8Base attacks Bieler+Lang GmbH

Incident Date: Apr 22, 2024

Attack Overview
VICTIM
Bieler+Lang GmbH
INDUSTRY
Energy, Utilities & Waste
LOCATION
Germany
ATTACKER
8base
FIRST REPORTED
April 22, 2024

8Base Ransomware Group Attacks Bieler+Lang GmbH

Overview

The 8Base ransomware group has attacked Bieler+Lang GmbH and claims to have accessed sensitive information, including invoices, receipts, accounting documents, personal data, certificates, and a “huge amount of personal information.” Bieler+Lang offers a complete line of rugged, reliable, and hazardous area-rated fixed-point gas detectors to serve as a first line of defense against gas threats. Applications include oil and gas, petrochemicals, specialty chemicals, industrial refrigeration, water and wastewater treatment, plastics and fibers, pulp and printing, agriculture, manufacturing and other industrial processes.

Background

The 8Base ransomware gang first emerged in March of 2022 and has quickly become one of the most active groups today, having displayed a "massive spike in activity" in the second half of 2023. About half of the 8Base targets are in the business services, manufacturing, and construction sectors. The sophistication of the operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023. Other researchers see a connection to the leaked Babuk builder. Like most groups today, 8Base engages in data exfiltration for double extortion and employs advanced security evasion techniques, including modifying Windows Defender Firewall for bypass.

Operations

8Base quickly ascended the ranks of active ransomware operators with a high volume of attacks in late spring and throughout the summer of 2023, making them one of the most active groups. It is unclear how much 8Base typically demands for a ransom. 8Base does not appear to have its own signature ransomware strain or maintain a RaaS for recruiting affiliate participation openly, but it is assessed it may service a group of vetted affiliate attackers privately. Like RansomHouse, they appear to use a variety of ransomware payloads and loaders in their attacks, most prevalently customized Phobos with SmokeLoader. Attacks also include wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption. 8Base does not appear to be targeting Linux systems, but it maintains a focus on Windows targets. 8Base tends to target organizations that provide Business Services as well as those in the Manufacturing, Financial, and Information Technology sectors. 8Base does not appear to maintain a RaaS program, appearing to be opportunistic in their choice of victims, with a focus on “name and shame” via their leaks site to compel payment of the ransom demand.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.