Ransomware Attack on Crooker Construction by 8Base
Overview of the Attack
In May 2024, Crooker Construction, a prominent construction company based in Topsham, Maine, fell victim to a ransomware attack orchestrated by the 8Base ransomware group. The attackers exfiltrated a significant amount of sensitive data, including accounting documents, certificates, confidentiality agreements, employment contracts, invoices, personal data, and more. The stolen data has been published on the dark web, with the threat actors leveraging the exposure to coerce a ransom payment from Crooker Construction.
About Crooker Construction
Founded in the mid-1930s, Crooker Construction, LLC is one of Maine's most experienced earthwork, utility, and paving contractors. The company specializes in heavy civil construction, site development, and utility construction services, working on projects such as road construction, bridge building, and utility infrastructure development. Crooker Construction employs approximately 250 people and is recognized for its community involvement, supporting various charitable organizations and programs.
The 8Base Ransomware Group
The 8Base ransomware group has been active since April 2022 and is known for its aggressive double-extortion tactics. This approach involves not only encrypting a victim’s files but also stealing data and threatening to release it publicly if the ransom is not paid. 8Base primarily targets small and medium-sized businesses across various sectors, including business services, finance, manufacturing, and construction.
8Base utilizes a variant of the Phobos ransomware, often spreading through phishing emails, exploit kits, and drive-by downloads. The group has rapidly gained notoriety due to its high attack volume and sophisticated evasion techniques. There is speculation about a potential connection between 8Base and the RansomHouse group, or that the group uses the Babuk builder for its ransomware.
Impact and Vulnerabilities
The attack on Crooker Construction highlights the vulnerabilities in the construction sector, which, like many other industries, has increasingly become a target for cybercriminals. The reliance on digital systems for managing projects, financial transactions, and sensitive client data makes these companies attractive targets for ransomware groups.
8Base’s strategy of exfiltrating and publicly leaking data adds a further layer of pressure on victims, aiming to damage their reputation and push them to pay the ransom. This approach underscores the importance of robust cybersecurity measures, including regular updates, employee training, and comprehensive incident response plans, to mitigate the risks posed by such attacks.