A ransomware threat called 8Base, which has been operating under the radar for more than a year, has been associated with a "massive spike in activity" in May and June 2023.
“The group uses encryption coupled with ‘name-and-shame’ techniques to force their victims to pay their ransoms,” VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. “8Base has a pattern of opportunistic compromise with recent victims spread across multiple industries.”
8Base, according to statistics compiled by Malwarebytes and NCC Group, has been linked to 67 attacks as of May 2023, with around 50% of victims operating in the business services, manufacturing, and construction sectors. The majority of targeted companies are located in the U.S. and Brazil.
With very little known about the operators of the ransomware, its origins remain a mystery. What is evident is that it has been active since at least March 2022 and that the actors describe themselves as "simple pentesters".
VMware says 8Base is "strikingly" similar to another data extortion group tracked as RansomHouse, citing overlaps in the ransom notes dropped on compromised machines and in the language used on the respective data leak portals.
“Word for word copied verbatim from the RansomHouse welcome page to the 8Base welcome page,” the researchers said. “This applies to their Terms of Service page and FAQ page.”
A comparison of the two threat groups reveals that while RansomHouse openly advertises their partnership, 8Base does not. Another important differentiator is their leak page.
In an interesting twist, VMware notes that it was able to identify a Phobos ransomware sample that uses the ".8base" file extension for encrypted files, raising the possibility that 8Base could be a successor to Phobos, or that the attackers simply used an existing ransomware family rather than developing their own custom locker.
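The ".8base" extension is the one concrete host-side indicator the report gives, so the check a responder would want is a quick hunt for it across a file share or image. The script below is an added example, not code from VMware Carbon Black or from the article. It flags any file ending in ".8base" and, as an assumption drawn from general knowledge of the Phobos family rather than from this page, additionally parses the Phobos-style name layout `<original>.id[<victim id>-<campaign>].[<contact>].<ext>` so that victim IDs and contact addresses can be grouped per host. The sample file names are constructed for the demonstration.

```python
import os
import re
from collections import Counter

# Encrypted-file extension reported for the Phobos sample tied to 8Base.
EXTENSION = ".8base"

# ASSUMPTION: Phobos-family naming convention (general knowledge, not stated in
# the article):  <original name>.id[<8 hex victim id>-<4 digit campaign>].[<contact>].<ext>
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign>\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]" + re.escape(EXTENSION) + r"$",
    re.IGNORECASE,
)

# Constructed sample names for the demonstration (not real victim data).
SAMPLE_NAMES = [
    "Q2-report.xlsx.id[1A2B3C4D-3210].[attacker@example.com].8base",
    "notes.txt",
    "backup.tar.8BASE",
    "photo.jpg",
]


def classify(filename):
    """Return None for an unrelated file, otherwise a dict describing the hit.

    A match on the full Phobos layout yields the parsed fields; a bare
    ".8base" suffix without that layout is still reported, because an
    extension match alone is enough to warrant isolating the host.
    """
    if not filename.lower().endswith(EXTENSION):
        return None
    m = PHOBOS_NAME_RE.match(filename)
    if m:
        return {"file": filename, "pattern": "phobos", **m.groupdict()}
    return {"file": filename, "pattern": "extension-only"}


def scan_names(filenames):
    """Classify a list of file names and return the hits in input order."""
    return [hit for hit in map(classify, filenames) if hit]


def scan_tree(root):
    """Walk a directory tree and return hits for every matching file path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                hit["file"] = os.path.join(dirpath, name)
                hits.append(hit)
    return hits


def summarize(hits):
    """Aggregate hits so an analyst sees how many victim IDs and contacts appear."""
    phobos = [h for h in hits if h["pattern"] == "phobos"]
    return {
        "total": len(hits),
        "phobos_layout": len(phobos),
        "extension_only": len(hits) - len(phobos),
        "by_victim_id": dict(Counter(h["victim_id"] for h in phobos)),
        "by_contact": dict(Counter(h["contact"] for h in phobos)),
    }


if __name__ == "__main__":
    import sys

    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_names(SAMPLE_NAMES)
    for hit in found:
        print(hit)
    print(summarize(found))
```

Run it with a mount point or forensic image path as the only argument to sweep a tree; with no argument it classifies the constructed sample names. Treat an "extension-only" hit as seriously as a full layout match: a different Phobos build may change the name layout while keeping the extension.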
“The current speed and efficiency of 8Base operations does not represent the start of a new group, but rather indicates continuation of an established mature organization,” the researchers said. “Whether 8Base is a fork of Phobos or RansomHouse remains to be seen.”
8Base is part of a wave of ransomware newcomers entering the market, such as CryptNet, Xollam, and Mallox, even as established families like BlackCat, LockBit, and Trigona have received continuous updates to their features and attack chains, extending their reach beyond Windows to infect Linux and macOS systems.
One of the examples highlighted by Cyble involves the use of BATLOADER to deploy Mallox, suggesting that threat actors are actively refining their tactics to "enhance evasion and sustain their malicious activity".
“Groups adopt other groups’ code, and affiliates — which could be considered cybercrime groups in their own right — switch between different types of malware,” Kaspersky said in last week’s analysis. “The group is working on updating their malware, adding features and providing support for some platforms that were not previously supported, a trend that has existed for some time now.”