With threat actor groups like Blackcat (ALPHV) taking the spotlight, other groups can fly under the radar doing their dastardly deeds. Such is the case with 8Base, a relatively unheard-of ransomware gang that is making waves as one of the most active ransomware groups this summer.
First cropping up in March of 2022, 8Base describes itself as “simple pen testers” targeting various industries. The group’s website is home to what amounts to a bulletin board of organizations that have been ‘pwned’, along with numerous contact methods, in what is called the “name-and-shame” method of making victims pay the ransom the group demands.
Researchers at VMware note, however, that this does not seem to be a brand-new group but a continuation of a “well-established mature organization.” Namely, the researchers draw remarkable similarities between 8Base and RansomHouse. We encountered RansomHouse back in 2022 when they claimed to have exfiltrated 450GB of data from AMD and were ransoming it. Like VMware’s comparison, we took a screenshot of the group’s website, which you can see below, to compare it to 8Base’s site above.
Setting aside the similarities in descriptions, the two groups have effectively the same ransom notes and terms of service, and both refrain from using any single variant of malware. On this last point, though, the researchers potentially stumbled upon an earlier version of 8Base’s ransomware and ransom note that was actually Phobos ransomware with SmokeLoader under the hood. Of course, Phobos is sold as ransomware-as-a-service (RaaS), so seeing this early in the group’s existence is not much of a surprise, nor is it an indicator of the group’s affiliations.
Regardless of whether they are the same group, the ransomware market is still going strong even if it is not hitting mainstream media as regularly anymore. Given this, organizations cannot let their guard down. As the Cybersecurity and Infrastructure Security Agency (CISA) says, shields up!