8Base attacks ARPEGE

Incident Date: Jan 23, 2024

Attack Overview

VICTIM

ARPEGE

INDUSTRY

Business Services

LOCATION

France

ATTACKER

8base

FIRST REPORTED

January 23, 2024

Request Removal

8Base Ransomware Group's Attack on ARPEGE

8Base ransomware group claimed an attack on ARPEGE. The group obtained several pieces of corporate data, including invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files, and other documents. ARPEGE (Audit, Revision, Patrimony, Evaluation, Management) is a chartered accountancy and auditing firm based in Rueil-Malmaison.

The 8Base ransomware gang first emerged in March of 2022 and has quickly become one of the most active groups today, having displayed a "massive spike in activity" in the second half of 2023, making them one of the most significant threats in the wild. The sophistication of the operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023. Other researchers see a connection to the leaked Babuk builder.

Techniques and Operations

Like most groups today, 8Base engages in data exfiltration for double extortion and employs advanced security evasion techniques Including modifying Windows Defender Firewall for bypass. 8Base does not appear to have its own signature ransomware strain or maintain an RaaS for recruiting affiliate participation openly, but it is assessed they may service a group of vetted affiliate attackers privately.

Like RansomHouse, they appear to use a variety of ransomware payloads and loaders in their attacks, most prevalently customized Phobos with SmokeLoader. Attacks also included wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption. 8Base does not appear to be targeting Linux systems, maintaining a focus on Windows targets.

Recent Activities

In Q4-2023, 8Base continued using a new variant of the Phobos ransomware payload, typically delivered with SmokeLoader. 8Base does not appear to maintain a RaaS program open to affiliate attackers, appearing to be opportunistic in their choice of victims with a focus on “name and shame” via their leaks site to compel payment of the ransom demand.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started

First Name

Last Name

Phone Number

Buying Timeframe

halcyon.ai is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

I agree to receive other communications from halcyon.ai and acknowledge Halcyon's privacy policy.

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow halcyon.ai to store and process the personal information submitted above to provide you the content requested.

Back

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.