8Base (Ransomware Group) – Threat Actor

April 19, 2024
Reading Time: 15 mins read
in Ransomware Group, Threat Actors

8Base Ransomware

Location

Unknown

Date of initial activity

2022

Suspected attribution

Unknown

Associated Groups

RansomHouse, Phobos, Dharma

Motivation

Financial gain

Associated tools

8Base is known for its double-extortion tactics. The group threatens to publish the encrypted files unless the ransom is paid, aiming to embarrass the victim by exposing private or confidential information that could damage their brand or reputation.

Active

Yes

Overview

Operating since April 2022, 8Base is a ransomware group that has swiftly gained notoriety for its aggressive tactics and targeting of small and medium-sized businesses (SMBs) across sectors such as business services, finance, manufacturing, and information technology. Employing double-extortion tactics, 8Base threatens to expose encrypted files, aiming to tarnish victims’ reputations unless ransom demands are met. Despite a surge in activity during the summer of 2023, 8Base has largely remained under the radar, utilizing encryption and “name-and-shame” strategies to coerce victims into paying. While the group’s modus operandi spans industries, details regarding their identities, methods, and motivations remain elusive. The group’s operational speed and efficiency suggest continuity rather than novelty, indicating a mature organization adept at exploiting vulnerabilities. As 8Base continues its relentless targeting of SMBs, businesses must remain vigilant and fortify their cybersecurity defenses against this persistent threat.

Common targets

Target Countries: United States, Brazil, U.K., Australia, Germany, Canada, Spain, Italy, Belgium.

Target Sectors: Professional Services, Manufacturing, Construction, Finance, Healthcare, Transportation.

Attack Vectors

The 8Base ransomware is thought to spread via phishing emails and exploit kits.

Associated Groups

8Base and RansomHouse

During the scrutiny of 8Base, researchers uncovered notable resemblances with another entity, RansomHouse. The authenticity of RansomHouse as a ransomware entity is a subject of debate, given its practice of acquiring leaked data, collaborating with data leak platforms, and subsequently extorting companies. Employing the Natural Language Processing model Doc2Vec, researchers identified a striking 99% match between the ransom notes of 8Base and RansomHouse, indicating significant similarities. Delving deeper, researchers conducted a side-by-side comparison of their respective leak sites, revealing a remarkable likeness in language. Notably, the verbiage on 8Base’s welcome page mirrored that of RansomHouse’s, suggesting a deliberate replication. Despite their striking similarities, one primary disparity emerged: RansomHouse actively solicits and recruits partnerships, while 8Base does not. The comparison between these threat actor groups raised the question of whether 8Base may be an offshoot or a copycat of RansomHouse. However, distinguishing between them posed challenges, as RansomHouse lacks a signature ransomware and relies on a variety of ransomware available on dark markets. Interestingly, the investigation into 8Base failed to identify a single ransomware variant, instead presenting contrasting ransom notes resembling those of RansomHouse and Phobos.

8Base and Phobos Ransomware

In the pursuit of a ransomware sample linked to 8Base Ransom Group, investigators stumbled upon a Phobos variant employing a “.8base” file extension on encrypted files. Subsequent comparison unveiled that 8Base utilized Phobos ransomware version 2.9.1, leveraging SmokeLoader for initial obfuscation, unpacking, and loading of the ransomware. Given Phobos ransomware’s availability as ransomware-as-a-service (RaaS), this revelation did not come as a surprise.

Despite their shared modus operandi, discernible differences surfaced between the ransom notes of Phobos and 8Base, notably in Jabber instructions and branding elements. While Phobos prominently displayed “phobos” in the top and bottom corners, 8Base substituted it with “cartilage” in the top corner, along with a purple background and the absence of Jabber instructions. Despite appending “.8base” to encrypted files for branding purposes, 8Base’s file-naming format mirrored Phobos, encompassing an ID section, an email address, and the file extension. Further scrutiny revealed distinctive traits unique to 8Base Ransom Group, notably the origin of the 8Base sample from the domain admlogs25[.]xyz, linked to SystemBC, a proxy and remote administration tool. Known for encrypting and concealing attackers’ Command and Control traffic, SystemBC has been utilized by various ransomware groups, adding another layer to 8Base’s operational complexity.

How they operate

8Base ransomware payloads will enumerate all available local drives, encrypting standard data file extensions in a rapid and efficient manner using AES256 in CBC mode. Any attached share or drive volume will be subject to the encryption process as well. Once encrypted, files will have the .8base extension appended to them, at times accompanied by the victim ID and attacker email address.

Local firewall rules will be modified with the following command, issued by the ransomware:

netsh advfirewall set currentprofile state off

The above command allows the threat actor to evade Windows Defender’s Advanced Firewall capabilities. The ransomware will attempt to remove Volume Shadow Copies (VSS) via the following commands:

vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete

Payloads have been observed attempting either one or both of these methods: WMIC and VSSADMIN. In addition, BCDEDIT.EXE is used to modify the infected host’s startup policy, disabling recovery mode and related features via the following:

bcdedit /set {default} bootstatuspolicy ignoreallfailures

Persistence is achieved via entries in the Windows Startup folder as well as in the registry. For example, a copy of the ransom payload will be written to:

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

This is in addition to writing copies of itself to %AppData%\Local\ and other locations deemed necessary by the threat actors. 8Base ransom notes are written to affected folders as both text and .HTA files.
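The commands above are exactly what process-creation telemetry (Sysmon Event ID 1, Windows 4688) will record, so they make good hunting rules. The following is an added example, not code from the profile or its sources: it runs those rules over constructed sample log lines and checks filenames against the ID/email/.8base layout the profile describes (the `id[...]` bracket syntax is an assumption about that layout, as is the `host|parent|command` log format).

```python
import re

# Constructed sample process-creation records (not real telemetry),
# formatted as "<host>|<parent process>|<command line>".
SAMPLE_LOGS = [
    "WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt",
    "WS01|cmd.exe|netsh advfirewall set currentprofile state off",
    "WS01|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "WS01|cmd.exe|wmic shadowcopy delete",
    "WS01|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "WS02|svchost.exe|vssadmin.exe list shadows",   # benign: listing, not deleting
]

# Rules mirror the commands quoted in the profile. Matching is case-insensitive,
# tolerates extra whitespace and an optional .exe suffix; the firewall rule accepts
# any profile name (the profile quotes "currentprofile").
RULES = {
    "firewall_disable":     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "vss_delete_vssadmin":  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "vss_delete_wmic":      re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}

def classify(cmdline):
    """Return the rule labels matched by one command line (empty list if none)."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def scan(lines):
    """Return {host: set(labels)} for every host with at least one rule hit."""
    hits = {}
    for line in lines:
        host, _parent, cmd = line.split("|", 2)
        for label in classify(cmd):
            hits.setdefault(host, set()).add(label)
    return hits

# Assumed encrypted-file naming, built from the profile's description (optional ID
# section and e-mail, then the .8base extension), e.g.
# "invoice.pdf.id[<constructed>].[mail@example.invalid].8base" or "report.docx.8base".
ENCRYPTED_NAME = re.compile(r"(\.id\[[^\]]+\]\.\[[^\]\s]+@[^\]\s]+\])?\.8base$", re.I)

def looks_encrypted(filename):
    """True if the filename carries the .8base extension in the described layout."""
    return bool(ENCRYPTED_NAME.search(filename))

if __name__ == "__main__":
    for host, labels in scan(SAMPLE_LOGS).items():
        print(host, sorted(labels))
```

A host that trips the VSS-deletion and bcdedit rules within the same short window is the strongest signal; a lone `vssadmin delete shadows` also occurs in legitimate backup maintenance.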

Significant Attacks

  • 8Base ransomware group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransom. (June 2023)
References:
  • 8Base Ransomware: A Heavy Hitting Player
  • Dark Web Profile: 8Base Ransomware
  • 8Base Ransomware: In-Depth Analysis, Detection, and Mitigation