8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

June 28, 2023 | Ravi Lakshmanan | Ransomware / Cyber Threat


A ransomware threat called 8Base, which has been operating under the radar for over a year, has been linked to a "massive spike in activity" in May and June 2023.

"The group uses a combination of encryption and 'name-and-shame' techniques to compel its victims to pay a ransom," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise, with recent victims spanning a variety of industries."

According to statistics compiled by Malwarebytes and NCC Group, 8Base had been linked to 67 attacks as of May 2023, with roughly 50% of the victims operating in the business services, manufacturing, and construction sectors. Most of the targeted companies are based in the United States and Brazil.


Little is known about the operators of the ransomware, and its origins remain unclear. What is known is that it has been active since at least March 2022, and that the group describes itself as "simple penetration testers."

VMware said 8Base is "strikingly" similar to another data extortion group tracked as RansomHouse, citing overlaps in the ransom notes dropped on compromised machines and in the language used on their respective data leak portals.

"The wording is copied verbatim from RansomHouse's welcome page to 8Base's welcome page," the researchers said. "The same is true of their Terms of Service pages and FAQ pages."

Comparing the two threat groups, RansomHouse openly advertises its partnerships, whereas 8Base does not. Another notable differentiator is their leak sites, which are laid out differently.

In an interesting twist, however, VMware noted that it was able to identify a Phobos ransomware sample that uses the ".8base" file extension for encrypted files. This raises the possibility that 8Base is either a successor to Phobos, or that the threat actors are simply reusing an existing ransomware strain rather than developing their own custom locker. For defenders, that extension is the most concrete artifact in the report: files renamed with a ".8base" suffix alongside a RansomHouse-style ransom note are a strong indicator of this particular operation.

"The speed and efficiency of 8Base's current operations do not indicate the start of a new group, but rather the continuation of a well-established, mature organization," the researchers said. "Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen."


8Base is part of a wave of ransomware newcomers entering the market, including CryptNet, Xollam, and Mallox. Established families such as BlackCat, LockBit, and Trigona have also received continuous updates to their functionality and attack chains in order to extend their reach beyond Windows to Linux and macOS systems.

A case in point is the use of BATLOADER to deploy Mallox, which, according to Cyble, indicates that threat actors are actively refining their tactics to "increase evasiveness and sustain malicious activity."

"Groups have adopted code from other groups, and affiliates, which can be considered cybercrime groups in their own right, switch between different types of malware," Kaspersky said in an analysis last week. "Each group is working to upgrade its malware, adding functionality and providing support for multiple platforms that were previously unsupported. This is a trend that has been around for some time."
