{
	"id": "79bf6fdb-4754-42b8-ba08-c8c31de923a0",
	"created_at": "2026-04-06T00:12:14.256382Z",
	"updated_at": "2026-04-10T13:11:40.480278Z",
	"deleted_at": null,
	"sha1_hash": "771cde17b626f7266ebc1fa25ae94b4d864af181",
	"title": "8Base Ransomware: A Heavy Hitting Player",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3636643,
	"plain_text": "8Base Ransomware: A Heavy Hitting Player\r\nBy Deborah Snyder, Fae Carlisle, Dana Behling, Bria Beathley\r\nPublished: 2023-06-28 · Archived: 2026-04-05 19:26:28 UTC\r\nThe 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023. The group pairs encryption with “name-and-shame” extortion to compel its victims to pay. 8Base’s pattern of compromise is opportunistic, with recent victims spanning varied industries. Despite the high number of compromises, the identities, methodology, and underlying motivation behind these incidents remain a mystery.\r\nThe speed and efficiency of 8Base’s current operations do not indicate the start of a new group; they point to the continuation of a well-established, mature organization. Based on the currently available information, certain aspects of 8Base’s operations look eerily similar to ransomware operations seen in the past.\r\n8Base Ransomware: What We Know\r\nFigure 1: Screenshot of 8Base Ransom Group Leak Site\r\n8Base is a ransomware group that has been active since March 2022, with a significant spike in activity in June 2023. Describing themselves as “simple pen testers”, the group’s leak site provided victim details through Frequently Asked Questions and Rules sections, as well as multiple ways to contact them. 
What is interesting about 8Base’s communication style is its use of verbiage strikingly similar to that of another known group, RansomHouse.\r\nhttps://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html\r\nPage 1 of 16\r\nFigure 2: Chart of 8Base Ransom Group Activity from March 2022 – June 2023.\r\nContact information provided on the leak site included the following:\r\nTelegram Channel: https://t[.]me/eightbase\r\nTwitter: @8BaseHome\r\nFigure 3: Screenshot of 8Base Ransom Group Twitter.\r\n8Base Ransom Group’s top targeted industries include, but are not limited to, Business Services, Finance, Manufacturing, and Information Technology.\r\nFigure 4: Chart of 8Base Ransom Group’s Top Targeted Industries\r\nAlthough the 8Base Ransom Group is not necessarily new, its recent spike in activity has not gone unnoticed: within the past 30 days it has been one of the two most active ransom groups. Not much was known publicly about the ransomware used by 8Base beyond the ransom note and the fact that it appends the extension “.8base” to encrypted files.\r\nFigure 5: Chart comparing 8Base Ransom Group victimization statistics with other known Ransom Groups.\r\nAnalysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed interesting findings and raised the question: “Whose ransom is it anyway?”\r\nThe Mystery of “Whose ransom is it anyway?”\r\n8Base and RansomHouse\r\nWhile reviewing 8Base, we noticed significant similarities between this group and another group, RansomHouse. 
It is up for debate whether RansomHouse is a real ransomware group at all: the group buys already-leaked data, partners with data leak sites, and then extorts companies for money.\r\nThe first similarity was identified during a ransom note comparison project using the natural language processing model Doc2Vec. Doc2Vec is an unsupervised machine learning algorithm that converts documents to vectors, which can then be compared to identify similar documents. During this project, the 8Base ransom note had a 99% match with the RansomHouse ransom note. For comparison, we have provided a snippet of the ransom notes below:\r\nFigure 6: 8Base (blue) compared to RansomHouse (red) ransom notes\r\nDiving deeper, we did a side-by-side comparison of their respective leak sites. Again, we found the language of the two to be nearly identical.\r\nFigure 7: 8Base (blue) compared to RansomHouse (red) welcome pages\r\nThe verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page. 
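The ransom-note comparison above was done with Doc2Vec. As an added illustration that is not part of the original post, the Python below does the same kind of comparison with a bag-of-words cosine similarity, a deliberate stand-in for Doc2Vec (which needs a trained model and the gensim library): documents become term-frequency vectors, and the cosine between two vectors is the similarity score. A note copied nearly word for word scores close to 1.0 under either method, so this baseline is the figure a Doc2Vec result should at least agree with. The three notes, the family names and the function names are constructed for this example; they are not the real 8Base, RansomHouse or Phobos notes.

```python
# Added example, not code from the VMware Carbon Black post. Bag-of-words
# cosine similarity as a stand-in for the Doc2Vec comparison described in
# the post. The notes below are constructed and are not the real ones.
import math
from collections import Counter


def tokenize(text):
    '''Lowercase word tokens; punctuation is stripped so 'encrypted.' == 'encrypted'.'''
    words = []
    for raw in text.lower().split():
        word = ''.join(ch for ch in raw if ch.isalnum() or ch == '@')
        if word:
            words.append(word)
    return words


def vectorize(text):
    '''Term-frequency vector of a document (the simplest document embedding).'''
    return Counter(tokenize(text))


def cosine(vec_a, vec_b):
    '''Cosine similarity between two sparse term-frequency vectors, in [0, 1].'''
    dot = sum(count * vec_b[term] for term, count in vec_a.items() if term in vec_b)
    norm_a = math.sqrt(sum(c * c for c in vec_a.values()))
    norm_b = math.sqrt(sum(c * c for c in vec_b.values()))
    if not norm_a or not norm_b:
        return 0.0
    return dot / (norm_a * norm_b)


def similarity(text_a, text_b):
    return cosine(vectorize(text_a), vectorize(text_b))


def rank_matches(unknown_note, reference_notes):
    '''Rank {family: note text} by similarity to an unknown note, best match first.'''
    scored = [(family, round(similarity(unknown_note, note), 3))
              for family, note in reference_notes.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample notes (not the real ones). Family X differs from the
# unknown note in two words; family Y is a different template altogether.
NOTE_UNKNOWN = ('Dear management. Your network has been penetrated and all your data '
                'has been copied and encrypted. If you want to restore your systems and '
                'keep the data private, contact us through the channel below within three days.')
NOTE_FAMILY_X = ('Dear administration. Your network has been penetrated and all your data '
                 'has been copied and encrypted. If you want to restore your systems and '
                 'keep the data private, contact us through the channel below within five days.')
NOTE_FAMILY_Y = ('All of your files are encrypted. To decrypt them you must buy our decryptor '
                 'and pay in bitcoin. Write to the email in this file. Do not rename encrypted '
                 'files or use third party software, it will damage them.')

REFERENCE_NOTES = {'family-x': NOTE_FAMILY_X, 'family-y': NOTE_FAMILY_Y}


if __name__ == '__main__':
    for family, score in rank_matches(NOTE_UNKNOWN, REFERENCE_NOTES):
        print(family, score)
```

Two caveats when using any such score for attribution: RaaS notes are templates that affiliates edit, so a high score identifies the template (Phobos, RansomHouse) rather than the operator, and a short note with a long shared boilerplate section will score high against every family that reuses that boilerplate.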
The same word-for-word copying holds for their Terms of Service and FAQ pages, as seen below:\r\nFigure 8: 8Base (blue) compared to RansomHouse (red) terms of service pages\r\nFigure 9: 8Base (blue) compared to RansomHouse (red) FAQ pages\r\nWhen comparing the two threat actor groups, there are only two major differences. The first is that RansomHouse advertises its partnerships and is openly recruiting partners, whereas 8Base is not:\r\nFigure 10: RansomHouse partnership page\r\nThe second major difference between the two groups is their leak pages, as seen below:\r\nFigure 11: RansomHouse (red) and 8Base (blue) leak pages\r\nGiven the similarity between the two, we were presented with the question of whether 8Base may be an offshoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware available on dark markets and does not have its own signature ransomware to serve as a basis for comparison. Interestingly, while researching 8Base we were not able to find a single ransomware variant either. We stumbled across two very different ransom notes: one that matched RansomHouse’s and one that matched Phobos. This raised the question of whether 8Base, like RansomHouse, operates by using different ransomware families as well, and if so, whether 8Base is just an offshoot of RansomHouse.\r\n8Base and Phobos Ransomware\r\nWhen searching for a sample of ransomware used by the 8Base Ransom Group, a Phobos sample using a “.8base” file extension on encrypted files was recovered. 
Could this be an earlier iteration of the ransomware the group would go on to use, or is 8Base using several ransomware families to target its victims? Comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1, with SmokeLoader providing initial obfuscation on ingress, unpacking, and loading of the ransomware. With Phobos available as ransomware-as-a-service (RaaS), this is not a surprise: actors are able to customize parts of the payload to their needs, as seen in the 8Base ransom note. Although the two ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos note, while the 8Base note has “cartilage” in the top corner, a purple background, and no Jabber instructions, as seen below:\r\nFigure 12: 8Base (blue) compared to Phobos (red) ransom notes\r\nEven though 8Base added its own branding by appending “.8base” to encrypted files, the format of the entire appended portion is the same as Phobos: an ID section, an email address, and then the file extension.\r\nFigure 13: 8Base (blue) compared to Phobos (red) file extensions\r\nAdditional analysis that appeared unique to the 8Base Ransom Group showed that the 8Base sample had been downloaded from the domain admlogs25[.]xyz, which appears to be associated with SystemBC, a proxy and remote administration tool. 
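As an added example, not code from the original post: the suffix that 8Base appends to encrypted files keeps the Phobos layout described above (an ID section, an email address, then the extension), so a parser written for Phobos names also recovers the victim ID and contact email from 8Base-encrypted files. The post only shows the layout in Figure 13; the exact form parsed below, <original name>.id[<victim id>].[<email>].8base, is Phobos’s publicly documented naming convention and is an assumption of this example, as are the function names and the constructed directory listing.

```python
# Added example, not code from the VMware Carbon Black post. Parses the
# Phobos-style suffix 8Base appends to encrypted files. The exact layout
# '<original>.id[<victim id>].[<email>].8base' is assumed from Phobos's
# public naming convention; the post only shows it in a figure.
# Because the email part contains dots, the parser works from the right end
# of the name on the bracket markers instead of splitting on '.'.
from collections import defaultdict


def parse_encrypted_name(name, extension='8base'):
    '''Return {'original', 'victim_id', 'email'} for a Phobos-style name, else None.

    Pass a bare file name (the basename). The extension match is case-insensitive.
    '''
    suffix = '].' + extension.lower()
    if not name.lower().endswith(suffix):
        return None
    head = name[:-len(suffix)]             # '<original>.id[<victim id>].[<email>'
    email_marker = '].['                   # closes the id bracket, opens the email bracket
    cut = head.rfind(email_marker)
    if cut == -1:
        return None
    email = head[cut + len(email_marker):]
    id_block = head[:cut]                  # '<original>.id[<victim id>'
    id_marker = '.id['
    idx = id_block.rfind(id_marker)
    if idx == -1:
        return None
    victim_id = id_block[idx + len(id_marker):]
    original = id_block[:idx]
    if not original or not victim_id or '@' not in email or '[' in victim_id:
        return None
    return {'original': original, 'victim_id': victim_id, 'email': email}


def is_encrypted_name(name, extension='8base'):
    return parse_encrypted_name(name, extension) is not None


def summarise_listing(names, extension='8base'):
    '''Group recovered original names by (victim id, email).

    Each distinct pair is a distinct affiliate configuration; seeing more than
    one pair on a host means more than one build touched it.
    '''
    groups = defaultdict(list)
    for name in names:
        parsed = parse_encrypted_name(name, extension)
        if parsed:
            groups[(parsed['victim_id'], parsed['email'])].append(parsed['original'])
    return dict(groups)


# Constructed directory listing for this example; the id and email are made up.
SAMPLE_LISTING = [
    'Q2-forecast.xlsx.id[1A2B3C4D-1234].[contact@example.test].8base',
    'board-minutes.docx.id[1A2B3C4D-1234].[contact@example.test].8base',
    'info.hta',                                                  # a note, not an encrypted file
    'backup.7z.id[1A2B3C4D-1234].[contact@example.test].8BASE',  # extension case varies
    'holiday.jpg.8base',                                         # extension only, no Phobos layout
]

if __name__ == '__main__':
    for key, files in summarise_listing(SAMPLE_LISTING).items():
        print(key, len(files), 'files')
```

The extension parameter is there because the layout is the Phobos family’s, not 8Base’s: the same parser with extension='phobos' (or whatever another affiliate chose) handles other Phobos builds, and a file that carries the .8base extension without the id/email brackets is not in the Phobos format and should be treated as a different sample.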
SystemBC has been used by other ransomware groups as a way to encrypt command-and-control traffic and conceal its destination.\r\nVMware Carbon Black Detection\r\nVMware Carbon Black Managed Detection and Response, as an endpoint detection and response product, is effective at detecting ransomware and ransomware-like behavior. We have provided an Indicators of Compromise section below which can be used to create rules to detect and prevent the execution of 8Base ransomware.\r\nVMware Carbon Black has an active rule set used for the detection of all ransomware-type malware. This ruleset is sufficient to detect and prevent such malware and provides active protection for our customers. For active customers, we recommend ensuring this ruleset is enabled.\r\nOf course, it is important to stop ransomware from running in the first place. As described above, 8Base uses SystemBC to encrypt command-and-control traffic and SmokeLoader for initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos payload. Recommendations to prevent this activity include:\r\nBeware of phishing emails: Many threats, including SmokeLoader, are delivered via phishing emails. Ensuring personnel are educated on phishing techniques is crucial to prevention efforts.\r\nEnsure network controls are configured to block and alert on connections to command-and-control servers: DNS filtering and proxy or firewall policy do the blocking, and the SIEM should alert on any attempt. The domains are provided in the IOC section.\r\nThe Indicators of Compromise provided below can be invaluable for threat hunting. They help identify potential security breaches and malicious activity. 
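As an added example, not code from the post or from Carbon Black’s product: the script below runs a small offline hunt over constructed endpoint events against two things the post lists further down, the shadow-copy and boot-recovery commands in the T1490 row of its ATT&CK table and the contacted domains in its IoC table. The event layout (a dict with type, host, and cmdline or query) and the host names are made up for the example; a real EDR or SIEM export needs its own field mapping. Domains are matched on DNS queries here, and proxy-log hostnames can be fed through the same function.

```python
# Added example, not code from the VMware Carbon Black post. Hunts constructed
# endpoint events (not real telemetry) for the T1490 commands and the IoC
# domains listed in the post. The event layout is made up for this example.

# Copied verbatim from the post's T1490 row (already lowercase).
RECOVERY_INHIBIT_COMMANDS = (
    'wmic shadowcopy delete',
    'wbadmin delete catalog -quiet',
    'vssadmin delete shadows /all /quiet',
    'bcdedit /set {default} recoveryenabled no',
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
)

# Defanged domains from the post's IoC table.
IOC_DOMAINS_DEFANGED = (
    'wlaexfpxrs[.]org', 'admhexlogs25[.]xyz', 'admlogs25[.]xyz', 'admlog2[.]xyz',
    'dnm777[.]xyz', 'serverlogs37[.]xyz', 'dexblog[.]xyz', 'blogstat355[.]xyz',
    'blogstatserv25[.]xyz',
)

BACKSLASH = chr(92)   # spelled out so the listing carries no escape sequences


def refang(domain):
    return domain.replace('[.]', '.').lower()


IOC_DOMAINS = tuple(sorted(refang(d) for d in IOC_DOMAINS_DEFANGED))


def _normalise_token(token):
    '''Reduce 'C:...wbem/WMIC.exe' to 'wmic'; leave switches such as '/all' alone.'''
    if token.startswith('/'):
        return token
    base = token.replace(BACKSLASH, '/').rsplit('/', 1)[-1]
    if base.endswith('.exe'):
        base = base[:-4]
    return base


def match_command(cmdline):
    '''Return the matching T1490 command pattern, or None.

    Matching is on a normalised command line: lowercased, whitespace collapsed,
    executable paths and '.exe' stripped, so 'cmd /c vssadmin.exe Delete Shadows'
    still hits. A substring match also catches the command behind a wrapper.
    '''
    tokens = [_normalise_token(t) for t in cmdline.lower().split()]
    flat = ' '.join(tokens)
    for pattern in RECOVERY_INHIBIT_COMMANDS:
        if pattern in flat:
            return pattern
    return None


def match_domain(hostname):
    '''Return the IoC domain that hostname equals or is a subdomain of, or None.'''
    host = hostname.lower().rstrip('.')
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith('.' + domain):
            return domain
    return None


def hunt(events):
    '''Return (event id, label, indicator) for every event that hits.'''
    hits = []
    for event in events:
        if event['type'] == 'process':
            matched = match_command(event['cmdline'])
            if matched:
                hits.append((event['id'], 'T1490 Inhibit System Recovery', matched))
        elif event['type'] == 'dns':
            matched = match_domain(event['query'])
            if matched:
                hits.append((event['id'], 'IoC domain', matched))
    return hits


def hosts_with_recovery_inhibition(events):
    '''Hosts on which any T1490 command ran: these need immediate isolation.'''
    by_id = {event['id']: event['host'] for event in events}
    return sorted({by_id[hit[0]] for hit in hunt(events) if hit[1].startswith('T1490')})


# Constructed events for this example.
SAMPLE_EVENTS = [
    {'id': 1, 'type': 'process', 'host': 'ws01',
     'cmdline': 'C:/Windows/System32/wbem/WMIC.exe shadowcopy delete'},
    {'id': 2, 'type': 'process', 'host': 'ws01',
     'cmdline': 'cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet'},
    {'id': 3, 'type': 'process', 'host': 'ws03',
     'cmdline': 'bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {'id': 4, 'type': 'process', 'host': 'ws02',
     'cmdline': 'vssadmin list shadows'},                   # benign: lists, does not delete
    {'id': 5, 'type': 'dns', 'host': 'ws01', 'query': 'admlogs25.xyz'},
    {'id': 6, 'type': 'dns', 'host': 'ws01', 'query': 'cdn.blogstat355.xyz.'},  # subdomain, trailing dot
    {'id': 7, 'type': 'dns', 'host': 'ws02', 'query': 'notadmlogs25.xyz'},      # different label: no hit
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print('isolate:', hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

The domain check deliberately requires a label boundary (host == domain or host ends with '.' + domain) so that a lookalike such as notadmlogs25.xyz does not fire, and the command check is a substring match over normalised tokens rather than an exact string compare, because the same vssadmin invocation arrives through cmd.exe, a full path, or mixed case depending on the telemetry source. The T1490 hit is the one to page on: shadow-copy deletion happens right before encryption, so there is usually still time to isolate the host.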
By using these indicators, security teams can proactively investigate and mitigate threats. Vigilant threat hunting with these indicators helps organizations stay ahead of potential risks and maintain a robust security posture.\r\nSummary\r\nGiven the nature of the beast that is 8Base, we can only speculate at this time that the group is using several different types of ransomware, either as earlier variants or as part of its normal operating procedures. What we do know is that this group is highly active and targets smaller businesses.\r\nWhether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos ransomware. At present, 8Base remains one of the most active ransomware groups this summer (2023).\r\nAs with all ransomware, VMware Carbon Black highly recommends its endpoint detection product given its high performance and ability to catch ransomware before it spreads.\r\nMITRE ATT\u0026CK TIDs:\r\nTactic | Technique | Description\r\nTA0003 Persistence | T1547.001 Registry Run Keys / Startup Folder | Adds the following:\r\n    %AppData%\\Local\\{malware}\r\n    %ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\{malware}\r\n    %AppData%\\Roaming\\Microsoft\\Start Menu\\Programs\\Startup\\{malware}\r\nTA0007 Discovery | T1135 Network Share Discovery | Uses WNetEnumResource() to crawl network resources\r\nTA0004 Privilege Escalation | T1134.001 Token Impersonation/Theft | Uses DuplicateToken() to adjust token privileges\r\nTA0005 Defense Evasion | T1562.001 Disable or Modify Tools | Terminates a long list of processes, a mix of commonly used applications (for example, MS Office applications) and security software\r\nTA0005 Defense Evasion | T1027.002 Obfuscated Files or Information: Software Packing | SmokeLoader unpacks and loads Phobos into memory\r\nTA0040 Impact | T1490 Inhibit System Recovery | Runs:\r\n    wmic shadowcopy delete\r\n    wbadmin delete catalog -quiet\r\n    vssadmin delete shadows /all /quiet\r\n    bcdedit /set {default} recoveryenabled no\r\n    bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nTA0040 Impact | T1486 Data Encrypted for Impact | Uses AES to encrypt files\r\nIndicators of Compromise:\r\nIndicator | Type | Context\r\n518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c | SHA-256 | 8Base ransomware (Phobos variant)\r\n5BA74A5693F4810A8EB9B9EEB1D69D943CF5BBC46F319A32802C23C7654194B0 | SHA-256 | 8Base ransom note (RansomHouse variant)\r\n20110FF550A2290C5992A5BB6BB44056 | MD5 | 8Base ransom note (RansomHouse variant)\r\n3D2B088A397E9C7E9AD130E178F885FEEBD9688B | SHA-1 | 8Base ransom note (RansomHouse variant)\r\ne142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0 | SHA-256 | 8Base ransomware (Phobos variant)\r\n5d0f447f4ccc89d7d79c0565372195240cdfa25f | SHA-1 | 8Base ransomware (Phobos variant)\r\n9769c181ecef69544bbb2f974b8c0e10 | MD5 | 8Base ransomware (Phobos variant)\r\nC6BD5B8E14551EB899BBE4DECB6942581D28B2A42B159146BBC28316E6E14A64 | SHA-256 | 8Base ransomware (Phobos variant)\r\nAFDDEC37CDC1D196A1136E2252E925C0DCFE587963069D78775E0F174AE9CFE3 | SHA-256 | 8Base ransomware (Phobos variant)\r\nwlaexfpxrs[.]org | Data POST to URL | 8Base ransomware referred domain (Phobos variant)\r\nadmhexlogs25[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nadmlogs25[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nadmlog2[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\ndnm777[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nserverlogs37[.]xyz | Data POST to URL | 8Base ransomware referred domain\r\n9f1a.exe | File Name | 8Base ransomware dropped file\r\nd6ff.exe | File Name | 8Base ransomware dropped file\r\n3c1e.exe | File Name | 8Base ransomware dropped file\r\ndexblog[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nblogstat355[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nblogstatserv25[.]xyz | Data GET request to URL | 8Base ransomware referred domain\r\nSource: https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html"
	],
	"report_names": [
		"8base-ransomware-a-heavy-hitting-player.html"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/771cde17b626f7266ebc1fa25ae94b4d864af181.pdf",
		"text": "https://archive.orkl.eu/771cde17b626f7266ebc1fa25ae94b4d864af181.txt",
		"img": "https://archive.orkl.eu/771cde17b626f7266ebc1fa25ae94b4d864af181.jpg"
	}
}