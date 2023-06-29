A massive spike in ransomware activity in May and June 2023 has been attributed to a relatively unknown ransomware group called 8Base.

“Although the 8Base Ransom Group is not necessarily a new group, their spike in activity recently has not gone unnoticed. Even within the past 30 days, it is within the top 2 performing ransom groups,” VMware said in a report. “Not much was known publicly about the kind of ransomware used by 8Base other than the ransom note and that it appends encrypted files with the extension ‘.8base’.”

The group pairs encryption with “name-and-shame” tactics, publishing stolen data on a leak site to pressure victims into paying. 8Base follows an opportunistic pattern of compromise, with recent victims spanning a wide range of industries, VMware said.

8Base is a ransomware group that has been active since March 2022. The group describes itself as “simple pen testers.” Its leak site presents victim details alongside Frequently Asked Questions and Rules sections, as well as multiple ways to contact the group.

The group has been linked to 67 attacks as of May 2023, with about half of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the US and Brazil, according to statistics gathered by Malwarebytes and NCC Group.

Similarities with RansomHouse

While reviewing 8Base, the researchers noticed significant similarities between the 8Base group and another group called RansomHouse.

“It is up for debate whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money,” VMware said in its report.

Comparing the ransom notes of the two groups, the researchers found a 99% match in language. The text of the two groups’ leak sites was also identical.

“The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page,” VMware said.

The only two major differences between the groups were that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base does not.

“Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat,” VMware said, adding that RansomHouse is known for using a wide variety of ransomware available on dark markets and has no signature ransomware of its own to serve as a basis for comparison. “Interestingly, while researching 8Base we weren’t able to find a single ransomware variant either,” VMware said.

Similarities with Phobos Ransomware

While searching for a sample of the ransomware used by the 8Base Ransom Group, researchers recovered a Phobos sample that used the “.8base” file extension on encrypted files. “A comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader,” VMware said.

Phobos ransomware is sold as ransomware-as-a-service, so other threat actors can customize parts of it to their needs, as seen in the 8Base ransom note.

“Although their ransom notes were similar, key differences included Jabber instructions and ‘Phobos’ in the top and bottom corners of the Phobos ransomware while 8Base has ‘cartilage’ in the top corner, a purple background, and no Jabber instructions,” VMware said.

VMware warns that 8Base is a highly active group that targets small businesses. “Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware — either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses,” VMware said.
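The one file-level indicator the article gives is the “.8base” extension appended to encrypted files. The script below, added here as an example and not taken from VMware's report or the article, turns that indicator into a quick triage sweep and adds a byte-entropy measurement so that a file which merely carries the extension (a decoy, or a file renamed before encryption completed) is not mistaken for a genuinely encrypted one. The entropy threshold, the directory layout and the sample files are assumptions constructed for the demo; only the extension comes from the page.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator taken from the article: 8Base's Phobos build appends ".8base" to
# encrypted files. Everything else here (threshold, directory layout, sample
# files) is an assumption made for this example.
ENCRYPTED_EXTENSION = ".8base"
ENTROPY_THRESHOLD = 7.0   # assumed: bits per byte above which content looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sweep(root: str, sample_size: int = 4096) -> list[dict]:
    """Walk `root` and return one record per file carrying the 8Base extension.

    Each record notes whether the first `sample_size` bytes look encrypted
    (high entropy), so a renamed-but-plaintext file is reported separately
    from a successfully encrypted one.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ENCRYPTED_EXTENSION:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_size)
        ent = shannon_entropy(head)
        hits.append({
            "path": str(path),
            "entropy": round(ent, 2),
            "looks_encrypted": ent >= ENTROPY_THRESHOLD,
        })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root: str) -> None:
    """Create constructed sample files (not real victim data) for a demo run."""
    base = Path(root)
    base.mkdir(parents=True, exist_ok=True)
    # encrypted-looking: random bytes carrying the 8Base extension
    (base / "report.docx.8base").write_bytes(os.urandom(8192))
    # extension present but the content is plaintext: a decoy / false positive
    (base / "notes.txt.8base").write_bytes(b"lorem ipsum " * 400)
    # untouched file: must not be reported at all
    (base / "budget.xlsx").write_bytes(b"\x00" * 1024)


def demo() -> list[dict]:
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for hit in demo():
        flag = "ENCRYPTED" if hit["looks_encrypted"] else "plaintext?"
        print(f"{flag:10} entropy={hit['entropy']:.2f} {hit['path']}")
```

Point `sweep()` at a suspect share or home directory during triage; the entropy column is what tells a responder whether encryption actually ran on a given file, which matters when deciding what can be restored from the file itself versus from backup.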