8Base is a group that appeared in 2022 but became much more visible and active in 2023. The group branded themselves as “pen testers” and adopted a multi-extortion model like many other ransomware groups, which involved a data leak website hosted on the Tor network where victims were listed and threatened with data leaks.
“Phobos’ Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base,” Europol said. “Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact.”
8Base hackers primarily used phishing emails for initial compromise, then deployed the SystemBC remote access trojan for persistent access before deploying version 2.9.1 of the Phobos ransomware, which uses SmokeLoader for payload delivery. Over time, researchers observed similarities to RansomHub, another ransomware group.