The sudden surge in the activity of 8base ransomware in June 2023 shows it is a well-established organization to execute attacks that alarms security professionals and industries.
The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms in Bitcoin.
They target small business services, manufacturing, and construction sectors and append the “.8base” extension on encrypted files.
The type of ransomware used by this group remains unknown, but the technique and ransom note used resembles other ransom groups.
Heavy-Hitting 8Base Ransomware
8base ransomware group, climbing themselves as “honest and simple pentester” has been active since March 2022.
Victims can uncover information on the attack by visiting a page dedicated to victims and its downloads.
It includes a set of rules for negotiations, as well as several methods to contact 8Base.
8Base ransomware group became one of the top two performing ransomware groups, right behind Lockbit.
Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed some of its statistics similar to RansomHouse and Phobos.
Similarities Between 8Base and Ransomhouse
While analyzed through Doc2Vec,they have found both groups use similar ransom notes.
Doc2Vec is an unsupervised machine-learning algorithm that converts documents to vectors and can be used to identify similarities in documents.
Secondly,The language used in both the groups’ leak sites are nearly identical.
Additionally,The verbiage is copied word for word from RansomHouse’s welcome page to 8 Base’s welcome page.
Furthermore, their Terms of Service pages and FAQ pages are also similar.
The major difference between these two groups is that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base is not.
The second major difference between the two threat actor groups is their leak pages.
RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison.
Similarities between 8Base and Phobos Ransomware
When comparing Phobos with 8base ransomware, both appends the encrypted files with the”.8base” extension.
Another similarity between Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware.
Although their ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos ransomware.
While 8Base has “cartilage” in the top corner, a purple background, and no Jabber instructions.
The format of the entire appended portion of 8base was the same as Phobos, which included an ID section, an email address, and then the file extension.
Additional analysis shows the 8Base sample had been downloaded from the domain admlogs25[.]xyz – which appears to be associated with SystemBC, a proxy and remote administration tool.
SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers’ Command and Control traffic.
