New threat intelligence: 8Base ransomware gang ‘teaching SMBs a lesson’ - Trend Micro
April 2024 by Trend Micro
Trend Micro is releasing new threat research into 8Base, an active ransomware group that has been targeting SMBs to ‘teach them a lesson’. Europe is the second-most attacked region.
First detected in March 2022, 8Base positions itself as just “simple penetration testers” to justify its double-extortion strategy, which involves encrypting data and threatening to expose sensitive information.
The group has adopted a name-and-shame tactic, claiming that it only targets organisations that have “neglected the privacy and importance of the data of their employees and customers”. In effect, the gang presents its attacks as ‘teaching them a lesson’ while profiting from them.
More detail is available in the advisory (reproduced below) and the accompanying infographic, but some key points from Trend Micro Threat Intelligence detections are worth calling out:
• There were 224 attack attempts by 8Base in 2023, peaking in March
• While it made headlines for targeting US health organisations, the manufacturing industry was its biggest target
• 8Base targets small businesses most (230 victims, versus 55 medium-sized and 12 large organisations)
• The gang focused on North American (139) and European (109) companies; the UK was among the five most targeted countries
• 8Base primarily uses phishing for initial access
An example of an 8Base attack on a UK company is Delaney Browne Recruitment in August 2023. The group also claimed responsibility for the data security incident at the United Nations Development Programme (UNDP) in March 2024.
Lewis Duke, SecOps Risk & Threat Intelligence Lead, Trend Micro also offered the following comment:
“Further to profiting from its ransomware attacks, the relatively new 8Base ransomware gang has been quite vocal in that it wants to teach a lesson to those organisations that have “neglected the privacy and importance of the data of their employees and customers”. And unfortunately, this has resulted in a significant number of small businesses being targeted by this group, particularly in the manufacturing sector.
“Our research also reinforces the threat posed by phishing attacks as a primary infection vector, and highlights the use of common tooling across various ransomware groups. This emphasises the importance of implementing robust security practices and leveraging Indicators of Compromise (IOCs). By prioritising these measures, organisations can significantly bolster their defences against not only 8Base, but a wider range of threats.”
8Base Ransomware Spotlight
Despite positioning themselves as penetration testers, the 8Base ransomware actors profit from victims that are predominantly small businesses. In this feature, we investigate how the gang operates, to give organizations insight into protecting their systems from compromises that could result in financial loss.
First detected in March 2022, 8Base is an active ransomware group that positions itself as “simple penetration testers” to justify its double-extortion strategy, which involves encrypting data and threatening to expose sensitive information. The gang adopts a name-and-shame tactic, claiming on its leak site to target only organizations that “have neglected the privacy and importance of the data of their employees and customers”, and publishes confidential data to damage the victim’s brand and reputation.
What organizations need to know about 8Base ransomware
Despite branding itself as “pen testers,” the 8Base gang is financially motivated. In October 2023, it targeted healthcare and public health sector organizations in the United States, prompting the Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note about the group.
8Base also drew attention for its similarities with the RansomHouse ransomware, both in its ransom notes and in the text used on its leak site. The 8Base ransomware makes use of Phobos ransomware version 2.9.1, delivered by SmokeLoader, which handles the initial obfuscation for ingress, unpacking, and loading of the payload.
8Base primarily gains initial access through phishing emails, but ransomware samples have also been observed being downloaded from domains that appear to be associated with SystemBC, a proxy and remote administration tool (RAT). 8Base was also found to use a batch file named defoff.bat (detected by Trend Micro as KILLAV) that disables components of Windows Defender and allowlists the malware path through the Windows Management Instrumentation command-line (WMIC) utility.
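To make the KILLAV behaviour concrete for detection engineers, here is an added example written for this article; it is not Trend Micro's code and not the contents of defoff.bat, which the research does not reproduce. It runs a handful of rules over constructed Sysmon-style process-creation events. The WMIC MSFT_MpPreference exclusion, the PowerShell Set-MpPreference call and the sc config command are assumed generic Defender-tampering patterns chosen for illustration, not commands the page attributes to 8Base.

```python
"""Flag Defender-tampering command lines of the kind a KILLAV batch file
would run (disable protection, add an exclusion for the malware path).

Added example for this article, not Trend Micro's code. The events below
are constructed, Sysmon-like JSON records; the commands in them are
generic tampering patterns, not commands quoted from 8Base's defoff.bat.
"""
import json
import re
from typing import Dict, List

# Constructed sample telemetry (not real 8Base captures). Backslashes are
# doubled because the records are JSON; WS-17 shows a tampering chain,
# WS-04 shows benign admin use of the same binaries.
SAMPLE_EVENTS = [
    r'{"ts":"2024-03-02T09:14:01Z","host":"WS-17","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\defoff.bat"}',
    r'{"ts":"2024-03-02T09:14:02Z","host":"WS-17","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic /Namespace:\\\\root\\Microsoft\\Windows\\Defender class MSFT_MpPreference call Add ExclusionPath=C:\\Users\\jdoe\\AppData\\Local\\Temp"}',
    r'{"ts":"2024-03-02T09:14:03Z","host":"WS-17","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"ts":"2024-03-02T09:14:04Z","host":"WS-17","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\sc.exe","cmd":"sc config WinDefend start= disabled"}',
    r'{"ts":"2024-03-02T10:02:11Z","host":"WS-04","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic logicaldisk get name,size"}',
    r'{"ts":"2024-03-02T10:05:40Z","host":"WS-04","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell Get-MpPreference"}',
]

# (rule name, regex applied to the lower-cased command line)
RULES = [
    # WMIC adding a path/process/extension exclusion via the Defender WMI class
    ("defender_exclusion_added_via_wmic",
     re.compile(r"wmic\b.*msft_mppreference\b.*\bcall\s+add\b.*\bexclusion(path|process|extension)=")),
    # Set-MpPreference switching any protection feature off
    ("defender_protection_disabled_via_powershell",
     re.compile(r"set-mppreference\b.*-disable[a-z]+\s+\$?true")),
    # stopping, disabling or deleting the WinDefend service
    ("defender_service_tampering",
     re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+windefend\b")),
    # the batch file name the research attributes to 8Base
    ("killav_batch_defoff",
     re.compile(r"\bdefoff\.bat\b")),
]


def classify(cmd: str) -> List[str]:
    """Return the names of every rule the command line trips (empty if none)."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def analyze(raw_events: List[str]) -> List[Dict]:
    """Parse JSON event lines and return one alert per event that trips a rule."""
    alerts = []
    for line in raw_events:
        ev = json.loads(line)
        hits = classify(ev.get("cmd", ""))
        if hits:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rules": hits, "cmd": ev["cmd"]})
    return alerts


def hosts_with_tamper_chain(alerts: List[Dict], min_rules: int = 2) -> List[str]:
    """Hosts on which at least min_rules distinct rules fired. One exclusion can
    be an administrator; several distinct tampering steps in a row on the same
    host is the shape of a KILLAV script and deserves a higher-severity alert."""
    by_host: Dict[str, set] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).update(a["rules"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], ",".join(a["rules"]), "|", a["cmd"])
    print("hosts with a multi-step Defender tampering chain:",
          hosts_with_tamper_chain(found))
```

Run as-is the script flags the four WS-17 commands and leaves the WS-04 admin commands alone; the chain heuristic then singles out WS-17. In production the rules would need to cover the other routes to the same end (Add-MpPreference, direct registry edits under the Defender policy keys, and the bulk of living-off-the-land tooling the article notes is shared across ransomware groups), and the parent-process field should feed into scoring, since WMIC and PowerShell spawned from a batch file under a user temp directory is far more suspicious than the same binaries launched from an admin console.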
In September 2023, an 8Base leak site duplicate was discovered on the darknet, reportedly associated with a group known as CryptBB; however, 8Base denied the association and asserted that the duplicate site was an imitation. In the same month, the 8Base group unintentionally leaked some information about its leak website, linking the website to a private GitLab server called Jcube-group.
Top affected countries and industries according to Trend Micro threat intelligence data
Based on Trend threat intelligence data, there were 224 attack attempts by 8Base in 2023, with the gang’s criminal activity against Trend customers peaking in March.
Organizations in the manufacturing industry were targeted the most by 8Base ransomware, with companies in the technology industry also heavily targeted. Beyond the top five industries shown in Figure 2, organizations in healthcare, oil and gas, and government were also targeted by 8Base. It should be noted that the data in Figure 2 covers only Trend Micro customers who have chosen to provide information on the industry they belong to.
Meanwhile, Trend threat intelligence showed that 8Base targeted the United States the most, with 71 infected-machine detections from January 2023 to March 2024. Notably, the Netherlands, a small western European country, followed with 35 detections. Vietnam, Israel, and the United Kingdom were also among the gang’s most targeted countries.
Targeted regions and industries according to 8Base ransomware’s leak site
This section looks at data based on attacks recorded on the leak site of the 8Base ransomware from May 2023 to March 2024.
Based on a combination of our open-source intelligence (OSINT) research and an investigation of the leak site, the 8Base ransomware gang targeted organizations in North America the most, while also spending significant time on European corporations.
Figure 4. The distribution by region of 8Base ransomware’s victim organizations
Source: 8Base ransomware’s leak site data and Trend Micro’s OSINT research (May 2023 – March 2024)
A closer look shows that the gang’s efforts were significantly focused on American organizations, but it also targeted Brazilian institutions as well as those from the United Kingdom, France, Canada, and Australia. Interestingly, 8Base ransomware also targeted smaller countries such as Costa Rica, Croatia, and the Bahamas.
Threat actors behind 8Base ransomware targeted a wide range of sectors including real estate businesses, legal services companies, and hospitality-related establishments. However, they focused their efforts the most on businesses in the manufacturing and finance sectors.
8Base targeted small businesses the most, despite, or perhaps because of, the gang positioning itself as pen testers; penetration testing usually aims to identify weak spots in a system’s defenses that attackers could exploit. Rather than big corporations, the gang appears to have targeted small businesses to teach them a “lesson” while also turning a profit.