• Home
  • News
  • "Moral" 8Base Ransomware Targets 2 New Victims

“Moral” 8Base Ransomware Targets 2 New Victims

Miklos Zoltan

By Miklos Zoltan . 3 February 2024

Founder - Privacy Affairs

Alex Popa

Fact-Checked this


2 new 8Base victims surfaced recently from Spain and US. HELPHONE and Midway Ford found themselves in hot water after 8Base breached their systems and stole important data.

  • Both victims are in the heavyweight category in their respective fields with a large pool of clients all over the world
  • Neither of them has commented on the recent attacks
  • The attack took place on February 2nd and the victims received a deadline to complete negotiations and release the ransom
  • The value of the ransoms is unknown

8Base is a more peculiar cybercriminal organization due to its MO and self-stated motivation. Despite compromising their targets’ systems and stealing valuable data, 8Base doesn’t necessarily encrypt it on the parent system.

Rather, they will simply clone it and threaten to release it publicly, should the victim refuse to pay. The reason for this tactic, in 8Base’s own words, is the willingness to “help” those with poor cybersecurity.

X showing the 8BASE attack on the 2 victims

That being said, 8Base too demands a ransom in exchange for deleting the files. If no consensus is reached during the negotiations or the victim refuses to pay, 8Base will release the stolen data publicly.

What to Know About 8Base

8Base first became public in March of 2022, but didn’t show any meaningful activity until almost a year later, in June of 2023. The organization planned and executed a number of ransomware attacks on US targets belonging to several sectors.

Despite claiming that they don’t use the double extortion practice, that’s not entirely true. Some victims have had their systems encrypted, although many have not had this problem.

As to the organization’s identity, internal structure, and operators, little-to-nothing is known. 8Base keeps its cards close to its chest. Despite that, some hints have been discovered in relation to the group’s potential identity, more specifically in how they operate.

Specialists have identified similarities between 8Base and other cybercriminal organizations like RansomHouse and Phobos. These groups also alternate ransomware attacks and data-extortion practices.

This may either suggest that 8Base is a puppet organization, liked to one of the 2, or that they influence each other. The latter is more likely, given that cybercriminal organizations often copy each other’s successful strategies.

They also join efforts to conduct larger operations against more secured targets.

Another important aspect of 8Base’s main MO is the tendency to sell the stolen data to friendly extortion groups. One of these groups is RansomHouse. RansomHouse then uses the data to blackmail the initial victim in addition to 8Base doing the same.

This type of partnership has the potential to be even more destructive than a simple ransomware breach. Even so, it’s been reported that most victims refuse to pay and decide to face the consequences associated with the data leak.

Despite its slow start, 8Base has quickly grown into a formidable force in the ransomware sphere. They have performed numerous attacks on high-profile targets, although not much is known about their success.

One thing is for sure, 8Base is worth keeping an eye on.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

1 Comment

  • #StopRansomware: Phobos Ransomware – Benjamin Manem

    June 19, 2024 9:22 pm

    […] The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2] […]

Leave a Comment