A ransomware gang named 8Base was the second most active group in June 2023, claiming roughly 30 victims, VMware reports.
Active since March 2022 and mainly focused on small businesses, the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom.
To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate.
While analyzing the group’s activity, VMware identified a resemblance with another relatively unknown ransomware gang, RansomHouse, which is known for purchasing leaked data and then extorting companies for money.
According to VMware, similarities were found in communication style and ransom note, with the leak sites of the groups using nearly identical language, albeit different visuals. The main difference between the two groups is the fact that, while RansomHouse is openly recruiting for partners, 8Base is not.
“Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison,” VMware notes.
Like RansomHouse, VMware discovered, 8Base appears to be using multiple ransomware variants, with one family common to both, namely Phobos. In fact, 8Base was seen using ransom notes that match both RansomHouse and Phobos.
Phobos operates under the ransomware-as-a-service (RaaS) business model, and 8Base might have adopted it this way, customizing the malware to append the ‘.8base’ extension to the encrypted files.
According to VMware, which provides indicators of compromise associated with the gang’s activity, it is possible that 8Base has used different types of ransomware as part of their normal operation.
“Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos ransomware. At present, 8Base remains one of the top active ransomware groups this summer (2023),” VMware concludes.