8base ransomware: overlooked but spiking.
By Tim Nodar, CyberWire senior staff writer.
Jun 29, 2023

8base ransomware is attracting new notice as it hits new victims.

VMware has published a report looking at the 8Base ransomware group: “8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023. Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. What is interesting about 8Base’s communication style is the use of verbiage strikingly familiar to another known group, RansomHouse.”

The group primarily targets organizations in the business services, finance, manufacturing, and IT sectors. According to VMware's report, 8Base ranked among the two most active ransomware gangs over the thirty days preceding publication.

Ransomware isn't abating.

Jon Miller, CEO & Co-founder at Halcyon, offered the following observations: 

“Groups like 8Base demonstrate that we have not even begun to see an abatement of the ransomware problem, and it is only a matter of time before we see some really big, disruptive attacks against our critical infrastructure providers. With a precipitous decline in attacks over 2022, some researchers supposed that 2023 ransomware attack volumes would also show a decline. However, the fact is that ransomware is still the number one threat to organizations, with dozens of new groups emerging. 

“March 2023 will go down in the books as the most prolific period so far for the volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year. It is more than apparent that the majority of ransomware gangs are either loosely affiliated or wholly controlled by the Russian government, with ample overlap between threat actors, tooling, and attack infrastructure. 

“The observed overlap between threat groups, their code base, TTPs and other indicators of compromise makes the task of tracking these groups even more difficult. We typically had RaaS providers who used the same moniker as their ransomware variant. We will never be able to stop ransomware attacks, but we can stop them from being successful by arresting the attack at ingress or lateral movement; by preventing data exfiltration; by blocking execution of the ransomware payload; by rapidly recovering systems and minimizing downtime.” 

Cybergangs remain as protean as ever.

James McQuiggan, Security Awareness Advocate at KnowBe4, commented: 

“Time and time again, it's been discovered that cybercriminal groups disband, and members go off and start their own ventures to attack organizations and hold them for ransom through double extortion techniques. Other groups have done activities like 8Base from RansomHouse, Ryuk to Conti, Maze to Egregor, and GandCrab to Sodinokibi. While these are 100% attributable, when a new group emerges around the same time the other one closes, it can be more than a coincidence that certain members transitioned to form a new group. While these cybercriminal groups break off and form differently named groups or combine to be more actionable, organizations need to be aware of the groups through their threat intelligence teams, monitor the groups' activity, and take the necessary precautions to mitigate the risk of an attack.”