article featured image


In May and June 2023, 8Base, a previously undetected ransomware threat, experienced a significant increase in its operations after remaining under the radar for over a year.

According to a report by VMware, 8Base employs encryption and “name-and-shame” tactics to coerce victims into paying ransoms. The group exhibits an opportunistic pattern, targeting victims across diverse industries.

67 attacks have been linked to 8Base as of May 2023, with approximately 50% of the victims belonging to the business services, manufacturing, and construction sectors, primarily located in the United States and Brazil.

The Threat Actors` Identity

The identity of the ransomware operators remains largely unknown, leaving its origins shrouded in mystery. However, the group has been active since at least March 2022, with the actors referring to themselves as “simple pentesters.”

Researchers have observed striking similarities between 8Base and another ransomware group called RansomHouse, in the sense that language used in ransom notes and data leak portals suggests direct copying from RansomHouse. However, 8Base does not openly advertise partnerships like its counterpart. Notably, a Phobos ransomware sample using the “.8base” file extension has been identified, hinting at a potential connection between 8Base and Phobos or the utilization of existing ransomware strains.

Experts speculate that 8Base represents a mature organization rather than a new group, given its speed and efficiency. The emergence of 8Base aligns with a broader trend of new ransomware variants entering the market, such as Big Head, CryptNet, Mallox, and Xollam. Established families like BlackCat, LockBit, and Trigona continue to enhance their capabilities, expanding their reach beyond Windows to infect Linux and macOS systems.

Furthermore, cybersecurity analysts highlight instances of threat actors adopting each other’s code and the use of different types of malware by affiliate groups. These practices contribute to the constant evolution of ransomware, with added features and support for multiple platforms being developed to maintain malicious activities.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube, for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *