The 8Base ransomware gang has displayed a "massive spike in activity," according to reports, with 67 attacks as of May 2023 and about half of its targets in the business services, manufacturing, and construction sectors.
Having first emerged around March of 2022, 8Base bears a "strikingly similar" profile to that of the RansomHouse operators, with overlap in the ransom note language and on its data leak portal.
"The verbiage is copied word for word from RansomHouse's welcome page to 8Base's welcome page. This is the case for their Terms of Service pages and FAQ pages," The Hacker News reports.
Researchers noted that a Phobos ransomware sample uses an .8base file extension for encrypted files, raising the prospect that 8Base could be a successor of the Phobos gang, or that “the attackers are simply making use of already existing ransomware strains without having to develop their own custom locker.”
"The speed and efficiency of 8Base's current operations does not indicate the start of a new group but rather signifies the continuation of a well-established mature organization," the researchers said. "Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen."
Takeaway: With a precipitous decline in attacks over 2022, some researchers supposed that 2023 ransomware attack volumes would also show a decline, but the fact is that ransomware is still the number one threat to organizations, with dozens of new groups emerging.
The lull in attacks in 2022 does not reflect a move by threat actors away from ransomware, but instead is evidence that these malicious actors can be diverted from their criminal activities to support state-sponsored operations as directed by the Russian regime.
“Groups like 8Base demonstrate that we have not even begun to see an abatement of the ransomware problem, and it is only a matter of time before we see some really big, disruptive attacks against our critical infrastructure providers. With a precipitous decline in attacks over 2022, some researchers supposed that ransomware 2023 attack volumes would also show a decline. However, the fact is that ransomware is still the number one threat to organizations, with dozens of new groups emerging,” Jon Miller, CEO and Co-founder at Halcyon, told CyberWire.
“March 2023 will go down in the books as the most prolific period so far for the volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year. It is more than apparent that the majority of ransomware gangs are either loosely affiliated or wholly controlled by the Russian government, with ample overlap between threat actors, tooling, and attack infrastructure,” Miller continued.
“The observed overlap between threat groups, their code base, TTPs and other indicators of compromise makes the task of tracking these groups even more difficult. We typically had RaaS providers who used the same moniker as their ransomware variant. We will never be able to stop ransomware attacks, but we can stop them from being successful by arresting the attack at ingress or lateral movement; by preventing data exfiltration; by blocking execution of the ransomware payload; by rapidly recovering systems and minimizing downtime.”