8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

Cyber Security Threat Summary:
“A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a ‘massive spike in activity’ in May and June 2023. ‘The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms,’ VMware Carbon Black researchers Deborah Snyder and Fae Carlisle [said](https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player) in a report. ‘8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.’ 8Base, according to statistics gathered by [Malwarebytes](https://www.malwarebytes.com/blog/threat-intelligence/2023/06/ransomware-review-june-2023) and [NCC Group](https://www.mynewsdesk.com/nccgroup/news/ncc-group-monthly-threat-pulse-may-2023-468794), has been linked to 67 attacks as of May 2023, with about 50% of the victims [operating](https://hackmanac.com/news/8base-the-newly-discovered-ransomware-gang) in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active since at least March 2022 and the actors describe themselves as ‘simple pentesters’” (The Hacker News, 2023).

Security Officer Comments:
Like any other ransomware group, 8Base engages in double extortion schemes where it exfiltrates data prior to encryption and threatens to publish the data on the gang’s data leak site if the victim does not pay the ransom. To date, 8Base has listed 35 victims on its site that refused to comply with the group’s ransom demands. Taking a look at 8Base’s data leak site, researchers noticed similarities in language and content to the data leak site of RansomHouse, another notorious ransomware gang, where even the FAQ pages appear to have been copy-pasted. Furthermore, 8Base appends encrypted files with the .8base extension, which resembles the extension (.eight) used by another group called Phobos, a Windows-targeting Ransomware-as-a-Service that has been active since 2019. Despite the similarities, there is not enough evidence to suggest that 8Base is a rebranding of either RansomHouse or Phobos. It appears that 8Base has drawn inspiration from these groups and is reusing similar templates and extensions.
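As an added example (not part of the original advisory), the snippet below shows one way a defender could turn the .8base extension noted above (and the Phobos-style .eight extension it resembles) into a simple mass-rename detection over file-system event logs. The event line format, the sample events, and the burst threshold and window are all constructed assumptions for illustration.

```python
"""Flag a burst of files renamed to the 8Base ransomware extension.
Added example, not from the advisory. Event lines are constructed; the
.8base and .eight extensions come from the advisory text; the threshold
and window are assumed tuning values."""
from collections import deque
from datetime import datetime, timedelta

# Extensions the advisory associates with 8Base and the Phobos family it resembles.
SUSPECT_EXTENSIONS = (".8base", ".eight")

# Assumed tuning: 20 suspect renames within 60 seconds is treated as mass encryption.
BURST_THRESHOLD = 20
BURST_WINDOW = timedelta(seconds=60)

def parse_event(line):
    """Parse 'ISO-timestamp host action path' into (datetime, host, action, path)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def is_suspect(path):
    """True if the path ends with a ransomware extension from the advisory."""
    return path.lower().endswith(SUSPECT_EXTENSIONS)

def detect_bursts(lines):
    """Return {host: time_of_first_alert} for hosts whose RENAME events to a
    suspect extension reach BURST_THRESHOLD inside a sliding BURST_WINDOW."""
    windows = {}
    alerts = {}
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action != "RENAME" or not is_suspect(path):
            continue
        q = windows.setdefault(host, deque())
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:   # drop events outside the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample events: one benign rename, a burst on fs01, one stray rename on ws07.
SAMPLE_EVENTS = ["2023-06-01T10:00:00 fs01 RENAME /share/notes.txt.bak"]
SAMPLE_EVENTS += [f"2023-06-01T10:05:{i:02d} fs01 RENAME /share/doc{i}.docx.8base"
                  for i in range(25)]
SAMPLE_EVENTS += ["2023-06-01T10:06:00 ws07 RENAME /home/u/report.pdf.8base"]

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {BURST_THRESHOLD}+ suspect renames by {when.isoformat()}")
```

A single stray rename stays below the threshold, so only the host with the burst is reported.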

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://thehackernews.com/2023/06/8base-ransomware-spikes-in-activity.html