8base (1cc6ada3-a632-54a4-9df1-f41287e3f566)

8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) | Attack Pattern | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 1 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 8base (1cc6ada3-a632-54a4-9df1-f41287e3f566) | Ransomware | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 2 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |