8Base Ransomware: The Rapidly Emerging Threat


New findings from VMware reveal that the 8BASE ransomware group, originally detected in March 2022, has been increasingly active over the last month. This hacker collective is employing known cybercrime methods but is now operating at an alarming pace, affecting multiple industries.

Who is 8Base?

Interestingly, 8Base describes itself as a group of “simple pen-testers” or “penetration testers.” Penetration testing can be a legitimate service, but in this case it is clearly anything but. Like other cybercriminals, 8Base maintains a “leak site,” where victims’ data is made available if they refuse to pay the ransom.

8BASE Ransomware DLS site

Despite the group’s rising activity, security experts have yet to decipher the exact methodology, motivation, and identity of these perpetrators. What’s evident is that this group operates swiftly and efficiently.

The VMware Findings

VMware’s analysis shows that 8Base’s communication style mirrors that of RansomHouse, another criminal organization that gained notoriety earlier this year when it executed a massive hack on AMD, seizing 450GB of financial data and research material. However, whether this collective can be classified as a genuine ransomware gang remains uncertain, as VMware notes the group seems to purchase stolen data and then extort businesses based on that information.

8base Ransomware Group Activity as tracked by VMware | Picture by VMware

The statistics surrounding 8BASE’s activity are staggering: in June, the ransomware gang went from having the fewest detections in over a year to the most.

Wide Range of Targets

8Base’s targets range from business service providers to financial services, manufacturing, IT, and healthcare. Consequently, VMware characterizes the group’s victim selection as “opportunistic.”

Unlike more brutal organizations such as RagnarLocker, 8BASE strives to maintain a semblance of legitimacy. Under the aforementioned “pen tester” guise, they claim to provide a service to the affected companies. They also offer a comprehensive FAQ and Terms of Service, and provide assurances about actions taken post-payment.

Terms and Service of the 8BASE ransomware group

Ambiguous Origin

The detection of 8BASE does not indicate any specific ransomware software as the basis for their methods. Additionally, VMware discovered variations in the ‘ransom note,’ with some resembling those of RansomHouse and others akin to another criminal group: Phobos.

Speculation Abounds

Despite the valuable insights gained, VMware concludes that the rest of the information remains speculative. Because the group uses various ransomware variants and its targets are so widespread, it’s challenging to form a clear profile of it.

8BASE Twitter and Telegram account

The 8BASE Ransomware Group operates the Twitter profile @8BASEHOME and, on Telegram, the channel eightbase.



Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
