2023 has raised concerns among security professionals and industries. This well-established organization is executing attacks using encryption and “name-and-shame” techniques to force victims to pay their ransoms in Bitcoin.

The group primarily targets small business services, manufacturing, and construction sectors, encrypting files and appending the “.8base” extension to them. Although the specific type of ransomware used by this group remains unknown, their techniques and ransom notes bear similarities to other ransomware groups.

The 8Base ransomware group, which portrays itself as an “honest and simple pentester,” has been active since March 2022. Victims can find information about the attack on a dedicated victim webpage and its downloads; that page sets out a set of negotiation rules and several ways to contact the group.

According to analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams, the 8Base ransomware group has become one of the top-performing ransomware groups, ranking just behind Lockbit. The analysis also revealed statistical similarities between 8Base and other ransomware groups like RansomHouse and Phobos.

Comparisons made using an unsupervised machine-learning algorithm called Doc2Vec showed that both 8Base and RansomHouse use similar ransom notes. Additionally, the language used on their leak sites is almost identical, with verbiage directly copied from RansomHouse’s welcome page to 8Base’s welcome page. Furthermore, their Terms of Service and FAQ pages also exhibit similarities.

Despite these similarities, there are notable differences between 8Base and RansomHouse. RansomHouse openly advertises partnerships and actively recruits for collaborations, while 8Base does not. Another significant difference lies in their leak pages. While RansomHouse relies on a wide variety of ransomware available on dark markets and does not have its own signature ransomware, 8Base does.

When comparing 8Base to Phobos ransomware, it is evident that both groups append the extension “.8base” to encrypted files. A closer examination revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation, unpacking, and loading of the ransomware. However, there were key differences in the ransom notes, with Phobos including Jabber instructions and the term “phobos” in the top and bottom corners, while 8Base had “cartilage” in the top corner, a purple background, and no Jabber instructions. The format of the appended portion of the files in 8Base closely resembled that of Phobos.

Further analysis indicated that the 8Base sample had been downloaded from the domain admlogs25[.]xyz, which appears to be associated with SystemBC, a proxy and remote administration tool. SystemBC has been utilized by other ransomware groups as a means to encrypt and conceal the destination of their Command and Control traffic. Although the 8Base ransom group adopts elements from other ransomware groups, it remains unclear whether it originated from Phobos or RansomHouse.
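As an added defender-side example, not taken from the report or from the VMware Carbon Black analysis, the Python below scans constructed endpoint telemetry for two signals the article gives: a burst of files renamed with the “.8base” extension on one host, and a DNS lookup of admlogs25[.]xyz. The log line format, host names, the `id[FAKE]` filename segment, and the five-renames-per-minute threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): file renames and DNS lookups.
SAMPLE_LOGS = """\
2023-06-12T09:00:01Z host=WS-17 event=dns query=admlogs25.xyz
2023-06-12T09:00:05Z host=WS-17 event=rename new=C:\\docs\\a.xlsx.id[FAKE].8base
2023-06-12T09:00:06Z host=WS-17 event=rename new=C:\\docs\\b.docx.id[FAKE].8base
2023-06-12T09:00:07Z host=WS-17 event=rename new=C:\\docs\\c.pdf.id[FAKE].8base
2023-06-12T09:00:08Z host=WS-17 event=rename new=C:\\docs\\d.pptx.id[FAKE].8base
2023-06-12T09:00:09Z host=WS-17 event=rename new=C:\\docs\\e.txt.id[FAKE].8base
2023-06-12T09:30:00Z host=WS-02 event=rename new=C:\\docs\\notes.txt.bak
2023-06-12T10:00:00Z host=WS-02 event=rename new=C:\\docs\\old.xlsx.8base
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) (\w+)=(.*)$")
IOC_DOMAIN = "admlogs25[.]xyz".replace("[.]", ".")  # defanged form as quoted in the report
EXT = ".8base"                                      # extension appended to encrypted files

def parse(log_text):
    """Yield (timestamp, host, event, value) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(5)

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: hosts with >= threshold .8base renames inside one window,
    plus any DNS query for the SystemBC-associated domain named in the report."""
    alerts, renames = [], defaultdict(list)
    for ts, host, event, value in parse(log_text):
        if event == "dns" and value.lower().rstrip(".") == IOC_DOMAIN:
            alerts.append(("ioc_dns", host, ts.isoformat()))
        elif event == "rename" and value.lower().endswith(EXT):
            renames[host].append(ts)
    for host, times in renames.items():   # sliding window over sorted rename times
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("mass_encrypt", host, times[start].isoformat()))
                break
    return alerts
```

A single stray “.8base” rename on WS-02 stays below the threshold, so only the burst on WS-17 and its IoC lookup produce alerts.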

In conclusion, the 8Base ransomware group has emerged as a significant threat in the cybersecurity landscape. Their use of encryption and “name-and-shame” techniques, as well as their adoption of code and TTPs from other ransomware groups, underscores the need for robust security measures to protect businesses from such attacks.
