{
	"id": "f7a2040f-2175-4a80-8f39-e18743f2510b",
	"created_at": "2026-04-06T00:13:28.750058Z",
	"updated_at": "2026-04-10T03:25:24.178424Z",
	"deleted_at": null,
	"sha1_hash": "ad6404e3931a3fd55adfc457f183496af70e1105",
	"title": "Dark Web Profile: 8Base Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75434,
	"plain_text": "Dark Web Profile: 8Base Ransomware\r\nPublished: 2023-07-27 · Archived: 2026-04-05 13:05:29 UTC\r\nIn today’s cyber world, while the ransomware scene remains dynamic and active, new actors are emerging with\r\nsignificant numbers of victims. In this article, we will focus on 8Base Ransomware, which ranked in the top 5\r\nmost active groups last month according to Daily Dark Web, with 37 victim announcements in June.\r\nFigure 1. The 10 most active ransomware groups of June 2023 (Source: Daily Dark Web)\r\nWho is 8Base?\r\n8Base is a ransomware group that has been active since April 2022. Despite its relatively recent emergence, the\r\ngroup has rapidly gained notoriety due to its aggressive tactics and the significant number of victims it has\r\nclaimed. The group primarily targets small and medium-sized businesses (SMBs) across various sectors, including\r\nbusiness services, finance, manufacturing, and information technology.\r\nFigure 2. First attack claim shared by 8Base\r\nThe group’s identity, methods, and motivations largely remain a mystery. However, based on its leak site and\r\npublic accounts, along with the group’s communications, researchers think the group’s verbal style is quite similar\r\nto that of RansomHouse, a group that typically purchases already compromised data or works with data leak\r\nsites to extort victims. This has led to speculation that 8Base may be an offshoot of RansomHouse.\r\nAnother point of view is that 8Base was built directly with the leaked Babuk builder:\r\nFigure 3. (Source: BushidoToken)\r\nPutting everything else aside, the group’s rapid rise in activity and the significant number of victims they have\r\nclaimed have made them a major player in the ransomware landscape. They have been particularly active in\r\nrecent months, with a significant spike in their activities observed. 
This has led to them being ranked as one of the\r\ntop performing ransom groups, further highlighting the threat they pose.\r\nHow Does 8Base Ransomware Attack?\r\n8Base is known for its double-extortion tactics. The group threatens to publish the encrypted files unless the\r\nransom is paid, aiming to embarrass the victim by exposing private or confidential information that could damage\r\ntheir brand or reputation. The use of the “double-extortion” tactic has become increasingly common among\r\nransomware groups, as it adds an additional layer of pressure on the victims to pay the ransom.\r\nThe 8Base ransomware is thought to spread via:\r\nPhishing emails,\r\nExploit kits.\r\nhttps://socradar.io/dark-web-profile-8base-ransomware/\r\nPage 1 of 7\n\nIf you are suspicious that an email you have is phishing, you can use SOCRadar’s Phishing Radar tool, available\r\nfor free under LABS:\r\nFigure 4. SOCRadar’s SOC Tools, available for free under SOCRadar LABS\r\nWhich tools and vulnerabilities does 8Base Ransomware use?\r\n8Base uses a variety of ransomware strains, including a variant known as Phobos. The group has customized\r\nPhobos by appending ‘.8base’ to their encrypted files, but the format of the entire appended portion remains the\r\nsame as Phobos, which includes an ID section, an email address, and then the file extension. This suggests that\r\n8Base is leveraging Ransomware-as-a-Service (RaaS) offerings, a common practice among ransomware groups.\r\nQuick Look at 8Base Ransomware’s TOR Site\r\nWhen we enter the group’s Tor website, we are greeted by a homepage with victim announcements section by\r\nsection and with descriptions underneath.\r\nFigure 5. The main page of 8Base Ransomware’s Tor site\r\nWhen we go to the Contact section, a standard contact form welcomes us, just like an organization’s website.\r\nFigure 6. 
