8Base attacks ARPEGE
Date:
January 23, 2024
Overview
Title
8Base attacks ARPEGE
Victim
ARPEGE
Attacker
8Base
Location
Size of Attack
Unknown/TBD
First Reported
January 23, 2024
Last Updated
October 31, 2022
8Base ransomware group claimed an attack on ARPEGE. The group obtained several pieces of corporate data, including invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files, and other documents. ARPEGE (Audit, Revision, Patrimony, Evaluation, Management) is a chartered accountancy and auditing firm based in Rueil-Malmaison. The 8Base ransomware gang first emerged in March of 2022 and has quickly become one of the most active groups today, having displayed a "massive spike in activity" in the second half of 2023, making them one of the most significant threats in the wild. The sophistication of the operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023. Other researchers see a connection to the leaked Babuk builder. Like most groups today, 8Base engages in data exfiltration for double extortion and employs advanced security evasion techniques Including modifying Windows Defender Firewall for bypass. 8Base does not appear to have its own signature ransomware strain or maintain an RaaS for recruiting affiliate participation openly, but it is assessed they may service a group of vetted affiliate attackers privately. Like RansomHouse, they appear to use a variety of ransomware payloads and loaders in their attacks, most prevalently customized Phobos with SmokeLoader. Attacks also included wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption. 8Base does not appear to be targeting Linux systems, maintaining a focus on Windows targets. In Q4-2023, 8Base continued using a new variant of the Phobos ransomware payload, typically delivered with SmokeLoader. 8Base does not appear to maintain a RaaS program open to affiliate attackers, appearing to be opportunistic in their choice of victims with a focus on “name and shame” via their leaks site to compel payment of the ransom demand.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.