
Researchers have spotted a massive spike in ransomware activity in May and June 2023 and attributed it to a ransomware group called 8Base.
8Base has been active since March 2022 and describes itself as "simple pen testers". Its leak site presents victim details alongside Frequently Asked Questions and Rules sections, and offers multiple ways to contact the group.
8Base is therefore not necessarily a new group, but its recent spike in activity has not gone unnoticed: it is currently one of the top two performing ransomware groups. Few details are available beyond the ransom note and the fact that the ransomware appends the extension ".8base" to encrypted files.
The group pairs encryption with "name-and-shame" tactics to pressure its victims into paying. 8Base's pattern of compromise is opportunistic, with recent victims spanning a wide range of industries.
As of May 2023 the group is behind 67 attacks, with roughly half of the victims operating in the business services, manufacturing, and construction sectors. Most of the targeted companies are located in the US and Brazil.
The researchers also noticed significant similarities between 8Base and another group, RansomHouse. The only two major differences between the groups were that RansomHouse advertises its partnerships and openly recruits partners, whereas 8Base does neither.
While searching for a sample of the ransomware used by 8Base, researchers recovered a Phobos sample that uses the ".8base" extension on encrypted files. Phobos is sold as ransomware-as-a-service, so other threat actors can customize parts of it to their needs, as seen in the 8Base ransom note.
Researchers warn that 8Base is a highly active group that targets small businesses. Given the nature of 8Base, they can only speculate at this time that the group uses several different types of ransomware, either as earlier variants or as part of its normal operating procedure.
This research was documented by researchers from VMware.
Indicators of Compromise
SHA-256:
- 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
- 5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0
- e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
- c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
- afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
SHA-1:
- 3d2b088a397e9c7e9ad130e178f885feebd9688b
- 5d0f447f4ccc89d7d79c0565372195240cdfa25f
MD5:
- 20110ff550a2290c5992a5bb6bb44056
- 9769c181ecef69544bbb2f974b8c0e10
Domains:
- wlaexfpxrs[.]org
- admhexlogs25[.]xyz
- admlogs25[.]xyz
- admlog2[.]xyz
- dnm777[.]xyz
- serverlogs37[.]xyz
- dexblog[.]xyz
- blogstat355[.]xyz
- blogstatserv25[.]xyz
Filenames:
- 9f1a.exe
- d6ff.exe
- 3c1e.exe
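The indicator list above turned into a small matcher, as an added example (this is not VMware's code or tooling). It lower-cases the published hashes so that case differences never cause a missed lookup, refangs the domains, and then checks a directory tree for the ".8base" extension, the listed dropper filenames and any hash hit, and checks DNS query lines for the listed domains including their subdomains. The DNS log format, the directory contents and the log lines are constructed for the demo and are assumptions, not data from the report.

```python
"""IoC matcher for the 8Base indicators listed above (added example).

All sample inputs are constructed for the demo; only the indicator values
come from the page.
"""
import hashlib
import tempfile
from pathlib import Path

# Hashes from the IoC list, lower-cased so lookups are case-insensitive
# (the published list mixes upper and lower case).
IOC_HASHES = {
    "518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c",
    "5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0",
    "e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0",
    "c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64",
    "afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3",
    "3d2b088a397e9c7e9ad130e178f885feebd9688b",
    "5d0f447f4ccc89d7d79c0565372195240cdfa25f",
    "20110ff550a2290c5992a5bb6bb44056",
    "9769c181ecef69544bbb2f974b8c0e10",
}
IOC_DOMAINS_DEFANGED = [
    "wlaexfpxrs[.]org", "admhexlogs25[.]xyz", "admlogs25[.]xyz", "admlog2[.]xyz",
    "dnm777[.]xyz", "serverlogs37[.]xyz", "dexblog[.]xyz", "blogstat355[.]xyz",
    "blogstatserv25[.]xyz",
]
IOC_FILENAMES = {"9f1a.exe", "d6ff.exe", "3c1e.exe"}
RANSOM_EXTENSION = ".8base"


def refang(indicator: str) -> str:
    """Turn a defanged domain ('a[.]b') back into a resolvable name ('a.b')."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def hash_file(path: Path) -> dict:
    """Compute MD5, SHA-1 and SHA-256 in one pass so any listed hash type can match."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def scan_directory(root: Path) -> list:
    """Return (relative path, reason) for every file that matches an indicator."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower().endswith(RANSOM_EXTENSION):
            findings.append((rel, "encrypted-file extension"))
        if path.name.lower() in IOC_FILENAMES:
            findings.append((rel, "known filename"))
        for algo, digest in hash_file(path).items():
            if digest in IOC_HASHES:
                findings.append((rel, f"{algo} hash match"))
    return findings


def domain_matches(qname: str) -> bool:
    """Exact match or subdomain of a listed domain; a trailing dot is ignored."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(lines) -> list:
    """Assumed line format '<time> <client> <qtype> <qname>'; return (line_no, qname) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 4 and domain_matches(fields[3]):
            hits.append((n, fields[3]))
    return hits


# Constructed sample DNS log (not real traffic).
SAMPLE_DNS_LOG = [
    "2023-06-12T10:01:02Z 10.0.0.5 A www.example.com",
    "2023-06-12T10:01:09Z 10.0.0.5 A dexblog.xyz",
    "2023-06-12T10:01:15Z 10.0.0.7 A mail.corp.local",
    "2023-06-12T10:02:30Z 10.0.0.5 A cdn.blogstatserv25.xyz.",
    "2023-06-12T10:02:41Z 10.0.0.9 A notdexblog.xyz",
]


def demo() -> dict:
    """Build a throwaway directory of constructed files and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q2.xlsx.8base").write_bytes(b"\x00" * 64)  # renamed by the encryptor
        (root / "9f1a.exe").write_bytes(b"MZ not a real binary")        # listed dropper name only
        (root / "readme.txt").write_text("benign")
        files = scan_directory(root)
    return {"files": files, "dns": scan_dns_log(SAMPLE_DNS_LOG)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The subdomain check matters because command-and-control hosts usually sit under the listed apex domain, while the "." prefix guard keeps look-alikes such as notdexblog.xyz from matching. Hashing every file with all three algorithms at once costs nothing extra in I/O and means a responder does not have to know which algorithm each published hash used.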