Contact Page of 8Base Ransomware’s Tor Site\r\nWhen we go to the Frequently Asked Questions (FAQ) section, we are greeted with a somewhat long article; first\r\nof all, we learn about the group’s Telegram and Twitter accounts.\r\nFigure 7. Head of 8Base Ransomware TOR site FAQ Page\r\nFrom the FAQ text, several aspects can be inferred about 8Base:\r\nBusiness-like Approach: This group operates in a structured, professional manner, with clear policies and\r\nprocedures. They have dedicated channels for communication and even offer customer support, implying they\r\nhave a well-organized infrastructure.\r\nCooperation: The group is open to collaboration with others who share their ethos. They suggest willingness to\r\nnegotiate ransom deals on behalf of others. However, they clearly state their rejection of any association with\r\nultra-radical groups, indicating an attempt to maintain an image of ethicality.\r\nEthical Line: The group claims to have ethical boundaries, refusing to engage with extremist groups or release\r\ndata that violates moral principles. They attempt to legitimize their activities by drawing a line between what they\r\nperceive as ethical hacking and malicious activities.\r\nRespect for Journalism: They seem to value journalism and have special provisions for journalists, indicating\r\ntheir belief in information accessibility. This could also be a strategy to gain media attention and publicity.\r\nVictim Support: Surprisingly, they claim to offer help to victims of the companies they attack, suggesting that\r\nthey remove personal data before making it public. They also offer data sets to individuals for potential lawsuits.\r\nThis could be a strategy to frame their actions as ‘just’ or ‘helpful’ to the public.\r\nData Disclosure Process: The group follows a process where they first list a company as “Evidence” and later\r\nchange the status to “Disclosed”. 
They provide the company an opportunity to prevent data disclosure,\r\nindicating a form of negotiation or potential ransom demand. This suggests they primarily aim at financial gain.\r\nFigure 8. The remaining part of 8Base Ransomware TOR site’s FAQ Page\r\nIn addition to the FAQ page, there is a sub-page called “Rules.” This page can be thought of as a list of\r\ninformation for victims on how to proceed.\r\nFigure 9. Terms of Service page of 8Base Ransomware TOR site\r\nAnd lastly, we can see the About Us section at the bottom of each page:\r\nFigure 10. “About US” section of 8Base Ransomware\r\nSOCRadar continuously monitors the dark web and posts news about ransomware groups under the\r\n“Ransomware News” heading on the Dark Web News page of the CTI module:\r\nFigure 11. SOCRadar’s Ransomware News heading under the Dark Web Page of CTI Module\r\n(Source: SOCRadar)\r\nThe group’s leak site describes them as “honest and simple pentesters.” The site offers instructions to victims\r\nwith sections for Frequently Asked Questions and Rules, along with multiple ways to contact the group. 8Base\r\nalso maintains an official channel on the messaging service Telegram and an account on Twitter, further\r\ndemonstrating their sophisticated communication and public relations strategies.\r\nFigure 12. Twitter Page of 8Base Ransomware\r\nThey also share files and new claims on their Telegram pages, which for some reason contradict the “ethical”\r\ninformation they provide.\r\nFigure 13. A Screenshot of 8Base Ransomware’s Telegram Channel\r\nWhat are the Targets of 8Base Ransomware?\r\n8Base primarily targets small and medium-sized businesses (SMBs) across various sectors. The group seems to\r\nhave a preference for certain industries, with businesses in the business services, finance, manufacturing, and\r\ninformation technology sectors being particularly targeted. 
This could be due to the perceived ability of businesses\r\nin these sectors to pay larger ransoms, or it could be due to the nature of their data, which may be more\r\nsensitive or valuable.\r\nThe group’s activities have spiked recently, with the group claiming the second-largest number of victims over\r\nthe past 30 days, second only to the LockBit 3.0 gang. In May 2023 alone, the group released data from 67\r\nvictims they breached between April 2022 and May 2023. This rapid rise in activity and the significant number of\r\nvictims they have claimed have made them a major player in the ransomware landscape.\r\nTarget Sectors\r\nWhen looking at the companies attacked by the group, most of them operate in the\r\nProfessional Services industry, such as Accounting, Law and Legal Services, Business Services, etc. Apart from\r\nProfessional Services, companies operating in the Manufacturing, Construction, Finance and\r\nInsurance, and Healthcare industries also seem to be affected to a great extent.\r\nFigure 14. Distribution of industries of the companies affected by 8Base Ransomware (Source:\r\nSOCRadar)\r\nTarget Countries\r\nFigure 15. Countries Affected by 8Base Ransomware (Source: SOCRadar)\r\nAccording to the group’s attacks, they mostly targeted companies based in the United States, Brazil and the\r\nUnited Kingdom.\r\nFigure 16. Affected country distribution from 8Base Ransomware (Source: SOCRadar)\r\nThe attack frequency of 8Base Ransomware\r\nAs of the time of the research, 8Base has nearly 120 claims in total. The group had been sharing claims steadily in the past,\r\nbut since June 4, 2023, the number of claims in its postings has been observed to be much higher than its average.\r\nFigure 17. 
