Skip to content

Hide Navigation Hide TOC

8base (1cc6ada3-a632-54a4-9df1-f41287e3f566)

8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.

Cluster A Galaxy A Cluster B Galaxy B Level
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) Ransomware 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2