THREAT ACTOR

8Base

THREAT LEVEL: 7.2
EMERGENCE DATE: Mar 2022
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS: Phobos (primary platform); operational similarities with RansomHouse

Description

8Base first appeared in March 2022 and grew into a prominent data-extortion operation by mid-2023, by which point it was the largest known affiliate in the Phobos ransomware ecosystem. The group customized the Phobos payload while keeping its own branding, leak site and negotiation channels under independent control. Operations targeted small and medium enterprises across multiple sectors, combining exploitation of exposed services and phishing with data theft for double extortion.

CRITICALITY: Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY: Evaluates the potential for damage from an attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS: Assesses the psychological and tactical intensity of the group's behaviour, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type of Actor: Ransomware-as-a-Service (RaaS) Affiliate

8Base went inactive in February 2025, after an international law-enforcement operation (Operation Phobos Aetor) took down its data-leak and negotiation sites, seized cryptocurrency wallets and hosting infrastructure, and arrested four suspected operators.

The group operated as the largest known affiliate within the Phobos ransomware ecosystem, customizing the base platform rather than writing its own locker. Researchers noted overlap with RansomHouse operations, particularly in ransom-note wording and leak-site design. Technical analysis also pointed to possible use of leaked Babuk builder components, though this is not confirmed; in all cases 8Base kept independent branding and operational control.


Origins and Methodology

8Base is notable for operational efficiency and rapid scaling rather than novel tooling. Researchers observed that the group sustained high attack volumes while avoiding the operational mistakes that often expose new ransomware crews early. Its methodology combines opportunistic targeting with disciplined post-compromise activity, maximizing both infection rates and payment likelihood.

The group gained notoriety through a sudden surge in May 2023, when victim listings on its leak site jumped from sporadic posts to more than 130 organizations in roughly three months. This growth, combined with technical indicators of experienced operators, placed 8Base among the most active ransomware threats of 2023. Its attacks show deliberate victim selection, favoring organizations where operational disruption creates maximum pressure for rapid payment.

Within the ecosystem, 8Base illustrates how affiliate operations evolve. Rather than developing new malware, the group tuned an existing Phobos build and invested in victim communication and data exfiltration. This pragmatic approach allowed rapid deployment while retaining enough technical capability to bypass common security controls.

What is the Evolution of 8Base Ransomware?
01 Formation

8Base emerged quietly in March 2022, initially conducting low-volume attacks while establishing infrastructure and refining tactics. The group likely formed from experienced ransomware operators seeking to leverage the proven Phobos codebase while maintaining operational independence.

02 Evolution

The transformation from minor player to major threat occurred in 2023. March saw the launch of a dedicated leak site, signalling the shift to professional double-extortion operations. By May, 8Base had established an operational tempo that let it compromise, encrypt and extort dozens of organizations in parallel. Technical improvements over the stock Phobos build included enhanced evasion and streamlined encryption.

03 Lineage/Connections

Strong technical similarities link 8Base to the broader Phobos family, with additional connections to RansomHouse methodologies. The group's rapid operational maturity suggests leadership with prior ransomware experience, possibly from disbanded groups seeking new platforms.

Which Unique Techniques Does 8Base Use?

Infection Vectors: 8Base is flexible in initial access, primarily using spearphishing with malicious attachments, exploitation of unpatched public-facing applications, and access purchased from initial access brokers. The group shows a particular affinity for exposed remote access services such as RDP.

Target Selection: Organizations with limited security resources are prime targets, especially small and medium businesses in healthcare, finance, and manufacturing. Geographic concentration in the United States and Brazil reflects both opportunity and operational preference, while consistent avoidance of CIS countries suggests Russian-speaking operators.

Operational Complexity: Coordinated campaigns against multiple targets at once, combined with evasion techniques, customized encryption routines, and professional negotiation tactics, indicate experienced leadership and well-drilled operators.

Key Features & Technical Details

Encryption Method: AES-256 in CBC mode, optimized for speed; large files are only partially encrypted
File Extension: .8base appended to encrypted files, with the victim ID embedded in the new file name
Double Extortion: Data is stolen before encryption and the group threatens to publish it via its Tor leak site
Platform Support: Primarily Windows; Linux capabilities have been reported
Ransom Demands: Range from thousands to hundreds of thousands of USD, payable only in Bitcoin
Negotiation Portal: Tor-based chat platform with professional communication protocols
Persistence Methods: Registry run keys, startup folder entries, scheduled tasks
Defense Evasion: Disables security tools and the host firewall, deletes shadow copies, modifies boot configuration to disable recovery
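The partial encryption of large files noted in the Encryption Method row has a practical consequence for detection: a whole-file entropy score is diluted by the untouched plaintext and can stay below an "encrypted" threshold, while a per-window scan still exposes the encrypted region. The following script, added here as an illustration and not code from the page or from 8Base/Phobos, shows that divergence on a constructed sample. The sample uses os.urandom as a stand-in for AES-CBC ciphertext (no real encryption is performed) followed by repetitive log-like plaintext; window size and threshold are assumptions to tune per environment.

```python
"""Windowed entropy check for files that may be only partially encrypted.

Added example for this profile, not 8Base or Phobos code. The sample data
is constructed: os.urandom stands in for AES-CBC ciphertext over the first
part of a file (no real encryption is performed), and repetitive log text
stands in for the untouched remainder.
"""
import math
import os
from collections import Counter

WINDOW_BYTES = 4096   # assumption: window size, tune to your file population
THRESHOLD = 7.5       # bits per byte; text scores ~4-5, ciphertext approaches 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW_BYTES) -> list:
    """Entropy of each consecutive fixed-size window (the last may be short)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def assess(data: bytes, window: int = WINDOW_BYTES, threshold: float = THRESHOLD) -> dict:
    """Return both a whole-file verdict and a windowed verdict.

    With partial encryption the whole-file average is pulled down by the
    plaintext remainder and stays below the threshold, while the windowed
    scan still exposes the encrypted region as 'hot' windows.
    """
    whole = shannon_entropy(data)
    per_window = window_entropies(data, window)
    hot = [i for i, e in enumerate(per_window) if e >= threshold]
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= threshold,
        "hot_windows": hot,
        "windowed_flagged": bool(hot),
    }


def build_partially_encrypted_sample(total_size: int = 1 << 20,
                                     encrypted_prefix: int = 64 * 1024) -> bytes:
    """Constructed sample: high-entropy prefix followed by log-like plaintext.

    The 64 KiB prefix equals exactly 16 windows of 4096 bytes, so the hot
    windows for the default parameters are indices 0..15.
    """
    line = b"2024-01-15 10:32:11 INFO order=4471 status=shipped region=us-east\n"
    repeats = (total_size - encrypted_prefix) // len(line) + 1
    body = (line * repeats)[: total_size - encrypted_prefix]
    return os.urandom(encrypted_prefix) + body


if __name__ == "__main__":
    verdict = assess(build_partially_encrypted_sample())
    print(verdict)
```

On the constructed sample the whole-file score lands around 5 bits per byte and is not flagged, while the first 16 windows each score close to 8 and are. Any scanner that samples only the tail of a file, or only its average, will miss a locker that encrypts a leading segment; sample several regions.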

Activities

Small and medium enterprises across multiple sectors fell victim to 8Base, as the group specifically sought out organizations lacking cybersecurity resources and incident response capability. After a low-volume start in 2022, the group sustained high attack volumes from mid-2023 through 2024 before law-enforcement action disrupted its operations in early 2025. Attack patterns showed systematic exploitation of common vulnerabilities and misconfigurations typical of smaller organizations.

Which Industries Are Most Vulnerable to 8Base?

Healthcare organizations face disproportionate targeting due to critical data sensitivity and operational pressure. Finance sector victims attract 8Base through high-value data and regulatory compliance concerns that increase payment likelihood. Manufacturing companies suffer from just-in-time operational models that amplify encryption impact.

Small to medium businesses across all sectors remain particularly vulnerable due to limited security budgets and incident response capabilities. These organizations often lack comprehensive backup strategies and security monitoring that might detect 8Base's initial compromise activities. The group specifically seeks targets where the cost of downtime exceeds ransom demands, creating favorable negotiation dynamics.

Modus Operandi

Attacks follow a refined kill chain that balances automation with manual oversight. Initial compromise typically occurs through weakly secured remote services or phishing, followed by reconnaissance to identify high-value data. Once inside, the group deploys SmokeLoader for staging and the SystemBC RAT for command and control, and runs PowerShell scripts for host and network reconnaissance. Operators are patient during lateral movement, often dwelling in networks for days while mapping resources and disabling security controls before encryption.

TACTIC: DETAILS

Initial Access: Spearphishing attachments (T1566.001), exploitation of public-facing applications (T1190), RDP brute force (T1110), purchases from initial access brokers

Discovery: PowerShell scripts for reconnaissance, automated data-discovery scripts

Execution: SmokeLoader deployment, SystemBC RAT installation

Defense Evasion: Defender disabling via WMIC, firewall deactivation, shadow copy deletion, security process termination (T1562.001)

Credential Access / Privilege Escalation: Mimikatz for credential dumping (T1003), exploitation of unpatched local vulnerabilities

Command and Control: SystemBC C2 servers on the standard HTTPS port (443/TCP), with 8443/TCP used as a backup channel

Lateral Movement: RDP tunneling, SMB propagation, Cobalt Strike beacons for network traversal

Exfiltration: Compression and staging before transfer, use of legitimate cloud services

Persistence: Registry run keys and startup folder entries (T1547.001), scheduled task creation (T1053.005)

Collection: Focus on financial records and intellectual property

Impact (Encryption): AES-256 deployment (T1486), optimized for speed with partial encryption of large files

Extortion: Ransom note distribution, Tor-based negotiation portal, demands from thousands to hundreds of thousands of USD, Bitcoin only

Impact (Recovery): System recovery disabling and shadow copy deletion (T1490)
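The Defense Evasion and Impact rows above describe a short burst of built-in Windows commands (shadow copy deletion, boot-recovery tampering, firewall shutdown) that runs just before encryption. That burst is one of the last reliable detection points before files are lost, so it is worth correlating per host rather than alerting on single commands, which administrators also run. The script below is an added example for this profile, not 8Base or Phobos tooling and not a vendor detection. Its events are constructed; their fields mirror a Sysmon Event ID 1 / Security 4688 export but no real telemetry is used. The profile says Defender was disabled "via WMIC" without quoting a command, so the Set-MpPreference rule is a common variant included as an assumption, and the ten-minute window and two-rule minimum are tuning assumptions.

```python
"""Correlate pre-encryption command-line activity per host.

Added example for this profile, not 8Base or Phobos code. SAMPLE_EVENTS is
constructed JSON-lines telemetry; the Set-MpPreference rule is an assumed
common variant, as the profile does not quote the Defender command used.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rule name -> (ATT&CK technique, command-line pattern)
RULES = {
    "vssadmin_delete_shadows": ("T1490", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    "wmic_shadowcopy_delete": ("T1490", re.compile(
        r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    "bcdedit_disable_recovery": ("T1490", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    "wbadmin_delete_catalog": ("T1490", re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    "netsh_firewall_off": ("T1562.004", re.compile(
        r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    "defender_realtime_off": ("T1562.001", re.compile(   # assumed variant
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
}

ALERT_WINDOW = timedelta(minutes=10)  # assumption: per-host correlation window
MIN_DISTINCT_RULES = 2                # a lone hit is a triage item, not an alert

# Constructed telemetry: WS01 runs the Phobos-style sequence, FS02 runs
# look-alike but benign commands, ADMIN01 runs a single backup-admin command.
SAMPLE_EVENTS = """
{"time": "2024-03-04T02:14:05", "host": "WS01", "pid": 4120, "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"time": "2024-03-04T02:14:06", "host": "WS01", "pid": 4128, "command_line": "wmic.exe shadowcopy delete"}
{"time": "2024-03-04T02:14:07", "host": "WS01", "pid": 4133, "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}
{"time": "2024-03-04T02:14:07", "host": "WS01", "pid": 4137, "command_line": "bcdedit.exe /set {default} recoveryenabled no"}
{"time": "2024-03-04T02:14:08", "host": "WS01", "pid": 4142, "command_line": "netsh.exe advfirewall set currentprofile state off"}
{"time": "2024-03-04T09:30:00", "host": "FS02", "pid": 2210, "command_line": "vssadmin.exe list shadows"}
{"time": "2024-03-04T09:31:12", "host": "FS02", "pid": 2244, "command_line": "netsh.exe advfirewall show allprofiles"}
{"time": "2024-03-04T11:00:00", "host": "ADMIN01", "pid": 880, "command_line": "wbadmin.exe delete catalog -quiet"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def match_rules(command_line: str) -> list:
    """Sorted names of every rule whose pattern matches the command line."""
    return sorted(name for name, (_, rx) in RULES.items() if rx.search(command_line))


def scan(events: list) -> list:
    """Produce one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name in match_rules(ev["command_line"]):
            hits.append({"host": ev["host"], "time": ev["time"], "pid": ev["pid"],
                         "rule": name, "technique": RULES[name][0],
                         "command_line": ev["command_line"]})
    return hits


def correlate(hits: list, window: timedelta = ALERT_WINDOW,
              min_rules: int = MIN_DISTINCT_RULES) -> list:
    """Raise one alert per host whose hits span >= min_rules distinct rules
    within `window` of each other; a lone hit (e.g. an admin clearing a
    backup catalog) stays a triage item rather than an alert."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["time"])
        for i, first in enumerate(host_hits):
            rules = {first["rule"]}
            for later in host_hits[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                rules.add(later["rule"])
            if len(rules) >= min_rules:
                alerts.append({"host": host, "start": first["time"].isoformat(),
                               "rules": sorted(rules),
                               "techniques": sorted({RULES[r][0] for r in rules})})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for hit in found:
        print(f'{hit["time"]} {hit["host"]} {hit["rule"]} ({hit["technique"]}): {hit["command_line"]}')
    print(correlate(found))
```

The benign look-alikes on FS02 (listing shadows, showing firewall profiles) match nothing, and the single wbadmin command on ADMIN01 is reported as a hit but does not reach the alert threshold; WS01 produces one alert covering four distinct rules within three seconds. In production, feed the same logic from your EDR or SIEM process-creation stream and tune the window to how quickly the locker stage runs in your environment.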

Indicators of Compromise (IOCs)

File Hashes:
SmokeLoader variant: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c (SHA-256)
Persistence module: EDDD.exe (multiple variants observed; hash varies)
Encryption component: F10A.exe (hash varies by version)

IP Addresses / Ports:
No fixed C2 IP addresses are listed. SystemBC C2 servers operate on the standard HTTPS port (443/TCP), with 8443/TCP used as a backup channel.

Domains/URLs:
Primary contact: rexsdata[.]pro (ransom note communications)
Multiple Tor addresses for victim portals (randomized per campaign)

File Paths:
%AppData%\Local\EDDD.exe (persistence)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\ (autostart)
C:\Users\Public\Desktop\info.hta (ransom note)
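The indicators above (and the .8base extension and startup-folder persistence from the Key Features section) are easiest to sweep for offline once two details are handled: the contact domain is printed defanged (rexsdata[.]pro) and must be refanged before matching, and the persistence path is written as %AppData%\Local\EDDD.exe although %AppData% normally resolves to ...\AppData\Roaming, so a literal expansion could miss the sample. The following sweep is an added example, not code from the page or from 8Base/Phobos; its records are constructed, and the path pattern accepting both the Roaming and the plain AppData parent is an assumption made to avoid that miss.

```python
"""Offline IOC sweep over constructed host and DNS records.

Added example for this profile, not 8Base or Phobos code. The indicators
are copied from the profile; SAMPLE_RECORDS are made up. The %AppData%
expansion accepting both ...\\AppData and ...\\AppData\\Roaming is an
assumption (the profile's path would otherwise expand to Roaming\\Local).
"""
import re

IOC_SHA256 = {
    "518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c": "SmokeLoader variant",
}
IOC_DOMAINS_DEFANGED = ["rexsdata[.]pro"]
IOC_PATHS = [
    ("%AppData%\\Local\\EDDD.exe", "persistence module EDDD.exe"),
    ("%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", "autostart folder drop"),
    ("C:\\Users\\Public\\Desktop\\info.hta", "ransom note info.hta"),
]
ENCRYPTED_EXT = re.compile(r"\.8base$", re.I)

# Environment tokens expanded into regex fragments (any drive, any user).
ENV_TOKENS = {
    "%appdata%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData(?:\\Roaming)?",  # assumption, see docstring
    "%programdata%": r"[A-Za-z]:\\ProgramData",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def path_pattern(ioc_path: str):
    """Compile a path IOC into a case-insensitive regex.

    A leading %TOKEN% becomes the matching ENV_TOKENS fragment; a trailing
    backslash marks a directory IOC, which matches any file directly inside.
    """
    m = re.match(r"^(%[^%]+%)(.*)$", ioc_path, re.S)
    if m:
        prefix = ENV_TOKENS[m.group(1).lower()]
        rest = re.escape(m.group(2))
    else:
        prefix, rest = "", re.escape(ioc_path)
    if ioc_path.endswith("\\"):
        rest += r"[^\\]+"
    return re.compile("^" + prefix + rest + "$", re.I)


PATH_PATTERNS = [(path_pattern(p), label) for p, label in IOC_PATHS]
DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def sweep(records: list) -> list:
    """Return (host, observable, reason) for every record touching an IOC."""
    hits = []
    for rec in records:
        if rec["type"] == "file":
            path = rec["path"]
            sha = rec.get("sha256", "").lower()
            if sha in IOC_SHA256:
                hits.append((rec["host"], path, "hash: " + IOC_SHA256[sha]))
            for rx, label in PATH_PATTERNS:
                if rx.match(path):
                    hits.append((rec["host"], path, "path: " + label))
            if ENCRYPTED_EXT.search(path):
                hits.append((rec["host"], path, "extension: .8base encrypted file"))
        elif rec["type"] == "dns":
            if refang(rec["query"]) in DOMAINS:
                hits.append((rec["host"], rec["query"], "domain: ransom note contact"))
    return hits


# Constructed records: true positives for each indicator type plus benign noise.
SAMPLE_RECORDS = [
    {"type": "file", "host": "WS01", "path": "C:\\Users\\alice\\AppData\\Local\\EDDD.exe"},
    {"type": "file", "host": "WS01", "path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\EDDD.exe"},
    {"type": "file", "host": "WS01", "path": "C:\\Users\\Public\\Desktop\\info.hta"},
    {"type": "file", "host": "WS01", "path": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "file", "host": "FS02", "path": "D:\\Finance\\Q3_budget.xlsx.8base"},
    {"type": "file", "host": "WS03", "path": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "sha256": "518544E56E8CCEE401FFA1B0A01A10CE23E49EC21EC441C6C7C3951B01C1B19C"},
    {"type": "dns", "host": "WS03", "query": "rexsdata.pro"},
    {"type": "dns", "host": "FS02", "query": "www.example.com"},
]

if __name__ == "__main__":
    for host, observable, reason in sweep(SAMPLE_RECORDS):
        print(f"{host}: {reason} -> {observable}")
```

Hashes are matched case-insensitively because exports differ in case, and only the SmokeLoader hash is fixed: EDDD.exe and F10A.exe vary per build, so they are hunted by location rather than by digest. Treat a .8base extension hit as an active incident, not a hunting lead.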

Exploits and Vulnerabilities

CVE-2023-35078 (Ivanti EPMM authentication bypass), CVSS 9.8: Allows an unauthenticated remote attacker to reach EPMM API paths, exposing user data and permitting configuration changes such as creating an administrative account; it is not by itself a code-execution flaw.

CVE-2023-27532 (Veeam Backup & Replication), CVSS 7.5: Allows an unauthenticated attacker with network access to retrieve encrypted credentials stored in the Veeam configuration database, enabling access to backup infrastructure.