Who are 8BASE?

Jul 4, 2023

This post is also available in: עברית (Hebrew)

There is a new ransomware group that has been grabbing the attention of the world of cybersecurity. Following is a brief overview of the new kid on the block- 8BASE.

8BASE first appeared on the ransomware scene in March 2022 but had a significant spike in activity in June of 2023. There currently isn’t enough information to determine the size of the group, where their home base of operations is located, or if they are backed by any nation-state entities or governments.

Like many other dark leak sites, the group has a page dedicated to victims and downloads, a set of rules for negotiating, and a statement that they only accept a ransom payment in Bitcoin. They also claim that they’re “honest and simple pentesters” looking to make a buck for the greater good. “This list contains only those companies that have neglected the privacy and importance of the data of their employees and customers,” the website says.

In a very unusual move, 8BASE offers to remove the personal data of individuals who may be involved or working for the victim organization, upon request. The group’s Frequently Asked Questions page states: “In case the team decides to publish the data containing personal information, individuals can contact us via our Official Telegram Channel or dedicated Telegram Channels referenced at company’s details profile with a removal request, in addition we will try to do this ourselves before making the data public.”

8BASE’s Telegram channel has dozens of posts filled with downloadable files containing what appear to be identifiable company records, employee IDs, driver’s licenses, and passports from various companies located across the world, including South America, Panama, Australia, and the US.

According to VMware research, the group’s top ten targeted industries include business services at number one, real estate and construction in the middle, and food-related industries coming in last.

A post made by the group reads: “We have a large number of files. For demonstration, some of them are presented here. The entire amount of data has already been uploaded to the site, enjoy!”.

8BASE’s usual ransomware attack method is “double extortion”, in which the group breaches their target and steals what sensitive information they can access, then encrypts the company’s data files and/or network servers. They then demand a ransom not only for a decryption key but for them to delete the data stolen in the attack.

This method most likely evolved as organizations began to proactively create and store back-ups of their network systems, making a decryption key unnecessary for most companies to restore their data. The hackers, who can easily make copies of the stolen data for future use, may decide to publish or sell the data anyway, despite a ransom being paid.

This article is based on information provided by Cybernews and research by VMware.