8Base is a ransomware group that is reported to have originated from RansomHouse. It focuses on encrypting data and publicly shaming organisations through double-extortion ransomware campaigns, threatening to leak stolen data in order to coerce victims into paying the ransom. The similarities with RansomHouse mean there is a realistic possibility of a subsidiary connection.
The group has targeted a wide range of industries, including hospitality, law, healthcare, manufacturing, finance and information technology, with victims located in various countries such as Spain, Italy, the United States, Brazil, Canada, India, France, and the United Kingdom. Although the group has targeted a wide range of industries, the most targeted as of the time of writing has been business services with 17 attacks.
The 8Base ransomware group utilises the 8Base ransomware, SmokeLoader and Phobos. Further, the group operates within the context of the Ransomware-as-a-Service (RaaS) model.
Threat Actor Motivations
The 8Base ransomware group has stated on their site that they are “simple pen testers” and focus on targeting organisations that are deemed to be lacking in security maturity as they have “considered their financial gain to be above the interest of their partners / individuals”.
The following table contains details regarding recent examples of significant 8Base ransomware operations:

| Date | Victim | Assessed motivation |
|---|---|---|
| July 2023 | Kansas Medical Center | Highly Likely Financial |
| August 2023 | Alberta Dental Service Corp | Highly Likely Financial |
| August 2023 | Oregon Sports Medicine | Highly Likely Financial |
- 8Base Ransomware: 8Base is likely related to the Phobos ransomware group, as the two share code similarities and use similar file extensions. The malware has been active since at least May 2023. The ransomware strain is loaded via SmokeLoader and appends the ‘.8base’ file extension to encrypted documents.
- SmokeLoader: A notorious and highly configurable loader malware that has been active since 2011. Its main objective is to download or load stealthier and more effective malware onto infected systems. It is often distributed through phishing campaigns, malicious documents, and fake pirated software or crack sites. SmokeLoader has been observed delivering various malware families, including ransomware such as Phobos and 8Base.
- Phobos Ransomware: This ransomware variant can encrypt a system without internet access because the encryption key is hard-coded. It uses persistence methods to continue encrypting files with AES-256 and RSA-1024 after the ransom note is created, and it also disables OS processes, recovery mode and the firewall.
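The most visible host artefact described above is the ‘.8base’ extension appended to encrypted files. The following detection logic is an added example, not code from the original report: it replays constructed file-creation events and flags any host that writes a burst of ‘.8base’ files within a short window (T1486). The log line format, host names and thresholds are assumptions to be adapted to your own EDR or file-audit source.

```python
"""Flag hosts writing bursts of '.8base' files (Data Encrypted for Impact).

Added detection example; the event format and sample lines are constructed
for illustration and do not come from the original advisory.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <host> <action> <path>"
SAMPLE_EVENTS = """\
2023-08-14T02:10:01 WS-042 CREATE C:\\Users\\a\\Documents\\q3.xlsx.8base
2023-08-14T02:10:02 WS-042 CREATE C:\\Users\\a\\Documents\\budget.docx.8base
2023-08-14T02:10:02 WS-042 CREATE C:\\Users\\a\\Pictures\\img1.jpg.8base
2023-08-14T02:10:03 WS-042 CREATE C:\\Users\\a\\Pictures\\img2.jpg.8base
2023-08-14T02:10:04 WS-042 CREATE C:\\Users\\a\\Desktop\\notes.txt.8base
2023-08-14T02:10:05 WS-017 CREATE C:\\Temp\\build.log
2023-08-14T03:30:00 WS-017 CREATE C:\\Users\\b\\old.8base
"""


def parse_event(line):
    """Split one event line; maxsplit=3 keeps paths containing spaces intact."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def is_8base_artifact(path):
    """True if the written file carries the extension 8Base appends."""
    return path.lower().endswith(".8base")


def detect_encryption_bursts(log_text, threshold=5, window_seconds=60):
    """Return {host: (count, first_seen)} for hosts that create at least
    `threshold` '.8base' files inside any `window_seconds` sliding window.
    A single stray '.8base' file (e.g. a quarantined sample) is not enough."""
    recent = defaultdict(deque)  # host -> timestamps of recent .8base writes
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse_event(line)
        if action != "CREATE" or not is_8base_artifact(path):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop events that fell out of the window
        if len(window) >= threshold and host not in alerts:
            alerts[host] = (len(window), window[0].isoformat())
    return alerts


if __name__ == "__main__":
    for host, (count, first) in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT T1486 {host}: {count} '.8base' files written since {first}")
```

Tune `threshold` and `window_seconds` to the write rate of legitimate software on your fleet; a lone ‘.8base’ file on a host is still worth a triage ticket, but the burst is what separates active encryption from residue.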
Indicators of Compromise
8Base Ransomware Group Associated File Hashes (SHA-256):
8Base Ransomware Group Associated File Hashes (SHA-1):
8Base Ransomware Group Associated File Hashes (MD5):
8Base Ransomware Group Associated Domains:
MITRE ATT&CK Techniques
T1204 – User Execution
T1562.004 – Disable or Modify System Firewall
T1005 – Data from Local System
T1486 – Data Encrypted for Impact