In the ever-changing cybersecurity arena, 8Base ransomware is emerging as a formidable threat. Active since 2022, this group saw a peak in activity in 2023, placing itself alongside such notorious names as Cl0p and Lockbit. 8Base has evolved rapidly, distinguishing itself by its targeted attacks and skilful exploitation of digital vulnerabilities. But what makes 8Base unique in the world of cyberthreats? This group uses advanced encryption techniques and data exfiltration strategies, placing organizations under immense pressure to pay cryptocurrency ransoms. As ransomware attacks become increasingly sophisticated, understanding groups like 8Base is crucial to strengthening our defenses and protecting our digital assets.
Background and emergence of 8Base
The emergence and impact of 8Base ransomware is significant in the cybersecurity landscape. First appearing in 2022, 8Base rapidly gained notoriety in 2023, adopting a multi-extortion model including a TOR-based victim site. Although bearing superficial similarities to other ransomware families such as Phobos, RansomHouse and Hive, 8Base stands out for its targeted attack methods, aimed at a variety of industries including finance, manufacturing, information technology and healthcare. Unlike other ransomware groups, 8Base has opted for a more discreet approach, primarily targeting small and medium-sized enterprises (SMEs) in a variety of sectors. The majority of its victims are in the USA (36%), Brazil (15%) and the UK (10%). However, as our November and December 2023 reports show, 8Base has been particularly active in France, ranking among the dominant ransomware threats alongside LockBit 3.0.
Since its appearance, 8Base has distinguished itself by its double extortion tactics, threatening to publish stolen files if the ransom is not paid, a strategy that has rapidly increased its notoriety in the cyberthreat world. This approach adds further pressure on victims. Faced with this rise, responses from authorities and cybersecurity experts have intensified, seeking to counter 8Base’s growing influence in the cyberthreat arena. In May 2023, 8Base published data from 67 victims, underlining its rapid rise and significant impact in the ransomware landscape.
Vulnerability of SMEs to 8Base
The 8Base ransomware group distinguishes itself by specifically targeting small and medium-sized organizations, less likely to have robust security measures in place. “In general, small and medium-sized organizations find it harder to allocate security budgets and suffer from cybersecurity shortages, which is a dangerous cocktail when a ransomware group like 8Base targets them,” says Anish Bogati, security research engineer at Logpoint. “Small and medium-sized organizations, in particular, should familiarize themselves with 8Base and, more importantly, strengthen their security measures to defend against it. Understanding the adversary is the key to developing better defense strategies.” This focus on SMEs underlines the importance of these organizations taking proactive steps to improve their cybersecurity and guard against ransomware attacks. For more detailed information, please find the link to Logpoint’s full report at the end of this article.

The 8Base ransomware group’s activity since May 2023 places it among the five most active groups, as shown by the ransomware.live statistics highlighted by Logpoint in this diagram.
8Base ransomware attack tactics and methods
Active since April 2022, 8Base has rapidly gained notoriety thanks to its aggressive tactics and the significant number of victims it has claimed. The group uses advanced social engineering techniques to infiltrate victims’ networks. Targeted phishing attacks and exploit kits are their main entry vectors, often exploiting unpatched vulnerabilities in commonly used software.
“Name and shame” strategy employed by 8Base
A distinctive feature of 8Base’s operations is their use of “name and shame” tactics. This method involves publicly publishing the names of victims who fail to comply with ransom demands, thereby increasing the pressure and urgency for targeted companies to respond. By revealing the names of affected organizations on their TOR-based site and other platforms, 8Base seeks not only to embarrass victims, but also to pressure them into paying the ransom to avoid reputational damage. This double extortion strategy, combining data encryption with the threat of public disclosure, has proven effective for 8Base, increasing their notoriety and their success in extracting ransoms.

Comparison with RansomHouse
According to a VMware study, 8Base’s operations show striking similarities to those of RansomHouse, raising questions about their nature: are they separate groups or coordinated data exfiltration operations? Security analyses revealed an almost perfect match (99%) between 8Base and RansomHouse ransom notes, as well as a similarity in the language used on their sites, notably in the home sections, terms of use and FAQs.
Use of Phobos ransomware
It’s not clear whether 8Base is an extension of RansomHouse or a simple imitator. RansomHouse uses various ransomware strains available on the black market, and a sample associated with 8Base corresponds to version 2.9.1 of Phobos, a ransomware available as a service (RaaS). In addition, 8Base uses a customized version of the Phobos ransomware, distributed mainly via SmokeLoader, a backdoor Trojan. This method enables 8Base to embed the ransomware component in its encrypted payloads, which are then decrypted and executed in the memory of the SmokeLoader process, as described in detail in the Cisco Talos article dedicated to it. Once inside the victim’s network, 8Base’s Phobos-based ransomware immediately encrypts data, affecting all local drives and network share volumes. This fast, stealthy attack method makes 8Base particularly dangerous, capable of causing widespread damage before victims detect the intrusion.

While initial access methods vary, the use of initial access brokers (IABs) has been observed. Once inside the victim’s network, 8Base quickly and efficiently encrypts data using a strong encryption algorithm, AES-256 in CBC mode, to lock files. This encryption method renders data inaccessible without the unique key provided by the attackers after payment of the ransom. Encrypted files receive the “.8base” extension, sometimes accompanied by the victim’s ID and the attacker’s e-mail address. 8Base has demonstrated its ability to bypass traditional security measures, using techniques such as disabling antivirus solutions, deleting volume shadow copies (VSS) to prevent data recovery, and modifying local firewall rules to remain undetected for as long as possible. They also use full encryption for files under 1.5 MB and partial encryption for larger files. The 8Base artifact incorporates a configuration with over 70 encrypted options, offering additional features such as bypassing user account control (UAC) and reporting a victim’s infection to an external URL.
8Base ransomware communication and PR strategies
The 8Base TOR site operates in a professional manner, with sections for victim announcements, FAQs and rules, as well as means of contact. The group also maintains an official channel on Telegram and had an X (Twitter) account, demonstrating sophisticated communication and PR strategies.
Detection and prevention
In terms of detection, it is necessary to use security tools capable of detecting and blocking known ransomware variants. Monitoring network traffic for indicators of compromise, as well as regular security audits, are also essential to identify vulnerabilities and ensure that security controls are working properly.
The ToyotaLift Northeast attack claimed by 8Base: a case study in cybersecurity
As part of its aggressive tactics, 8Base recently targeted ToyotaLift Northeast, an authorized Toyota forklift dealer. According to The Cyber Express, the group claimed to have data from ToyotaLift Northeast’s website, publicly announcing the failure of negotiations and the deadline for payment of the ransom. Although the attack on ToyotaLift Northeast has not been confirmed by the company, 8Base has claimed possession of the company’s sensitive data, including personal correspondence and financial information. This attack illustrates 8Base’s method of targeting specific companies, negotiating ransoms and threatening to disclose sensitive data if their demands are not met, a tactic known as “double extortion”.
Defense strategies against 8Base ransomware
As with all other ransomware, to effectively counter the 8Base ransomware, a multi-layered approach is essential. Companies need to adopt technical and operational measures to detect and mitigate attacks. Here are some key strategies:
- Use of anti-malware software: Security tools capable of detecting and blocking known ransomware variants are essential. These tools can use signatures, heuristics or machine learning algorithms to identify and block suspicious files or activities.
- Network traffic monitoring: It is crucial to monitor network traffic for indicators of compromise, such as unusual traffic patterns or communications with known command and control servers.
- Regular security audits: Security audits and assessments help identify network and system vulnerabilities, and ensure that all security controls are in place and operating correctly. This includes network scans to detect security vulnerabilities, assessments of current security policies and penetration tests to simulate attacks and identify weak points.
- Employee training and awareness: Educate employees on cybersecurity best practices, including identifying and reporting suspicious e-mails or other threats. Regular training sessions and attack simulations can help maintain a culture of security within the organization.
- Robust backup and recovery plan: Implement a backup and recovery plan to ensure that the organization has a copy of its data and can restore it in the event of an attack.
In addition, enabling multi-factor authentication, using strong, unique passwords, regularly updating and patching systems, and disabling unnecessary or unused services or protocols are further measures to strengthen security against ransomware attacks like 8Base.
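The attack-methods section above lists host-level behaviours attributed to 8Base (shadow-copy deletion, firewall tampering, antivirus disabling) and a filename indicator (the “.8base” extension, sometimes with a victim ID and contact e-mail), and the defense list asks for monitoring that catches such indicators. The following script is an added example of defender-side triage logic, not code from the original article or from Logpoint, VMware or Cisco Talos. Its sample log lines and file paths are constructed; the specific commands it matches are generic Windows administration commands chosen for illustration, and the bracketed `id[...]`/`[email]` layout of the filename is an assumption based on the Phobos family rather than something the article states.

```python
"""
Defender-side triage helpers for the 8Base / Phobos behaviours described above.

Added example, not the article's or any vendor's code. Assumptions: the exact
commands matched below are generic Windows examples of the behaviours the
article names, and the encrypted-filename layout follows the Phobos convention
`name.ext.id[<id>].[<email>].8base` (the article only says the ID and e-mail
"sometimes" accompany the .8base extension).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Behaviour rules: each maps a rule name to a regex over a process-creation
# command line. Commands are generic examples of the behaviours in the text.
BEHAVIOUR_RULES = [
    ("vss_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("firewall_tamper", re.compile(r"netsh(\.exe)?\s+(advfirewall|firewall)\s+set", re.I)),
    ("av_disable", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


@dataclass
class Alert:
    rule: str
    line: str


def scan_process_events(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per log line whose command line matches a behaviour rule."""
    alerts: List[Alert] = []
    for line in lines:
        for name, rx in BEHAVIOUR_RULES:
            if rx.search(line):
                alerts.append(Alert(name, line.strip()))
                break  # one alert per line is enough for triage
    return alerts


# Filename indicator: '.8base' suffix, optionally preceded by a victim id and a
# contact e-mail. The bracketed layout is an assumption (Phobos convention).
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id\[(?P<victim_id>[^\]]+)\])?"
    r"(?:\.\[(?P<email>[^\]]+)\])?"
    r"\.8base$",
    re.I,
)


@dataclass
class EncryptedFile:
    path: str
    original: str          # filename as it was before encryption
    victim_id: Optional[str]
    email: Optional[str]


def find_encrypted_files(paths: Iterable[str]) -> List[EncryptedFile]:
    """Pick out paths carrying the .8base extension and parse the name parts."""
    hits: List[EncryptedFile] = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        m = ENCRYPTED_NAME.match(name)
        if m:
            hits.append(EncryptedFile(p, m.group("original"),
                                      m.group("victim_id"), m.group("email")))
    return hits


# Constructed sample telemetry (not real logs): a process-creation feed and a
# file listing from a share, as a file-integrity or EDR tool might supply.
SAMPLE_EVENTS = [
    "2024-01-10T09:12:01 host01 ProcessCreate cmd.exe /c vssadmin delete shadows /all /quiet",
    "2024-01-10T09:12:02 host01 ProcessCreate netsh advfirewall set currentprofile state off",
    "2024-01-10T09:12:03 host01 ProcessCreate powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-01-10T09:15:44 host01 ProcessCreate explorer.exe",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id[ABCD1234-3456].[contact@example.invalid].8base",
    r"C:\Shares\finance\budget.xlsx.8base",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for a in scan_process_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.line}")
    for f in find_encrypted_files(SAMPLE_PATHS):
        print(f"encrypted: {f.path} (original={f.original}, id={f.victim_id}, email={f.email})")
```

The behaviour rules matter more than the filename check: because 8Base encrypts quickly and deletes shadow copies before recovery is attempted, an alert on the `vss_deletion` or `firewall_tamper` rule is the point at which isolating the host still limits damage, whereas `.8base` files on a share mean encryption has already run and the backup and recovery plan is what remains.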
The emergence of 8Base in the ransomware ecosystem underlines an inescapable reality: cybersecurity is not an option, but a necessity. Faced with increasingly innovative adversaries, organizations must adopt a proactive posture, combining vigilance and preparation. An in-depth understanding of the methods employed by entities such as 8Base is not just a preventive measure, but a strategic investment in a company’s long-term future. In this context, building robust defenses and ongoing awareness become fundamental pillars for confidently navigating an ever-changing digital landscape.
To find out more about 8Base
For those wishing to deepen their understanding of 8Base, a detailed article on Krebs on Security offers a fascinating perspective. The article reveals that 8Base’s “victim shaming” site, operating on the darknet, has accidentally leaked sensitive information. The leaks suggest that the site’s code was written by a 36-year-old programmer living in Chisinau, Moldova. The 8Base site, accessible only via Tor, lists hundreds of victim organizations, claiming that they have refused to pay a ransom to prevent the publication of their stolen data. The article offers a detailed look at how 8Base operates and manages its communications with victims, as well as clues to the identity of the people behind this ransomware group.
Logpoint report on 8Base: To deepen our understanding of 8Base, Logpoint’s report offers a detailed analysis of this ransomware group. It highlights the tactics, techniques and procedures (TTPs) used by 8Base, as well as recommendations for strengthening defense against their attacks.