8Base Ransomware’s claim days and claim numbers in 2023\r\nSince April 3, 2022, when the group made its first post, the group has made a number of claim posts during 2022 that\r\nshould not be underestimated.\r\nFigure 18. 8Base Ransomware’s claim days and claim numbers in 2022\r\nConclusion\r\n8Base represents a new wave of ransomware groups that are highly active, aggressive, and sophisticated. Their\r\nrapid rise in activity and the significant number of victims they have claimed have made them a major player in\r\nthe ransomware landscape. Their use of double-extortion tactics, where they not only encrypt a victim’s data but\r\nalso threaten to publish it unless the ransom is paid, adds an additional layer of pressure on the victims and\r\nmakes their attacks even more damaging.\r\nThe group’s use of Ransomware-as-a-Service (RaaS) offerings and their sophisticated communication and\r\npublic relations strategies further highlight their capabilities. Their ability to adapt and evolve their tactics and\r\ntools, along with their aggressive approach, make them a significant threat that businesses need to be aware of.\r\nHowever, while the threat posed by 8Base is real and significant, it is not insurmountable. 
Businesses can protect\r\nthemselves by implementing robust cybersecurity measures, including keeping their systems and software\r\nupdated, training their employees to recognize and avoid phishing attacks, and using advanced detection tools to\r\nidentify and respond to threats quickly.\r\nMITRE ATT\u0026CK TTPs of 8Base Ransomware\r\nTechnique ID\r\nReconnaissance\r\nActive Scanning T1595\r\nPhishing for Information T1598\r\nResource Development\r\nAcquire Infrastructure T1583\r\nDevelop Capabilities T1587\r\nInitial Access\r\nPhishing: Spearphishing Attachment T1566.001\r\nExecution\r\nScheduled Task/Job T1053\r\nCommand and Scripting Interpreter T1059\r\nShared Modules T1129\r\nPersistence\r\nScheduled Task/Job T1053\r\nBoot or Logon Autostart Execution T1547\r\nRegistry Run Keys / Startup Folder T1547.001\r\nPrivilege Escalation\r\nScheduled Task/Job T1053\r\nBoot or Logon Autostart Execution T1547\r\nRegistry Run Keys / Startup Folder T1547.001\r\nDefense Evasion\r\nMasquerading T1036\r\nFile Deletion T1070.004\r\nModify Registry T1112\r\nIndirect Command Execution T1202\r\nFile and Directory Permissions Modification T1222\r\nVirtualization/Sandbox Evasion T1497\r\nImpair Defenses T1562\r\nDisable or Modify Tools T1562.001\r\nDisable or Modify System Firewall T1562.004\r\nHide Artifacts T1564\r\nHidden Files and Directories T1564.001\r\nCredential Access\r\nOS Credential Dumping T1003\r\nInput Capture T1056\r\nDiscovery\r\nProcess Discovery T1057\r\nSystem Information Discovery T1082\r\nFile and Directory Discovery T1083\r\nVirtualization/Sandbox Evasion T1497\r\nSecurity Software Discovery T1518.001\r\nLateral Movement\r\nTaint Shared Content T1080\r\nCollection\r\nData from Local System T1005\r\nInput Capture T1056\r\nData Staged T1074\r\nArchive Collected Data T1560\r\nCommand and Control\r\nApplication Layer 
Protocol T1071\r\nWeb Protocols T1071.001\r\nExfiltration\r\nExfiltration Over C2 Channel T1041\r\nImpact\r\nData Destruction T1485\r\nInhibit System Recovery T1490\r\nIoCs of 8Base:\r\nFor more IOCs, you can visit the Threat Actor/Malware page under the CTI module of SOCRadar XTI Platform.\r\nSource: https://socradar.io/dark-web-profile-8base-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-web-profile-8base-ransomware/"
	],
	"report_names": [
		"dark-web-profile-8base-ransomware"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775791524,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad6404e3931a3fd55adfc457f183496af70e1105.pdf",
		"text": "https://archive.orkl.eu/ad6404e3931a3fd55adfc457f183496af70e1105.txt",
		"img": "https://archive.orkl.eu/ad6404e3931a3fd55adfc457f183496af70e1105.jpg"
	}
}