8base

Threat Actor updated 7 months ago (2024-05-04T20:25:17.915Z)

Download STIX

Preview STIX

8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base operators were responsible for 15% of all recorded ransomware attacks, largely targeting the industrial sector using a double extortion technique that involves both stealing and encrypting victims' data. The group operates similarly to previous Phobos campaigns, utilizing the same format for the appended portion of their ransomware, which includes an ID section, an email address, and a file extension. The group, tracked as 8base, claimed the second-most active position behind LockBit 3.0, amassing a total of 67 victims. According to a report by NCC Group, the data used in the Threat Pulse is based on the date of victim discovery, not the date of initial publication or data breach. Despite this, May's numbers this year are still 56% higher than those in May 2022 and a slight 5% higher than April 2023, even when excluding the 8base attacks. Looking forward, the cybersecurity landscape in 2024 is expected to become more challenging with both old-guard groups and newcomers like Akira, Play, and 8base projected to play dominant roles. Specifically, 8base has already attacked 281 organizations, distinguishing itself as a data-extortion cybercrime group rather than solely a ransomware operation. Their modus operandi involves swiftly encrypting local drives and shares using AES256 in CBC mode. Interestingly, despite the severity of the 8base ransomware attack, targeted organizations' websites remain fully functional, showing no visible signs of abnormalities.

Description last updated: 2024-05-04T18:46:50.308Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Phobos is a possible alias for 8base. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Encryption

Malware

Data Leak

Extortion

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Smokeloader Malware is associated with 8base. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct	Unspecified	3
The malware Conti, Lockbit is associated with 8base.	Unspecified	2
The Lockbit Malware is associated with 8base. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with 8base. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB	Unspecified	2

Source Document References

Information about the 8base Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	Ransomware attacks reach record high in 2023, Cyberint report reveals
CERT-EU	a year ago	8BASE Ransomware Attack Hits American, Canadian Companies \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Phobos Ransomware Is Now Deployed by the 8Base Group
Securityaffairs	a year ago	8Base ransomware operators use a variant of Phobos ransomware
CERT-EU	a year ago	8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader
CERT-EU	a year ago	Who’s Behind the 8Base Ransomware Website?
CERT-EU	a year ago	Who’s Behind the 8Base Ransomware Website? – Krebs on Security \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Who’s Behind the 8Base Ransomware Website? – GIXtools
Krebs on Security	a year ago	Who’s Behind the 8Base Ransomware Website?
CERT-EU	a year ago	8base ransomware group significantly boosts activity level – Global Security Mag Online
CERT-EU	a year ago	Akira Ransomware, 8Base Ransomware, and more: Hacker’s Playbook Threat Coverage Round-up: August 22, 2023
CERT-EU	a year ago	Week in review: 5 free online cybersecurity courses, 8Base ransomware group leaks data \| IT Security News
CERT-EU	a year ago	8Base Ransomware: Researchers Raise Concerns Over its Increased Activities \| IT Security News
CERT-EU	a year ago	The Good, the Bad and the Ugly in Cybersecurity - Week 26 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	8Base Ransomware Group Emerges as Major Threat
CERT-EU	a year ago	Heavy-Hitting 8Base Ransomware Attacking Industries in Various Sectors
CERT-EU	a year ago	Introducing 8Base, the new, highly active ransomware kid on the block \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
BankInfoSecurity	a year ago	New Ransomware Actor 8Base Rivals LockBit in Extortion
CERT-EU	a year ago	8Base Ransomware Attacks Show Spike in Activity \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	New ransomware group starts to wreak havoc \| #ransomware \| #cybercrime \| National Cyber Security Consulting