Sunday, December 10, 2023

Heavy-Hitting 8Base Ransomware Attacking Industries in Various Sectors

The sudden surge in the activity of 8base ransomware in June 2023 shows it is a well-established organization to execute attacks that alarms security professionals and industries.

The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms in Bitcoin.

They target small business services, manufacturing, and construction sectors and append the “.8base” extension on encrypted files.

The type of ransomware used by this group remains unknown, but the technique and ransom note used resembles other ransom groups.

Heavy-Hitting 8Base Ransomware

8base ransomware group, climbing themselves as “honest and simple pentester” has been active since March 2022.

Victims can uncover information on the attack by visiting a page dedicated to victims and its downloads. 

Figure : Screenshot of 8Base Ransom Group Leak Site

It includes a set of rules for negotiations, as well as several methods to contact 8Base. 

8Base ransomware group became one of the top two performing ransomware groups, right behind Lockbit.

Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed some of its statistics similar to RansomHouse and Phobos.

Similarities Between 8Base and Ransomhouse

While analyzed through Doc2Vec,they have found both groups use similar ransom notes.

Doc2Vec is an unsupervised machine-learning algorithm that converts documents to vectors and can be used to identify similarities in documents.

Secondly,The language used in both the groups’ leak sites are nearly identical.

Additionally,The verbiage is copied word for word from RansomHouse’s welcome page to 8 Base’s welcome page. 

Ransom notes

Furthermore, their Terms of Service pages and FAQ pages are also similar.

The major difference between these two groups is that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base is not.

The second major difference between the two threat actor groups is their leak pages.

RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison. 

Similarities between 8Base and Phobos Ransomware

When comparing Phobos with 8base ransomware, both appends the encrypted files with the”.8base” extension.

​​Another similarity between Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware.

Although their ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos ransomware.

While 8Base has “cartilage” in the top corner, a purple background, and no Jabber instructions.

The format of the entire appended portion of 8base was the same as Phobos, which included an ID section, an email address, and then the file extension.

Additional analysis shows the 8Base sample had been downloaded from the domain admlogs25[.]xyz – which appears to be associated with SystemBC, a proxy and remote administration tool.  

SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers’ Command and Control traffic.

From the analysis,it is clear that the 8base ransom group adopts other ransom group codes and TTP’s standards to establish their group,but it remains uncertain whether it stems from Phobos or RansomHouse.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Latest articles

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress...

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email...

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles