The notorious 8BASE ransomware group has allegedly targeted four new victims, adding to the growing list of organizations falling prey to their data-extortion cybercrime operation
. This latest 8BASE ransomware attack includes three American companies and one Canadian firm – Employ Milwaukee, Horizon Spa & Pool Parts, Socadis, and Davis, Cedillo & Mendoza, Inc.
The 8BASE ransomware gang has been notorious for infiltrating various sectors, and this time, they have claimed cyberattacks on American companies and Canadian businesses, spanning business litigation, workforce development, pool and spa parts distribution, and Canadian book distribution.
8BASE Ransomware Attack: Four Alleged Victims
Davis, Cedillo & Mendoza, Inc., a firm specializing in business litigation and real estate transactions, along with Employ Milwaukee, a key player in Milwaukee County’s workforce development, have both allegedly fallen victim to the 8BASE ransomware attack.
Additionally, Horizon Spa & Pool Parts, a wholesale distributor of pool and spa components, and Socadis, a Canadian distribution company in the book industry, have also suffered from this cyber assault.
The threat actor’s posts on the dark web reveal the extent of the cyberattack on American companies, including the unauthorized access and release of sensitive information such as invoices, receipts, accounting documents, personal data, certificates, employment contracts, and other confidential files.
The Cyber Express has reached out to the affected organizations to gather more information on the 8BASE ransomware attack. However, as of now, no official statements or responses have been received, leaving the claims of this cyberattack on American and Canadian companies unverified.
The 8BASE Modus Operandi
Notably, despite the severity of the 8BASE ransomware attack, the websites of the targeted organizations remain fully functional, showing no visible signs of abnormalities. This suggests that the ransomware group may have strategically attacked the backend of the websites, leaving the front end unaffected.
The backend of a website contains critical information such as databases, server details, and activity logs, making it a prime target for cybercriminals aiming to gain unauthorized access to a company’s IT network.
It is important to clarify that 8BASE is not solely a ransomware operation but a data-extortion cybercrime group, distinguishing itself through the swift extortion of sensitive information.
The group has resurfaced with a notable spike in activity in May and June 2023, targeting small- to medium-sized businesses across various sectors, including professional, scientific, technical, manufacturing, construction, and healthcare.
8Base ransomware swiftly encrypts local drives and shares with AES256 in CBC mode, appending the .8base extension. It disables Windows Defender’s Advanced Firewall, removes Volume Shadow Copies, and alters the host’s startup policy.
Persistence is established in the Windows Startup folder and registry, with ransom notes in the text and .HTA formats left in affected folders.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
