Share this article on:
While LockBit 3.0 may still be the leading ransomware group at the moment in terms of victims, a new group has surged ahead in June to take second place.
However 8Base, the new kid apparently sticking it to the old-timers, could well be a mature, skilled group only now making its presence known.
8Base has been active since at least March 2023 (though its Twitter account dates back to September 2014), though it’s not been particularly busy. Since March, it has claimed roughly between five and 10 victims each month, but that rocketed to 30 victims in June.
The group announces its successful attacks on both its leak site, on Telegram, and on Twitter. For instance, its most recent victim is the International Society for Pharmaceutical Engineering. 8Base claims it exfiltrated invoices and receipts, personal documents, databases, emails, and a raft of personal data.
“We attacked @ISPEorg on June 28,” the group said on Twitter on 29 June. “We have received numerous data related to the main activities of the company. Date of publication 03.07.23.”
8Base has so far focused its operation on business service companies and the financial sector, but it appears more than happy to take advantage of any target of opportunity.
Like other ransomware operators, 8Base considers its members to be “simple pen testers”, and their site comes complete with terms of service and even an FAQ. However, the text of those pages is identical to that of another group — RansomHouse.
Even its ransom notes are nearly identical, leading some observers to wonder if 8Base is an offshoot of RansomHouse, or possibly a copycat operator.
The only difference is that RansomHouse is openly on the lookout for partnerships, while 8Base seems content to operate as a solo entity. Their leak sites are also quite different.
“Given the similarity between the two, we were presented with the question of whether 8Base may be an offshoot of RansomHouse or a copycat,” researchers at VMware said in a blog post. “Unfortunately, RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison.”
“Interestingly, while researching 8Base, we weren’t able to find a single ransomware variant either. We stumbled across two very different ransom notes — one that matched RansomHouse’s and one that matched Phobos’. It begged the question if 8Base, similar to RansomHouse, operates by using different ransomware as well, and if so, is 8Base just an offshoot of RansomHouse?”
What we do know about the group is it uses multiple types of ransomware, it is currently very active, and it is focusing its attention on smaller businesses.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.