Podcasts
Ransomware Leak Sites
8Base
Active Since
April 2022
Total Victims as of January 2024
263
Known Forum Aliases
N/A
Active Forum Accounts
N/A
Top Targeted Geographies
US, Brazil, UK
The 8Base dark web leak site appeared in June 2023 but the group is reported to have been active since early 2022.
Its activity accelerated in the summer of 2023 and since then it has been consistent in posting victims, quickly becoming one of the most active groups we track (with more than 260 total victims at the time of publication).
Its top three targeted industries are commercial & professional services, capital goods, and healthcare equipment & services. 8Base uses double extortion tactics – as well as encrypting an organization’s data it also exfiltrates data and threatens to leak it on its dark web leak site.
8Base uses a variant of Phobos ransomware in its attacks, modified to append a “.8base” extension onto encrypted files. Researchers have also noted that 8Base’s leak site bears many textual similarities to the leak site used by data extortion operation RansomHouse, which might suggest a connection between the two groups.
In September 2023, the cybersecurity researcher Brian Krebs demonstrated that at least some of the 8Base leak site code was written by a 36-year-old programmer residing in the capital city of Moldova.
Related Content
Videos
How can you identify ransomware operators targeting you on the dark web?
Knowledge Base
Vice Society
Vice Society stopped posting victims to its dark web leak site in June 2023 and went offline in December. Some security analysts note similarities in the TTPs of Vice Society and those used by Rhysida.
Knowledge Base
LockBit
LockBit was the most active ransomware group by number of listed victims on its dark web leak site in 2022 and 2023. In February 2024 its leak site was seized in Operation Cronos.
Knowledge Base
Cl0p
Cl0p is notable for its approach of using vulnerabilities in supply chain software to target multiple organizations, announcing them in a batch at a later date.
Knowledge Base
Akira
Akira appears to be a novel ransomware, written in C++, with versions targeted both at Windows machines and Linux operating systems. It has quickly become one of the most prolific ransomware groups.
Knowledge Base
BlackCat
The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.
