Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets in April 2024

Notice
 

This trend report on the deep web and dark web of March 2024 is sectioned into Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed to be true.

 

Major Issues

 

1) Ransomware

 

 

(1) 8Base
 

The 8Base ransomware gang first became known in May 2023 and, depending on its activities, is called either a ransomware gang or a data extortion gang. This is because when the gang first surfaced, it only extorted data without using ransomware. The gang does not possess its own ransomware and is known to use a variant of the Phobos ransomware. Cybercrime groups of this type are generally categorized by the attack techniques they employ most often, so 8Base is usually referred to as a ransomware gang.

On April 3, 2024, the ransomware gang announced a Korean paint manufacturer as a victim and posted the company on its dedicated leak site (DLS). As of April 5, the gang is threatening to release the company’s data.

After the date they designated passed, the gang posted to their DLS an external link to an online file distribution platform for the exfiltrated data.

 


Figure 1. The company listed as a victim on the 8Base Ransomware gang’s DLS

The gang claims to have exfiltrated the following data from the affected company.

  • Invoices
  • Receipts
  • Accounting documents
  • Personal data
  • Certificates
  • Employment contracts
  • Large volumes of confidential information
  • Confidentiality agreements
  • Personal files
  • Others

 

However, at that time, the exfiltrated files did not exist on the online file platform link provided by the gang (the folder was marked as empty). In early May, when this report was written, the link to the file-sharing platform had been removed.

 


Figure 2. External file-sharing platform where the ransomware gang released the exfiltrated data

 

This breach follows a typical tactic of ransomware gangs. First, they attack companies and steal data, then leave a threatening message on their DLS. They then threaten to release the data if the company refuses to comply with their demands. However, the gang in this case did not actually release the data.

There are a few possibilities as to why the gang decided to do so. First, it could be that the gang was actually unable to exfiltrate data. Normally, ransomware gangs provide a part of the exfiltrated data as proof. However, the 8Base gang is generally known to not provide such evidence. Secondly, there is a possibility that the affected company has complied with the demands, but this does not seem likely. Lastly, it may have been that there was simply no data to release or that the gang had already achieved its goals from this incident.

Whatever the case, this incident reminds us of the risks of ransomware. Companies must enforce security measures and also have a data backup system. They must also have a response manual against these attacks. Ransomware still poses a great threat to corporate environments.