Group Listed Nearly 40 Victims on its Dark Web Leak Site So Far This Month
New entrant ransomware group 8Base is fast becoming a “big player” in the underground market with nearly 40 victims in June – second only to the notorious LockBit ransomware gang.
The group has hit nearly 80 organizations since March 2022 and uses double-extortion tactics of encryption and “name-and-shame,” according to a new report from VMware.
8Base was responsible for 15% of the attacks in May, as the group began releasing data from victims breached between April 2022 and May 2023, said another report from the NCC Group last week. Ransomware attacks soared in May with 436 victims. LockBit 3.0 remained the most active threat actor in 2023 with 78 known victims and 18% of all incidents tracked in May.
The majority of 8Base targets are in the industrial sector, the NCC Group said. VMware added business services, finance, manufacturing and IT industries to this list. The group has so far listed 38 victims in June and, along with its leak site, also uses a Twitter account and Telegram channel to publicize its victims’ names.
The 8Base group’s activity is similar to the less-active RansomHouse ransomware gang, which buys leaked data, partners with data leak sites and then extorts companies for money.
The language on the leak sites, the ransom note and the terms of service and FAQ pages of the two ransomware groups is eerily similar, VMware said. The two major differences between the groups are the graphical user interface and the fact that RansomHouse is openly recruiting partners, and 8Base is not.
Both groups also use multiple ransomware variants in their campaigns – variants of the Phobos family. Phobos operates as ransomware-as-a-service and 8Base possibly adopted it, adding customizations such as appending the victim’s ID, firstname.lastname@example.org email address, and an “.8base” extension to the names of encrypted files. 8Base was observed using Phobos version 2.9.1, which is loaded using SmokeLoader, VMware said.
“Given the similarity between the two, we were presented with the question of whether 8Base may be an offshoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison,” VMware said.
Malware research site vx-underground compared 8Base’s output to the “Big 3,” which includes the Conti, LockBit and ALPHV ransomware groups. It defines these as the “largest and most prolific ransomware groups” of recent times and considers 8Base to be an internal group or sub-clique of the LockBit ransomware group that decided to form its own group. Vx-underground predicts that “in the coming months they will become a big player in the ransomware scene.”