8Base Ransomware Attacks Show Spike in Activity

10 months ago AndyC

Ransomware attacks from the 8Base group claimed the second largest number of victims over the past 30 days, says VMware.

8Base Ransomware Attacks Show Spike in Activity

Ransomware attacks from the 8Base group claimed the second largest number of victims over the past 30 days, says VMware.

Screenshot of 8Base ransom group leak site.
Image: VMware

A ransomware group that likes to shame organizations into paying the ransom has shown a surge in activity, according to a Wednesday blog post from VMware. Known as 8Base, the group has been active since March 2022 but has recently captured the second-highest number of victims among known ransomware gangs.

Jump to:

Recent activity from the 8Base ransomware group

Analyzing ransomware attacks in June 2023, VMware found 8Base hit almost 80 victims over the past 30 days (Figure A), second only to the LockBit 3 gang, which compromised almost 100 organizations. Other ransomware groups with heavy activity over this period included ALPHV (BlackCat) with almost 40 victims, BianLian with more than 30 victims and Nokoyawa with more than 25 victims.

Figure A

8Base claimed the second largest number of ransomware victims over the past 30 days.
8Base claimed the second largest number of ransomware victims over the past 30 days. Image: VMware

Targeting sectors like business services, finance, manufacturing and IT, 8Base is known for using “name-and-shame” double-extortion tactics in which the group threatens to publish the encrypted files unless the ransom is paid. The idea is to embarrass the victim by exposing private or confidential information that could damage their brand or reputation.

Who is the 8Base ransomware group?

Despite the surge in ransomware attacks staged by 8Base, details about the group’s identity, methods and motivations largely remain a mystery, according to VMware. However, based on its leak site and public accounts, along with the group’s communications, its verbal style is quite similar to that of RansomHouse, a group that typically purchases already compromised data or works with data leak sites to extort victims.

Analyzing ransom notes from both 8Base and RansomHouse, VMware discovered a 99% match in the verbiage. 8Base’s welcome page, Terms of Service page and FAQ page are all directly copied word for word from RansomHouse. One difference in the communications is that RansomHouse openly seeks out other criminal groups for partnerships, while 8Base does not.

Another common thread between the two groups lies in the choice of ransomware. Both 8Base and RansomHouse use a variety of different ransomware strains, including a variant known as Phobos. Ultimately, the similarities trigger questions about whether 8Base is simply an offshoot of RansomHouse.

“Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware either as earlier variants or as part of their normal operating procedures,” VMware said in its blog post. “What we do know is that this group is highly active and targets smaller businesses.”

8Base’s leak site and public accounts

On its leak site, 8Base describes itself as “simple pen testers.” The site offers instructions to victims with sections for Frequently Asked Questions and Rules, along with multiple ways to contact the group. 8Base also has an official channel on the messaging service Telegram and an account on Twitter (Figure B).

Figure B

8Base's Twitter profile.
8Base’s Twitter profile. Image: VMware

How to protect your organization against 8Base and other ransomware

“From a ransomware detection perspective, the goal is to help organizations detect ransomware early, minimize the damage caused by an attack and recover from the attack as quickly as possible,” according to VMware’s Threat Analysis Unit.

Toward that end, an effective ransomware detection and recovery strategy includes the following three components:

  • Prevention: This is the first line of defense against ransomware attacks. Preventing an attack requires that you keep your critical systems and software updated, apply security best practices and train your employees on how to spot and evade phishing attacks.
  • Detection: Identifying ransomware attacks requires advanced detection tools. A key aspect here is endpoint protection, which uses behavioral analysis and machine learning to look for any unusual activity or behavior on your network.
  • Response: After detecting ransomware, you need to respond quickly to minimize the damage. Such a response entails isolating infected systems, quarantining affected files and preventing the spread of the damage to other systems.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , ,

More Stories

Showcasing Artwork by Max for Autism Awareness Month

Showcasing Artwork by Max for Autism Awareness Month

2 days ago AndyC
BeyondTrust Report: Microsoft Security Vulnerabilities Decreased by 5% in 2023

BeyondTrust Report: Microsoft Security Vulnerabilities Decreased by 5% in 2023

2 days ago AndyC
Malware campaign attempts abuse of defender binaries

Malware campaign attempts abuse of defender binaries

2 days ago AndyC
OpenAI’s GPT-4 Can Autonomously Exploit 87% of One-Day Vulnerabilities, Study Finds

OpenAI’s GPT-4 Can Autonomously Exploit 87% of One-Day Vulnerabilities, Study Finds

3 days ago AndyC
Women in Cybersecurity: ISC2 Survey Shows Pay Gap and Benefits of Inclusive Teams

Women in Cybersecurity: ISC2 Survey Shows Pay Gap and Benefits of Inclusive Teams

3 days ago AndyC
All You Need To Know About Security And Privacy Score on Quick Heal antivirus

All You Need To Know About Security And Privacy Score on Quick Heal antivirus

3 days ago AndyC

You may have missed

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

5 hours ago AndyC
Targeted operation against Ukraine exploited 7-year-old MS Office bug

Targeted operation against Ukraine exploited 7-year-old MS Office bug

5 hours ago AndyC
Weekly Update 397

Weekly Update 397

5 hours ago AndyC
What Would a TikTok Ban Mean?

What Would a TikTok Ban Mean?

5 hours ago AndyC
Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

23 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.