Connect with us

Hi, what are you looking for?



Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang

The 8Base ransomware gang has hit roughly 30 small businesses over the past month, reaching a total of approximately 80 victims since March 2022.

A ransomware gang named 8Base was the second most active group in June 2023, claiming roughly 30 victims, VMware reports.

Active since March 2022 and mainly focused on small businesses, the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom.

To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate.

While analyzing the group’s activity, VMware identified a resemblance with another relatively unknown ransomware gang, RansomHouse, which is known for purchasing leaked data and then extorting companies for money.

According to VMware, similarities were found in communication style and ransom note, with the leak sites of the groups using nearly identical language, albeit different visuals. The main difference between the two groups is the fact that, while RansomHouse is openly recruiting for partners, 8Base is not.

“Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison,” VMware notes.

Like RansomHouse, VMware discovered, 8Base appears to be using multiple ransomware variants, with one family common to both, namely Phobos. In fact, 8Base was seen using ransom notes that match both RansomHouse and Phobos.

Advertisement. Scroll to continue reading.

Phobos operates under the ransomware-as-a-service (RaaS) business model, and 8Base might have adopted it this way, customizing the malware to append the ‘.8base’ extension to the encrypted files.

According to VMware, which provides indicators of compromise associated with the gang’s activity, it is possible that 8Base has used different types of ransomware as part of their normal operation.

“Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos ransomware. At present, 8Base remains one of the top active ransomware groups this summer (2023),” VMware concludes.

Related: Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack

Related: Ransomware Gang Takes Credit for February Reddit Hack

Related: A Russian Ransomware Gang Breaches the Energy Department and Other Federal Agencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.