
Apurva Venkat
Special Correspondent

New ransomware group starts to wreak havoc

News
29 Jun 2023 | 4 mins
Cyberattacks | Ransomware

The 8Base ransomware group is now among the top two performing ransomware groups within the past month, marginally behind the infamous Lockbit ransomware group.


A massive spike in ransomware activity in May and June 2023 has been attributed to a relatively unknown ransomware group called 8Base. 

"Although the 8Base Ransom Group is not necessarily a new group, their spike in activity recently has not gone unnoticed. Even within the past 30 days, it is within the top 2 performing ransom groups," VMware said in a report. "Not much was known publicly about the kind of ransomware used by 8Base other than the ransom note and that it appends encrypted files with the extension '.8base'."

The group utilizes encryption paired with "name-and-shame" techniques to compel its victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries, VMware said. 

8Base is a ransomware group that has been active since March 2022. The group describes itself as "simple pen testers." Its leak site provides victim details through Frequently Asked Questions and Rules sections, as well as multiple ways to contact the group.

Chart comparing 8Base Ransom Group victimization statistics with other known ransom groups. (Source: VMware)

The group has been linked to 67 attacks as of May 2023, with about half of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the US and Brazil, according to statistics gathered by Malwarebytes and NCC Group.

Similarities with RansomHouse

While reviewing 8Base, the researchers noticed there were significant similarities between the 8Base group and another group called RansomHouse. 

"It is up for debate whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money," VMware said in its report. 

Comparing the ransom notes of the two groups, the researchers found a 99% match in linguistics. The language of both groups' leak sites was also identical. 

"The verbiage is copied word for word from RansomHouse's welcome page to 8Base's welcome page," VMware said.  

The only two major differences between the groups were that RansomHouse advertises its partnerships and is openly recruiting partners, whereas 8Base does not. 

"Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat," VMware said, adding that RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn't have its own signature ransomware as a basis for comparison. "Interestingly, while researching 8Base we weren't able to find a single ransomware variant either," VMware said. 

Similarities with Phobos Ransomware

While searching for a sample of the ransomware used by the 8Base Ransom Group, researchers recovered a Phobos sample using a ".8base" file extension on encrypted files. "A comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader," VMware said. 

Phobos ransomware is available as a ransomware-as-a-service. Other threat actors can customize parts to their needs as seen in the 8Base ransom note. 

"Although their ransom notes were similar, key differences included Jabber instructions and 'Phobos' in the top and bottom corners of the Phobos ransomware while 8Base has 'cartilage' in the top corner, a purple background, and no Jabber instructions," VMware said. 
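The two comparisons above (the near-identical RansomHouse and 8Base wording, and the Phobos note that differs mainly in branding and the Jabber contact block) both rest on the same analyst technique: normalize two ransom notes, measure how much template text they share, and list what was swapped. The script below is an added example written for this article, not VMware's tooling; the two note texts in it are constructed stand-ins with placeholder contact addresses, not real 8Base or Phobos notes.

```python
"""Ransom-note comparison as an attribution aid (added example, constructed data).

Given two note texts, report a character-level similarity ratio over the
normalized wording, plus the lines that appear in only one of them. A high
ratio with a short difference list (branding, contact channel) is the pattern
an analyst reads as "same template, re-skinned".
"""
import difflib
import re

# Constructed samples: wording is illustrative only, addresses are placeholders.
NOTE_A = """YOUR FILES ARE ENCRYPTED
Phobos
All your files have been encrypted due to a security problem with your PC.
To restore them, write to us at recover@example.invalid.
Jabber: recover@jabber.example.invalid
Do not rename encrypted files. Do not try to decrypt your data using third party software.
Phobos
"""

NOTE_B = """YOUR FILES ARE ENCRYPTED
cartilage
All your files have been encrypted due to a security problem with your PC.
To restore them, write to us at recover@example.invalid.
Do not rename encrypted files. Do not try to decrypt your data using third party software.
"""


def normalize(text):
    """Lower-case, mask e-mail addresses and collapse whitespace so the ratio
    measures template wording rather than per-campaign contact details."""
    text = text.lower()
    text = re.sub(r"[\w.+-]+@[\w.-]+", "<email>", text)
    text = re.sub(r"\s+", " ", text)
    return text.strip()


def similarity(a, b):
    """Similarity ratio in [0, 1] from difflib. autojunk is disabled because
    the heuristic discards frequent characters in texts over 200 chars, which
    distorts scores on short, repetitive ransom notes."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b), autojunk=False).ratio()


def differing_lines(a, b):
    """Return (only_in_a, only_in_b): non-empty lines present in one note only."""
    lines_a = {ln.strip() for ln in a.splitlines() if ln.strip()}
    lines_b = {ln.strip() for ln in b.splitlines() if ln.strip()}
    return sorted(lines_a - lines_b), sorted(lines_b - lines_a)


def compare_notes(a, b, threshold=0.8):
    """Summarize the comparison; threshold is an assumed cut-off, not a standard."""
    ratio = similarity(a, b)
    only_a, only_b = differing_lines(a, b)
    return {
        "ratio": round(ratio, 3),
        "likely_shared_template": ratio >= threshold,
        "only_in_a": only_a,
        "only_in_b": only_b,
        # Presence of a Jabber contact block was one of the stated differences.
        "mentions_jabber": ("jabber" in a.lower(), "jabber" in b.lower()),
    }


if __name__ == "__main__":
    result = compare_notes(NOTE_A, NOTE_B)
    print(f"similarity: {result['ratio']}  shared template: {result['likely_shared_template']}")
    print("only in A:", result["only_in_a"])
    print("only in B:", result["only_in_b"])
    print("jabber (A, B):", result["mentions_jabber"])
```

On the constructed pair the ratio lands well above the 0.8 cut-off while the difference list is just the branding lines and the Jabber block, which is the shape of evidence the article describes. Masking e-mails before scoring matters: otherwise two affiliates of the same family can score lower than two unrelated notes that happen to share a mailbox provider.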

VMware warns that 8Base is a highly active group and targets small businesses. "Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware -- either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses," VMware said. 

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
