“It is up for debate whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money,” VMware said in its report.
Comparing the ransom notes of the two groups, the researchers found a 99% linguistic match. The language on both groups’ leak sites was also identical.
“The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page,” VMware said.
The only two major differences between the groups were that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base does not.
“Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat,” VMware said, adding that RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison. “Interestingly, while researching 8Base we weren’t able to find a single ransomware variant either,” VMware said.
Similarities with Phobos Ransomware
While searching for a sample of the ransomware used by 8Base Ransom Group, researchers recovered a Phobos sample that used a “.8base” file extension on encrypted files. “A comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader,” VMware said.