The 8BASE ransomware group is reportedly behind cyberattacks on four organizations, marking an expansion of their data-extortion operations. The targeted entities include Employ Milwaukee and Davis, Cedillo & Mendoza, Inc. in the United States, involved in workforce development and business litigation, respectively, and Horizon Spa & Pool Parts and Socadis in Canada, engaged in pool and spa parts distribution and book distribution.
Despite the severity of the 8BASE ransomware attacks, the affected organizations’ websites show no visible signs of abnormalities on the front end, which suggests the intrusions were aimed at backend systems rather than the public sites. Targeting the backend lets the ransomware group reach critical information such as databases, server details, and activity logs, and potentially gain unauthorized access to a company’s wider IT network, while the outward-facing website stays intact and gives no early warning.
The 8BASE ransomware group is distinct for its data-extortion tactics, swiftly encrypting local drives and shares using AES256 in CBC mode and appending the “.8base” extension. The group disables Windows Defender’s Advanced Firewall, removes Volume Shadow Copies, alters the host’s startup policy, establishes persistence in the Windows Startup folder and registry, and leaves ransom notes in text and .HTA formats in affected folders.
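The behaviours listed above (shadow-copy removal, firewall disablement, startup-policy tampering, Run-key persistence, the “.8base” extension and .HTA/.txt ransom notes) are the kind of host telemetry a defender can match on. The following is an added detection example, written for this page and not code from the article or from any vendor; it assumes a hypothetical process-creation log layout (`<timestamp> <host> <image> | <command line>`), uses the commonly documented command patterns for each behaviour (the article does not give 8BASE’s exact command lines, so the regexes are assumptions, not signatures taken from a sample), and treats any .hta or .txt file that sits in a folder of “.8base” files as a candidate ransom note, since the article does not state the note filenames. All log lines and paths are constructed sample data.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# --- Part 1: process-creation telemetry ------------------------------------
# Constructed sample events in a hypothetical "<ts> <host> <image> | <cmdline>"
# layout. Illustrative only; not captured 8BASE telemetry.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z WS01 C:\\Windows\\System32\\vssadmin.exe | vssadmin delete shadows /all /quiet",
    "2024-01-01T10:00:02Z WS01 C:\\Windows\\System32\\netsh.exe | netsh advfirewall set allprofiles state off",
    "2024-01-01T10:00:03Z WS01 C:\\Windows\\System32\\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2024-01-01T10:00:04Z WS01 C:\\Windows\\System32\\reg.exe | reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\Users\\Public\\svc.exe",
    # Benign administrative look-alikes on another host: must NOT fire.
    "2024-01-01T10:05:00Z WS02 C:\\Windows\\System32\\netsh.exe | netsh advfirewall show allprofiles",
    "2024-01-01T10:06:00Z WS02 C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows",
]

# One rule per behaviour named in the article. Patterns are the widely
# documented forms of these actions (assumed, not 8BASE-specific).
RULES = {
    "shadow_copy_removal":   re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "firewall_disabled":     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "startup_policy_tamper": re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\b", re.I),
    "run_key_persistence":   re.compile(
        r"\breg(\.exe)?\s+add\s+\"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I),
}


def parse_event(line):
    """Split one hypothetical-format event into its fields (image path assumed to have no spaces)."""
    head, _, cmdline = line.partition(" | ")
    ts, host, image = head.split(" ", 2)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline.strip()}


def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect_hosts(lines, min_behaviours=2):
    """Alert on hosts showing at least `min_behaviours` distinct ransomware behaviours.

    Requiring several distinct behaviours on one host keeps a lone, legitimate
    admin command (e.g. a scripted shadow cleanup) from paging the SOC.
    """
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_behaviours}


# --- Part 2: file-system indicators ----------------------------------------
# Constructed directory listing; paths are hypothetical.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\q1.xlsx.8base",
    r"C:\Shares\Finance\q2.xlsx.8base",
    r"C:\Shares\Finance\info.hta",
    r"C:\Shares\Finance\info.txt",
    r"C:\Shares\HR\policy.docx",
    r"C:\Shares\HR\setup.hta",   # an .hta with no encrypted neighbours: not flagged
]


def flag_affected_dirs(paths):
    """Flag folders that contain '.8base' files together with a candidate .hta/.txt ransom note."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].append(wp.name.lower())
    flagged = {}
    for folder, names in by_dir.items():
        encrypted = [n for n in names if n.endswith(".8base")]
        notes = [n for n in names if n.endswith((".hta", ".txt"))]
        if encrypted and notes:
            flagged[folder] = {"encrypted": len(encrypted), "notes": sorted(notes)}
    return flagged


if __name__ == "__main__":
    print(detect_hosts(SAMPLE_EVENTS))
    print(flag_affected_dirs(SAMPLE_PATHS))
```

Run as-is, the script reports WS01 with all four behaviours and leaves WS02 quiet, and it flags only the Finance share, where encrypted files and a note coexist. In a real deployment the event parser would be replaced by the SIEM’s own field extraction and the file-system check would run against volume snapshots or EDR file events, but the correlation logic (several distinct behaviours per host, encrypted files plus a note per folder) is what keeps the alerting precise.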
While the extent and impact of the attacks are yet to be officially confirmed by the affected organizations, the 8BASE ransomware group has previously targeted small- to medium-sized businesses across various sectors. Their modus operandi involves rapid data encryption, disruption of security controls, and swift extortion of their victims over the sensitive information taken.