8Base: A New Ransomware Threat in Cyberspace
The attackers call themselves “honest pentesters” and claim that the prices for their “services” are very favourable.
In June of this year, a new wave of cyber attacks organized by the criminal group 8Base swept the world. The hackers use a double extortion method: they infect victims’ computers with ransomware that encrypts their data and blocks access to it, then demand a ransom for restoring it. If the victim refuses to pay, the hackers threaten to publish the stolen information on their dark web leak site.
The 8Base group appeared in March 2022, but until June 2023 it carried out only a few minor attacks. This summer, however, its activity increased dramatically, and it began attacking many companies across various industries. So far, 8Base has announced 35 victims on its site, sometimes announcing up to six new victims in a single day.
The hackers describe themselves as “honest and simple pentesters” and offer companies “the most loyal conditions” for the return of their data.
RansomHouse is a ransomware group that claims not to carry out encryption attacks itself, but only to cooperate with other ransomware operations to sell their data. VMware suspects that 8Base is a fork of RansomHouse. This conclusion was drawn from the identical ransom notes used by both groups, as well as the very similar style and content of the text on their respective data leak sites, where even the FAQ pages appear to be copied.
Identical FAQ pages (RansomHouse on the left, 8Base on the right)
However, there is no reliable confirmation of the connection between 8Base and RansomHouse. It is not uncommon for cybercriminal gangs to simply copy ransom notes, software, methods, and tactics from other gangs so as not to waste time creating everything from scratch.
8Base attacks use a modified version of the Phobos v2.9.1 ransomware, which is delivered via SmokeLoader. Phobos is ransomware targeting Windows that first spread widely in 2019; its code also bears many similarities to that of another ransomware family, Dharma.
During an attack, the ransomware launched by 8Base operators appends the extension “.8base”, matching the group’s name, to every encrypted file. Ransomware expert Michael Gillespie reported that Phobos ransomware has also used a similar “.eight” extension for encrypted files. In addition, both Phobos and 8Base use the same email address for contacting the attackers, “helpermail@onionmail[.]org”, which further suggests a connection between the two operations.
Another notable finding by VMware analysts is that 8Base uses the domain “admlogs25[.]xyz” to host a payload associated with SystemBC, a malware proxy used by several ransomware groups to obfuscate their C2 infrastructure.
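The two artefacts named above, the “.8base” file extension and the contact address, plus the SystemBC hosting domain, are enough for a first-pass triage. The following script is an added example, not code from the article or from VMware: it scans a file listing for the extension and scans text lines (a ransom note, DNS or proxy logs) for the two indicators, which are stored defanged exactly as the article prints them. All sample paths and log lines below are constructed for illustration.

```python
"""Triage helper for the 8Base artefacts described in the article."""
import re
from pathlib import PurePosixPath

ENCRYPTED_EXT = ".8base"  # extension appended to encrypted files
# Indicators quoted in the article, kept defanged ([.]) so the script
# itself never contains a live address; refang() restores them for matching.
DEFANGED_IOCS = ["helpermail@onionmail[.]org", "admlogs25[.]xyz"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".")


def encrypted_files(paths):
    """Return the paths whose final suffix is the 8Base extension."""
    return [p for p in paths if PurePosixPath(p).suffix.lower() == ENCRYPTED_EXT]


def ioc_hits(lines):
    """Return (line_number, defanged_indicator) for each line that contains
    one of the article's indicators, case-insensitively."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ioc in DEFANGED_IOCS:
            if re.search(re.escape(refang(ioc)), line, re.IGNORECASE):
                hits.append((number, ioc))
    return hits


# Constructed sample input (not real victim data).
SAMPLE_PATHS = [
    "/srv/share/Q2-report.xlsx.8base",
    "/srv/share/readme.txt",
    "/home/user/photo.jpg.8base",
]
SAMPLE_LINES = [
    "All your files have been encrypted. Write to HelperMail@onionmail.org",
    "2023-06-20T10:01:02Z dns client=10.0.0.5 query=admlogs25.xyz type=A",
    "2023-06-20T10:01:03Z dns client=10.0.0.5 query=update.example.com type=A",
]


def triage(paths=SAMPLE_PATHS, lines=SAMPLE_LINES):
    """Return a dict summarising encrypted files and indicator hits."""
    return {"encrypted": encrypted_files(paths), "ioc_hits": ioc_hits(lines)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```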
Taken together, these findings show that 8Base operators have been carrying out encryption attacks for at least a year, but only recently gained attention after launching their data leak site and sharply increasing their activity.
8Base is just beginning to get the attention of analysts, so many aspects of their technical nature remain unknown or unclear. The VMware report also contains indicators of compromise (IoC) that other cybersecurity professionals can use to protect their systems.