Tuesday, May 28, 2024

Heavy-Hitting 8Base Ransomware Attacking Industries in Various Sectors

The sudden surge in the activity of 8base ransomware in June 2023 shows it is a well-established organization to execute attacks that alarms security professionals and industries.

The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms in Bitcoin.

They target small business services, manufacturing, and construction sectors and append the “.8base” extension on encrypted files.

The type of ransomware used by this group remains unknown, but the technique and ransom note used resembles other ransom groups.

Heavy-Hitting 8Base Ransomware

8base ransomware group, climbing themselves as “honest and simple pentester” has been active since March 2022.

Victims can uncover information on the attack by visiting a page dedicated to victims and its downloads. 

Figure : Screenshot of 8Base Ransom Group Leak Site

It includes a set of rules for negotiations, as well as several methods to contact 8Base. 

8Base ransomware group became one of the top two performing ransomware groups, right behind Lockbit.

Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed some of its statistics similar to RansomHouse and Phobos.

Similarities Between 8Base and Ransomhouse

While analyzed through Doc2Vec,they have found both groups use similar ransom notes.

Doc2Vec is an unsupervised machine-learning algorithm that converts documents to vectors and can be used to identify similarities in documents.

Secondly,The language used in both the groups’ leak sites are nearly identical.

Additionally,The verbiage is copied word for word from RansomHouse’s welcome page to 8 Base’s welcome page. 

Ransom notes

Furthermore, their Terms of Service pages and FAQ pages are also similar.

The major difference between these two groups is that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base is not.

The second major difference between the two threat actor groups is their leak pages.

RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn’t have its own signature ransomware as a basis for comparison. 

Similarities between 8Base and Phobos Ransomware

When comparing Phobos with 8base ransomware, both appends the encrypted files with the”.8base” extension.

​​Another similarity between Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware.

Although their ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos ransomware.

While 8Base has “cartilage” in the top corner, a purple background, and no Jabber instructions.

The format of the entire appended portion of 8base was the same as Phobos, which included an ID section, an email address, and then the file extension.

Additional analysis shows the 8Base sample had been downloaded from the domain admlogs25[.]xyz – which appears to be associated with SystemBC, a proxy and remote administration tool.  

SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers’ Command and Control traffic.

From the analysis,it is clear that the 8base ransom group adopts other ransom group codes and TTP’s standards to establish their group,but it remains uncertain whether it stems from Phobos or RansomHouse.

“AI-based email security measures Protect your business From Email Threats!” – .


Latest articles

DDNS Service In Fortinet Or QNAP Embedded Devices Exposes Sensitive Data, Researchers Warn

Hackers employ DNS for various purposes like redirecting traffic to enable man-in-the-middle attacks, infecting...

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...

Hackers Exploit WordPress Plugin to Steal Credit Card Data

Hackers have exploited an obscure WordPress plugin to inject malware into websites, specifically targeting...

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles