8Base on a Ransomware Rampage

In just one month, the ransomware group known as 8Base emerged as the second most active ransomware group, according to a report by VMware. Primarily targeting small businesses, 8Base employs double extortion tactics by publicly naming and shaming victims of all sizes to pressure them into paying the ransom. So far, the group has doxxed around 30 organizations just this month.

During their analysis of 8Base’s operations, VMware noticed similarities with another lesser-known ransomware group called RansomHouse, which specializes in purchasing leaked data and extorting money from companies. Communication style and ransom notes were found to be similar between the two groups, although their visual presentations differed. The key distinction is that while RansomHouse actively recruits partners, 8Base does not.

VMware researchers raised the possibility of 8Base being an offshoot or copycat of RansomHouse. However, since RansomHouse utilizes various ransomware types available on dark markets without having its own signature ransomware, a direct comparison is challenging. Like RansomHouse, 8Base seems to employ multiple ransomware variants, with the Phobos family being common to both. Notably, 8Base uses ransom notes that bear a resemblance to those of both RansomHouse and Phobos.

Phobos operates under the ransomware-as-a-service (RaaS) model, and it is believed that 8Base may have adopted this approach, customizing the malware to add the ‘.8base’ extension to encrypted files. VMware provides indicators of compromise associated with 8Base’s activities, suggesting that the group may employ different ransomware types as part of their operations.

The relationship between 8Base, Phobos, and RansomHouse remains unclear, and further investigation is required to determine their connections. However, the striking similarities between 8Base and RansomHouse, combined with their shared use of Phobos ransomware, are noteworthy. As of now, 8Base remains a prominent ransomware group and continues to be active as we write this article.
