A relatively quiet ransomware group known as 8base has made a major push in the last few weeks, hitting organizations in a number of different industries, yet researchers are still unsure about whether the group is a distinct entity or possibly a splinter faction from an existing group.
8base has been active for more than a year and the group’s activities have been relatively low volume until this month, when activity spiked significantly. For most of the last year, the group has claimed between five and 10 victims per month, but in June 8base has claimed 30 victims so far. Like many other ransomware groups, 8base operates a leak site and a Telegram channel to publish data about new victims. Researchers at VMware’s Carbon Black TAU group have analyzed the operations of 8base and found that some of its tools and techniques are quite similar to those used by a group known as RansomHouse.
“While reviewing 8Base, we noticed there were significant similarities between this group and another group - RansomHouse. It is up for debate on whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money,” the researchers said. “The first thing we compared was the ransom notes between the two groups and found a 99% match in the linguistics.Diving deeper, we did a side-by-side comparison of their respective leak sites. Again, we found the language of the two being nearly identical.”
Though 8base and RansomHouse have some serious similarities, they also have some differences, most notably the fact that RansomHouse actively recruits partners and 8base doesn’t. The two groups also have different leak sites and neither one uses its own ransomware variant. Instead, they seem to use whatever is convenient.
“When searching for a sample of ransomware used by 8Base Ransom Group, a Phobos sample using a “.8base” file extension on encrypted files was recovered. Could this be an earlier iteration of the ransomware they would use, or is 8Base using varieties of ransomware to target their victims? Comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader. With Phobos ransomware being available as a ransomware-as-a-service (RAAS), this is not a surprise. Actors are able to customize parts to their needs as seen in the 8Base ransom note,” the VMware researchers said.
The entire point of a RaaS model is that affiliates can purchase licenses for various ransomware strains and use them as they see fit once they get access to a target network. Many associates deploy multiple ransomware variants in their operations, so this behavior is not unusual. The 8base group does add some custom touches, such as appending the .8base extension to encrypted files. But that’s stage dressing.
“Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware - either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses,” the VMware researchers said.
RaaS affiliates are opportunistic and will use whatever ransomware variants suits their needs, so enterprises should be alert for 8base and other groups.