Ransomware Spotlight: 8Base
Based on Trend threat intelligence data, there were 224 attack attempts by 8Base in 2023, with the gang’s criminal activity against Trend customers peaking in March.
Organizations in the manufacturing industry were targeted the most by 8Base ransomware, while companies in the technology industry were also largely targeted. Beyond the top five industries specified in Figure 2, organizations in healthcare, oil and gas industries, and the government were also targeted by 8Base. It should be noted that the data in Figure 2 covers Trend Micro customers who have chosen to provide information on the industry they belong to.
Meanwhile, Trend threat intelligence showed that the 8Base ransomware targeted America the most, with 71 infected machine detections in data from January 2023 to March 2024. Curiously, threat actors behind the ransomware also targeted the small western European country of the Netherlands, with 35 detections. Vietnam, Israel, and the United Kingdom were also among the gang’s top targeted countries.
This section looks at data based on attacks recorded on the leak site of the 8Base ransomware from May 2023 to March 2024.
Based on a combination of our open-source intelligence (OSINT) research and an investigation of the leak site, the 8Base ransomware gang targeted organizations in North America the most, while also spending significant time on European corporations.
Figure 4. The distribution by region of 8Base ransomware’s victim organizations
Source: 8Base ransomware’s leak site data and Trend Micro’s OSINT research (May 2023 – March 2024)
A closer look shows that the gang’s efforts were significantly focused on American organizations, but it also targeted Brazilian institutions as well as those from the United Kingdom, France, Canada, and Australia. Interestingly, 8Base ransomware also targeted smaller countries such as Costa Rica, Croatia, and the Bahamas.
Figure 5. The top five countries targeted by 8Base ransomware
Source: 8Base ransomware’s leak site data and Trend Micro’s OSINT research (May 2023 – March 2024)
Threat actors behind 8Base ransomware targeted a wide range of sectors including real estate businesses, legal services companies, and hospitality-related establishments. However, they focused their efforts the most on businesses in the manufacturing and finance sectors.
Figure 6. The top 5 sectors targeted by 8Base ransomware
Source: 8Base ransomware’s leak site data and Trend Micro’s OSINT research (May 2023 – March 2024)
The 8Base ransomware targeted small businesses the most, despite or perhaps because the gang positioned themselves as pen testers; penetration testing usually aims to identify weak spots in a system’s defenses that can be taken advantage of by attackers. It could be assumed that instead of big corporations, the gang targeted small businesses to teach them a “lesson” while also gaining profit.
Figure 7. The distribution by organization size of the 8Base ransomware victims
Source: 8Base ransomware’s leak site data and Trend Micro’s OSINT research (May 2023 – March 2024)
Initial Access | Persistence | Privilege Escalation | Defense Evasion | Discovery | Impact |
---|---|---|---|---|---|
T1566 - Phishing | T1547.001 - Registry Run Keys / Startup Folder | T1134.001 - Token Impersonation/Theft<br>T1134.002 - Create Process with Token<br>T1548.002 - Bypass User Account Control<br>T1546.008 - Accessibility Features | T1027.001 - Binary Padding<br>T1497.001 - System Checks<br>T1562.004 - Disable or Modify System Firewall<br>T1140 - Deobfuscate / Decode Files or Information<br>T1070.001 - Clear Windows Event Logs | T1083 - File and Directory Discovery<br>T1082 - System Information Discovery<br>T1135 - Network Share Discovery<br>T1057 - Process Discovery | T1486 - Data Encrypted for Impact<br>T1490 - Inhibit System Recovery<br>T1218.005 - System Binary Proxy Execution: Mshta |

Tactic | Tool or technique | Type |
---|---|---|
Initial Access | Phishing | Technique |
Credential Access | Mimikatz | Hacktool |
Credential Access | LaZagne | Hacktool |
Credential Access | WebBrowserPassView | Hacktool |
Credential Access | VNCPassView | Hacktool |
Credential Access | PasswordFox | Hacktool |
Credential Access | ProcDump | Tool |
Lateral Movement | PsExec | Tool |
Lateral Movement | SystemBC | Tool |
Defense Evasion | KILLAV | Malware |
Defense Evasion | SmokeLoader | Malware |
Defense Evasion | PCHunter | Tool |
Defense Evasion | GMER | Tool |
Defense Evasion | Process Hacker | Tool |
Exfiltration | RClone | Tool |
Impact | Phobos Ransomware | Malware |

While the threat actors behind the 8Base ransomware position themselves as penetration testers, their attacks on organizations cannot be seen as a “public service,” since the group extorts and profits off its victims. Organizations should conduct their own penetration tests and find out weaknesses in their systems before cybercriminals can take advantage of them in the guise of teaching lessons in security. As evidenced in the profile of 8Base ransomware’s victims, no business is too small for a robust and comprehensive security system.
To shield themselves against 8Base ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
The following are some best practices that organizations can consider to safeguard themselves from ransomware infections:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for the threat discussed in this article can be found here. Actual indicators might vary per attack.
Trend Vision One customers can use the following hunting query to search for 8Base ransomware within their system:
```
fullPath:"*.8base" OR fullPath:"*.eight" OR fullPath:"*\\info.hta" OR fullPath:"*\\info.txt" OR (processFilePath:"*\\mshta.exe" AND objectFilePath:"*\\info.hta")
```
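The same matching logic applied offline to exported endpoint events, as an added example that is not Trend Micro's code. The three field names come from the query above; the `endpoint` key, the triage rule, and the sample events are assumptions constructed here.

```python
from collections import defaultdict

# Suffixes taken from the hunting query above; Windows paths compare case-insensitively.
ENCRYPTED_SUFFIXES = (".8base", ".eight")
NOTE_SUFFIXES = ("\\info.hta", "\\info.txt")

def _norm(value):
    # A field missing from an event behaves like an empty string.
    return (value or "").lower()

def match_clauses(event):
    """Return the set of query clauses that one telemetry event satisfies."""
    full = _norm(event.get("fullPath"))
    proc = _norm(event.get("processFilePath"))
    obj = _norm(event.get("objectFilePath"))
    hits = set()
    if full.endswith(ENCRYPTED_SUFFIXES):
        hits.add("encrypted_extension")
    if full.endswith(NOTE_SUFFIXES):
        hits.add("ransom_note_file")
    if proc.endswith("\\mshta.exe") and obj.endswith("\\info.hta"):
        hits.add("mshta_opens_note")
    return hits

def hunt(events):
    """Group matched clauses per host; the 'endpoint' key is an assumed field name."""
    by_host = defaultdict(set)
    for ev in events:
        hits = match_clauses(ev)
        if hits:
            by_host[ev.get("endpoint", "unknown")] |= hits
    return dict(by_host)

def triage(by_host):
    """Assumed rule: a lone info.hta/info.txt file name is a weak signal, anything else is strong."""
    return {h: "review" if c == {"ransom_note_file"} else "escalate" for h, c in by_host.items()}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"endpoint": "WS-01", "fullPath": "C:\\Users\\alice\\Documents\\budget.xlsx.8base"},
    {"endpoint": "WS-01", "processFilePath": "C:\\Windows\\System32\\mshta.exe", "objectFilePath": "C:\\Users\\alice\\Desktop\\info.hta"},
    {"endpoint": "SRV-02", "fullPath": "D:\\vendor\\docs\\INFO.TXT"},
    {"endpoint": "WS-03", "fullPath": "C:\\Windows\\System32\\notepad.exe"},
    {"endpoint": "WS-03", "processFilePath": "C:\\Windows\\System32\\mshta.exe", "objectFilePath": "C:\\Apps\\setup.hta"},
]

if __name__ == "__main__":
    print(triage(hunt(SAMPLE_EVENTS)))
```

Grouping by host separates a stray `info.txt` from a machine that shows both encrypted-file extensions and `mshta.exe` opening the ransom note.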