Ransomware attacks from the 8Base group claimed the second largest number of victims over the past 30 days, says VMware.
A ransomware group that likes to shame organizations into paying the ransom has shown a surge in activity, according to a Wednesday blog post from VMware. Known as 8Base, the group has been active since March 2022 but has recently captured the second-highest number of victims among known ransomware gangs.
Jump to:
Analyzing ransomware attacks in June 2023, VMware found 8Base hit almost 80 victims over the past 30 days (Figure A), second only to the LockBit 3 gang, which compromised almost 100 organizations. Other ransomware groups with heavy activity over this period included ALPHV (BlackCat) with almost 40 victims, BianLian with more than 30 victims and Nokoyawa with more than 25 victims.
Figure A
Targeting sectors like business services, finance, manufacturing and IT, 8Base is known for using “name-and-shame” double-extortion tactics in which the group threatens to publish the encrypted files unless the ransom is paid. The idea is to embarrass the victim by exposing private or confidential information that could damage their brand or reputation.
Despite the surge in ransomware attacks staged by 8Base, details about the group’s identity, methods and motivations largely remain a mystery, according to VMware. However, based on its leak site and public accounts, along with the group’s communications, its verbal style is quite similar to that of RansomHouse, a group that typically purchases already compromised data or works with data leak sites to extort victims.
Analyzing ransom notes from both 8Base and RansomHouse, VMware discovered a 99% match in the verbiage. 8Base’s welcome page, Terms of Service page and FAQ page are all directly copied word for word from RansomHouse. One difference in the communications is that RansomHouse openly seeks out other criminal groups for partnerships, while 8Base does not.
Another common thread between the two groups lies in the choice of ransomware. Both 8Base and RansomHouse use a variety of different ransomware strains, including a variant known as Phobos. Ultimately, the similarities trigger questions about whether 8Base is simply an offshoot of RansomHouse.
“Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware either as earlier variants or as part of their normal operating procedures,” VMware said in its blog post. “What we do know is that this group is highly active and targets smaller businesses.”
On its leak site, 8Base describes itself as “simple pen testers.” The site offers instructions to victims with sections for Frequently Asked Questions and Rules, along with multiple ways to contact the group. 8Base also has an official channel on the messaging service Telegram and an account on Twitter (Figure B).
Figure B
“From a ransomware detection perspective, the goal is to help organizations detect ransomware early, minimize the damage caused by an attack and recover from the attack as quickly as possible,” according to VMware’s Threat Analysis Unit.
Toward that end, an effective ransomware detection and recovery strategy includes the following three components: