Threat Actor Profile
Description
The 8base ransomware group made its first appearance in early March 2022 and remained relatively quiet after its initial attacks. The group operates like other ransomware actors, engaging in double extortion. In mid-May and June 2023, however, the operation saw a spike in activity against organizations from various sectors, listing 131 organizations in just 3 months.
The 8base data leak site was created and made available in March 2023, claiming honesty and simplicity in its messaging.
VMware published a report on 8base drawing similarities with the ransomware group `RansomHouse`, pointing out resemblances such as the website used by 8base and the ransom notes presented in its attacks.
Notably, 8base does not use ransomware developed by the group itself. Instead, the actors took advantage of leaked ransomware builders to customize the ransom note and present it to the victim organization as 8base's operation.
Source: https://github.com/crocodyli/ThreatActors-TTPs
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (28)
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'The 8base Ransomware group made its first appearance in early '
'March 2022, remaining somewhat quiet after the attacks. This '
'group operates like other ransomware actors, engaging in '
'double extortion. <BR> However, in mid-May and June 2023, the '
'ransomware operation saw a spike in activity against '
'organizations from various sectors, listing 131 organizations '
'in just 3 months.<BR> The 8base data leak site was created '
'and made available in March 2023, claiming honesty and '
'simplicity in its discourse.<BR> VMware published a report on '
'8base, drawing some similarities with the ransomware group '
'`RansomHouse`, pointing out resemblances such as the website '
'used by 8base and the ransom notes presented in its '
'attacks.<BR> Interestingly, the 8base Ransomware group does '
'not have its own ransomware developed by the group. Instead, '
'the actors took advantage of other leaked ransomware builders '
'to customize the ransom note and present it to the victim '
"organization as 8base's operation.<BR>Source : "
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2022-04-03T00:00:00+00:00',
'group': '8base',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2025-02-01T12:49:21.803823+00:00',
'locations': [{'available': False,
'fqdn': 'xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion',
'slug': 'http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion',
'title': 'This site has been seized',
'type': 'DLS'},
{'available': False,
'fqdn': 'xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion',
'slug': 'http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion',
'title': 'This site has been seized',
'type': 'DLS'},
{'available': False,
'fqdn': 'basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion',
'slug': 'http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/',
'title': 'Home',
'type': 'DLS'},
{'available': False,
'fqdn': '92.118.36.204.',
'slug': 'http://92.118.36.204',
'title': 'Home',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 3,
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['LaZagne',
'Mimikatz',
'NirSoft VNCPassView',
'NirSoft WebBrowserPassView',
'PasswordFox',
'ProcDump'],
'DefenseEvasion': ['GMER', 'PCHunter', 'ProcessHacker'],
'DiscoveryEnum': [],
'Exfiltration': ['RClone'],
'LOLBAS': ['PsExec'],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_id': 'T1053',
'technique_name': 'Scheduled Task/Job'},
{'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_id': 'T1129',
'technique_name': 'Shared Modules'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_id': 'T1053',
'technique_name': 'Scheduled Task/Job'},
{'technique_id': 'T1547',
'technique_name': 'Boot or Logon Autostart '
'Execution'},
{'technique_id': 'T1547.001',
'technique_name': 'Registry Run Keys/Startup '
'Folder'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_id': 'T1053',
'technique_name': 'Scheduled Task/Job'},
{'technique_id': 'T1547',
'technique_name': 'Boot or Logon Autostart '
'Execution'},
{'technique_id': 'T1547.001',
'technique_name': 'Registry Run Keys/Startup Folder'},
{'technique_id': 'T1134.001',
'technique_name': 'Token Impersonation/Theft'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_id': 'T1027',
'technique_name': 'Obfuscated Files or Information'},
{'technique_id': 'T1112',
'technique_name': 'Modify Registry'},
{'technique_id': 'T1202',
'technique_name': 'Indirect Command Execution'},
{'technique_id': 'T1027.002',
'technique_name': 'Software Packing'},
{'technique_id': 'T1036',
'technique_name': 'Masquerading'},
{'technique_id': 'T1564.001',
'technique_name': 'Hidden Files and Directories'},
{'technique_id': 'T1070.004',
'technique_name': 'File Deletion'},
{'technique_id': 'T1497',
'technique_name': 'Virtualization/Sandbox Evasion'},
{'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_id': 'T1003',
'technique_name': 'OS Credential Dumping'},
{'technique_id': 'T1056',
'technique_name': 'Input Capture'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_id': 'T1057',
'technique_name': 'Process Discovery'},
{'technique_id': 'T1135',
'technique_name': 'Network Share Discovery'},
{'technique_id': 'T1082',
'technique_name': 'System Information Discovery'},
{'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_id': 'T1497',
'technique_name': 'Virtualization/Sandbox Evasion'},
{'technique_id': 'T1518.001',
'technique_name': 'Security Software Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_id': 'T1080',
'technique_name': 'Taint Shared Content'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_id': 'T1005',
'technique_name': 'Data from Local System'},
{'technique_id': 'T1074',
'technique_name': 'Data Staged'},
{'technique_id': 'T1056',
'technique_name': 'Input Capture'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'},
{'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_id': 'T1485',
'technique_name': 'Data Destruction'}]}],
'url': 'https://www.ransomware.live/group/8base',
'victims': 455,
'vulnerabilities': []}