Originally beginning its operations with smaller-scale campaigns in 2022, 8Base quickly evolved, making a significant mark by May 2023 with the launch of a TOR-based victim blog site to publicize their operations and demands. The group swiftly became a notable threat in the cybercrime world, employing a sophisticated multi-extortion model. This approach drew parallels with established ransomware families like Phobos and Hive, showcasing their capability to execute complex cyberattacks.

8Base has orchestrated targeted attacks across diverse sectors such as finance, manufacturing, information technology, and healthcare, predominantly affecting small and medium-sized businesses in the United States, Brazil, and the United Kingdom. They gain initial access through phishing emails or by purchasing entry from initial access brokers, subsequently delivering their ransomware as a later-stage payload in broader malware campaigns.

Once entrenched, 8Base employs double extortion tactics; they encrypt data and threaten to leak it unless a ransom is paid. Their customized variant of Phobos ransomware, marked by the “.8base” extension, showcases their technical adaptability and strategic use of Ransomware-as-a-Service (RaaS) offerings. This approach not only maximizes their disruptive impact but also significantly enhances the group’s leverage during extortion attempts.