Cisco Talos researchers report that the 8Base ransomware group has been using a variant of the Phobos ransomware in its recent string of attacks. This Phobos variant, notably distributed via SmokeLoader, has been actively targeting small and medium-sized enterprises across various industries, including finance, manufacturing, business services, and IT.
Notably, the variant encrypts files below a designated size threshold in full and larger files only partially, which keeps encryption fast while still hindering brute-force decryption efforts.
The analysis revealed a set of sophisticated functionalities embedded within the malware. These include the encryption of smaller files in full and partial encryption of larger files, network scanning capabilities within the local network, and persistent infiltration through the Startup folder and Run Registry key.
Moreover, the ransomware disrupts system recovery and backup processes, disabling shadow copies and the Windows firewall, which significantly impedes recovery efforts. It also employs a distinctive encryption scheme that uses a different symmetric key for each encrypted file, rendering traditional brute-force decryption ineffective.
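As an added, defender-side example that is not part of the Talos report: a small Python scan over constructed, Sysmon-style event records for the behaviours described above (shadow-copy deletion, recovery and firewall disablement, Run-key or Startup-folder persistence), which alerts only when several distinct behaviours appear together. The event format, host paths, SID and file names are assumptions; the command lines matched are the standard Windows tools commonly used to do what the page describes, not commands quoted by the page.

```python
import re

# Behaviours the page attributes to this Phobos variant, as patterns over
# process command lines, registry paths and file paths (event format is constructed).
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "firewall_disabled": re.compile(
        r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+mode=disable)", re.I),
    "run_key_persistence": re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
    "startup_folder_persistence": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
}

def parse_event(line):
    """Split a 'key=value|key=value' record; only the first '=' of each pair splits."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def scan_events(lines):
    """Return (behaviour, image, evidence) for every event matching an indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        evidence = ev.get("CommandLine") or ev.get("TargetObject") or ev.get("TargetFilename", "")
        for name, pattern in INDICATORS.items():
            if pattern.search(evidence):
                findings.append((name, ev.get("Image", "?"), evidence))
    return findings

def assess(findings, min_behaviours=3):
    """Several distinct behaviours together is the ransomware pattern; one alone
    may be routine administration and should not page anyone by itself."""
    distinct = {name for name, _, _ in findings}
    return len(distinct), len(distinct) >= min_behaviours

# Constructed sample events (hypothetical host paths, SID and file names).
SAMPLE_EVENTS = [
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin delete shadows /all /quiet",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=bcdedit /set {default} recoveryenabled no",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=netsh advfirewall set currentprofile state off",
    "Event=RegistrySet|Image=C:\\Users\\alice\\AppData\\Local\\updater.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "Event=FileCreate|Image=C:\\Users\\alice\\AppData\\Local\\updater.exe|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]
```

Calling `assess(scan_events(SAMPLE_EVENTS))` on the constructed records reports five distinct behaviours and raises the alert, while the benign notepad event matches nothing.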
The examination also disclosed striking similarities between the code of 8Base samples and earlier Phobos variants. This suggests a potential shared code base and operational tactics between the 8Base group and past Phobos campaigns.
These revelations highlight the advanced tactics employed by 8Base, making decryption of their encrypted files significantly more challenging, thereby underscoring the need for heightened cybersecurity measures and vigilance against such sophisticated ransomware operations.