8base

Threat Actor updated 4 months ago (2024-05-04T20:25:17.915Z)
8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base operators were responsible for 15% of all recorded ransomware attacks, largely targeting the industrial sector using a double extortion technique that involves both stealing and encrypting victims' data. The group operates similarly to previous Phobos campaigns, utilizing the same format for the appended portion of their ransomware, which includes an ID section, an email address, and a file extension.

The group, tracked as 8base, claimed the second-most active position behind LockBit 3.0, amassing a total of 67 victims. According to a report by NCC Group, the data used in the Threat Pulse is based on the date of victim discovery, not the date of initial publication or data breach. Despite this, May's numbers this year are still 56% higher than those in May 2022 and a slight 5% higher than April 2023, even when excluding the 8base attacks.

Looking forward, the cybersecurity landscape in 2024 is expected to become more challenging with both old-guard groups and newcomers like Akira, Play, and 8base projected to play dominant roles. Specifically, 8base has already attacked 281 organizations, distinguishing itself as a data-extortion cybercrime group rather than solely a ransomware operation. Their modus operandi involves swiftly encrypting local drives and shares using AES256 in CBC mode. Interestingly, despite the severity of the 8base ransomware attack, targeted organizations' websites remain fully functional, showing no visible signs of abnormalities.
Description last updated: 2024-05-04T18:46:50.308Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Phobos (Votes: 3): Phobos is a type of malware, specifically ransomware, that infiltrates computer systems with the intent to disrupt operations, steal personal information, or hold data hostage for ransom. The malicious software can infect devices through suspicious downloads, emails, or websites, often without the u
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Malware
Data Leak
Telegram
Extortion
Associated Malware
Smokeloader (Type: Unspecified, Votes: 3): Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
Conti, Lockbit (Type: Unspecified, Votes: 2): None
Lockbit (Type: Unspecified, Votes: 2): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Associated Threat Actors
Alphv (Type: Unspecified, Votes: 2): Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Source Document References
Information about the 8base Threat Actor was read from the documents corpus below. This display is limited to 20 results.
CERT-EU (8 months ago): Ransomware attacks reach record high in 2023, Cyberint report reveals
CERT-EU (9 months ago): 8BASE Ransomware Attack Hits American, Canadian Companies | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (10 months ago): Phobos Ransomware Is Now Deployed by the 8Base Group
Securityaffairs (10 months ago): 8Base ransomware operators use a variant of Phobos ransomware
CERT-EU (10 months ago): 8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader
CERT-EU (a year ago): Who’s Behind the 8Base Ransomware Website?
CERT-EU (a year ago): Who’s Behind the 8Base Ransomware Website? – Krebs on Security | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): Who’s Behind the 8Base Ransomware Website? – GIXtools
Krebs on Security (a year ago): Who’s Behind the 8Base Ransomware Website?
CERT-EU (a year ago): 8base ransomware group significantly boosts activity level – Global Security Mag Online
CERT-EU (a year ago): Akira Ransomware, 8Base Ransomware, and more: Hacker’s Playbook Threat Coverage Round-up: August 22, 2023
CERT-EU (a year ago): Week in review: 5 free online cybersecurity courses, 8Base ransomware group leaks data | IT Security News
CERT-EU (a year ago): 8Base Ransomware: Researchers Raise Concerns Over its Increased Activities | IT Security News
CERT-EU (a year ago): The Good, the Bad and the Ugly in Cybersecurity - Week 26 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): 8Base Ransomware Group Emerges as Major Threat
CERT-EU (a year ago): Heavy-Hitting 8Base Ransomware Attacking Industries in Various Sectors
CERT-EU (a year ago): Introducing 8Base, the new, highly active ransomware kid on the block | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity (a year ago): New Ransomware Actor 8Base Rivals LockBit in Extortion
CERT-EU (a year ago): 8Base Ransomware Attacks Show Spike in Activity | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): New ransomware group starts to wreak havoc | #ransomware | #cybercrime | National Cyber Security Consulting