Cybercrime , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

New Ransomware Actor 8Base Rivals LockBit in Extortion

Group Has Listed Nearly 40 Victims on Its Dark Web Leak Site So Far This Month
New Ransomware Actor 8Base Rivals LockBit in Extortion
Image: 8Base

The new ransomware group 8Base is fast becoming a big player in the underground market, amassing nearly 40 victims in June - second only to the notorious LockBit ransomware gang.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

The group has hit nearly 80 organizations since March 2022 and uses the double-extortion tactics of encryption and "name and shame," according to a new report from VMware.

8Base was responsible for 15% of the attacks in May, as the group began releasing data from victims breached between April 2022 and May 2023, said a report the NCC Group released last week. Ransomware attacks soared in May, hitting 436 victims. Lockbit 3.0 remained the most active threat actor in 2023 and was responsible for 78 known victims and 18% of all incidents tracked in May.

The majority of 8Base targets are in the industrial sector, the NCC Group said. VMware said business services, finance, manufacturing and IT industries are also targets. The group so far has listed 38 victims in June. It uses a data leak site, a Twitter account and a Telegram channel to publicize its victims' names.

The 8Base group's activity is similar to the less-active RansomHouse ransomware gang, which buys leaked data, partners with data leak sites and then extorts companies for money.

The language on the leak sites, the ransom note and the terms of service and FAQ pages of the two ransomware groups are eerily similar, VMware said. The two major differences between the groups are the graphical user interface and the fact that RansomHouse is openly recruiting partners and 8Base is not.

Both groups also use multiple ransomware variants in their campaigns - the Phobos family variants. Phobos operates as ransomware as a service, and 8Base possibly adopted it, adding customizations such as appending the encrypted files with the victim's ID, support@rexsdata.pro email address, and an ".8base" extension. 8Base was observed using Phobos version 2.9.1 and is loaded using SmokeLoader, VMware said.

"Given the similarity between the two, we were presented with the question of whether 8Base may be an offshoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn't have its own signature ransomware as a basis for comparison," VMware said.

Malware research site vx-underground compared 8Base's output to the "Big 3" - the Conti, LockBit and Alphv ransomware groups. It defines these as the "largest and most prolific ransomware groups" of recent times and considers 8Base to be an internal group or sub-clique of the LockBit ransomware group that decided to form its own group. Vx-underground predicts that "in the coming months they will become a big player in the ransomware scene."


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.