
Rising Tides: The Swift Emergence of 8Base

Origin: April, 2022

Aliases: 8Base, EightBase, 8Base Ransomware

Targeted Sectors: Manufacturing, Construction, Healthcare, Professional Services, Retail, Finance, Information Technology

Targeted Countries: The U.S., Brazil, the U.K., China, India, Australia, CIS countries

Motivation: Ransom, Data theft, Double Extortion

Common Infection Vectors: Phishing Emails, Exploit Kits, Drive-by Downloads

Introduction

Established in April 2022, 8Base became highly active in the summer of 2023. The group has quickly made its mark with aggressive tactics and a broad footprint, concentrating on Small and Medium-sized Businesses (SMBs) across many sectors. Evidence from its leak site, public profiles, and communication patterns points to surface-level similarities with Phobos and RansomHouse.

8Base and Akira have recently stood out as the most active ransomware factions among the 25 operations newly identified last year. Several research teams have concluded that the speed and efficiency of 8Base's current operations do not indicate a new entity but rather point to a well-established and mature organization.

Initial Infection and Persistence

8Base obtains initial access in several ways, most commonly through phishing emails or by buying access from Initial Access Brokers (IABs). It then deploys commodity malware such as SmokeLoader and SystemBC to stage the intrusion quietly and evade defenses. Persistence is established through the Windows Startup folder and registry autorun entries, and through scheduled task creation; on the endpoint, the intrusion often first shows up as suspicious child processes (command shells or script hosts) spawned by MS Office applications that opened a phishing lure.
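The four behaviours just described (Run-key persistence, a Startup-folder drop, Office spawning a script host, and scheduled-task creation) are what an endpoint detection rule should key on. The following is an added example written for this page, not 8Base tooling or Cyware product code. It runs a small behavioural triage over Sysmon-style process, file and registry events; the events are constructed here for illustration, and the field names (EventID, Image, ParentImage, TargetObject, TargetFilename) are assumed to follow Sysmon's schema and should be adapted to your own telemetry.

```python
"""Behavioural triage of endpoint telemetry for the persistence and execution
patterns described above. Added example, not 8Base tooling.
The events below are CONSTRUCTED in a Sysmon-like shape; field names are
assumptions, adapt them to your own log schema."""
import re

# Registry autorun locations and the per-user Startup folder
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Start(-| )?up\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_persistence(events):
    """Return a list of (rule, host, detail) findings for suspicious events.
    EventID 1 = process create, 11 = file create, 13 = registry value set."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(("run_key_persistence", host, ev["TargetObject"]))
        elif eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            findings.append(("startup_folder_drop", host, ev["TargetFilename"]))
        elif eid == 1:
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
                findings.append(("office_spawns_script_host", host, f"{parent} -> {cmd}"))
            elif child == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                findings.append(("scheduled_task_created", host, cmd))
    return findings


# Constructed sample telemetry (not real 8Base logs)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"EventID": 11, "Computer": "WS01",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr C:\\Users\\Public\\update.exe'},
    # benign: Word launched from Explorer, and an unrelated registry write
    {"EventID": 1, "Computer": "WS02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName"},
]

if __name__ == "__main__":
    for rule, host, detail in detect_persistence(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The Office-to-script-host rule is the earliest signal in this chain and is worth alerting on its own; the other three fire after the loader is already resident, so treat them as containment triggers rather than early warning.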

Data encryption

Once inside, 8Base enumerates files to encrypt but skips any whose names contain strings from an exclusion list, including info.hta and info.txt (its own ransom notes), boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, and recov. It also leaves files inside Caches folders untouched, presumably to avoid breaking software on the host.

Using AES-256 in CBC mode, the ransomware quickly encrypts files with common extensions on all accessible local drives, attached volumes, and network shares, appending ".8base" to each filename along with a victim identifier and an attacker identifier. It checks each file's size: files smaller than 1.5 MB are encrypted in full, while larger files are only partially encrypted, presumably to speed up the run while still rendering the data unusable.
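The size-dependent behaviour matters for recovery: a large file that was only partially encrypted may still hold plaintext beyond the encrypted region. The following is an added example written for this page, not the ransomware's code, showing how an incident responder can triage encrypted files: it parses the victim and attacker identifiers out of the appended extension and compares byte entropy at the head and tail of each file to separate fully encrypted small files from partially encrypted large ones. The filename layout `<original>.id[<victim>].[<attacker>].8base` is the Phobos convention and is assumed here; the 1.5 MB threshold is taken from the text, and the sample files are constructed.

```python
"""Incident-response triage of files left behind by a Phobos-style encryptor
such as 8Base. Added example, not the ransomware's code.
ASSUMPTIONS: the name layout `<orig>.id[<victim>].[<attacker>].8base` follows
the Phobos convention; the 1.5 MB full/partial threshold is from the text."""
import math
import os
import re
import tempfile
from collections import Counter

EXT_RE = re.compile(r"\.id\[(?P<victim>[^\]]+)\]\.\[(?P<attacker>[^\]]+)\]\.8base$", re.I)
SIZE_THRESHOLD = int(1.5 * 1024 * 1024)   # files below this are encrypted whole
SAMPLE = 64 * 1024                        # bytes examined at each end of a file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, well under 6 for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: str) -> dict:
    """Parse the extension and measure head/tail entropy of one file."""
    m = EXT_RE.search(os.path.basename(path))
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(SAMPLE)
        f.seek(max(0, size - SAMPLE))
        tail = f.read(SAMPLE)
    h, t = shannon_entropy(head), shannon_entropy(tail)
    return {
        "file": os.path.basename(path),
        "marked_8base": m is not None,
        "victim_id": m.group("victim") if m else None,
        "attacker_id": m.group("attacker") if m else None,
        "size": size,
        "head_entropy": round(h, 2),
        "tail_entropy": round(t, 2),
        # high-entropy head but low-entropy tail on a large file => partial
        # encryption; the trailing plaintext may be worth carving out
        "partial_encryption": size >= SIZE_THRESHOLD and h > 7.0 and t < 6.0,
    }


def build_samples(dirpath: str) -> list:
    """Write two CONSTRUCTED files that mimic the encryptor's output."""
    small = os.path.join(dirpath, "ledger.xlsx.id[A1B2C3D4-1234].[contact@example.invalid].8base")
    with open(small, "wb") as f:
        f.write(os.urandom(200 * 1024))                      # < 1.5 MB: encrypted in full
    big = os.path.join(dirpath, "backup.vhd.id[A1B2C3D4-1234].[contact@example.invalid].8base")
    with open(big, "wb") as f:
        f.write(os.urandom(1024 * 1024))                     # encrypted leading region
        f.write(b"PLAINTEXT RECORD 0001 customer=acme status=ok\n" * 40000)  # untouched remainder
    return [small, big]


def run_demo() -> list:
    """Build the constructed samples in a temporary directory and triage them."""
    with tempfile.TemporaryDirectory() as d:
        return [triage_file(p) for p in build_samples(d)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Entropy is a heuristic: already-compressed formats (archives, media, encrypted databases) read as high entropy whether or not the ransomware touched them, so treat a low-entropy tail as a lead for carving, not as proof that the head is the only encrypted region.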

Extortion and Leak Site

8Base runs a double-extortion scheme and publishes victims' names on its leak site to pressure them into paying. The group frames the exposure as public shaming intended to make targeted companies "reform" how they handle their data; in practice it is leverage for payment.

The group also operates a Tor site for victim communication. Stolen data is distributed through a range of file storage and sharing services, including Gofile, Pixeldrain, files.dp.ua, AnonFiles, Anonym File, and Mega.

Victimology

Among the targeted companies, the majority belong to the professional services sector, spanning accounting, law and legal services, and business services. Manufacturing, construction, finance, insurance, and healthcare have also been notably affected.

Between March 2022 and November 2023, 8Base targeted nearly 80 organizations worldwide, according to a VMware analysis. In June 2023, 8Base claimed nearly 80 victims over the preceding 30 days, second only to LockBit 3.0, which claimed 100.

In July 2023, 8Base claimed responsibility for seven additional victims: The Traffic Tech (Gulf), Telepizza, Quikcard Solutions Inc., Jadranka Group, Dental One, ANL Packaging, and BTU SA.

Other known 8Base victims include ToyotaLift Northeast, ANS Group, Aspect Structural Engineers, Stockdale Podiatry Group, and Oregon Sports Medicine.

Partnership and Affiliation

Some aspects of 8Base's operations echo earlier activity attributed to RansomHouse and Phobos. RansomHouse's exact operating model remains unclear, but it is known for acquiring leaked data and extorting companies. Analysis of 8Base's communications and leak site shows strong linguistic similarity to RansomHouse: using a Doc2Vec model, researchers found a 99% match between the two groups' ransom notes, and the wording on 8Base's site mirrors RansomHouse's. Whether 8Base is a RansomHouse offshoot or a copycat is still unclear; unlike RansomHouse, 8Base does not openly seek partnerships, and its site layout is distinct.

Separately, a comparison of Phobos with an 8Base sample showed that 8Base used Phobos version 2.9.1, delivered via SmokeLoader. Since Phobos is sold as Ransomware-as-a-Service (RaaS), this reuse is unsurprising.

Protection and Mitigation

Detecting 8Base requires a layered strategy of technical and operational measures to surface suspicious activity. Deploying anti-malware tools that recognize the ransomware family, monitoring network traffic for anomalies (including matches against the indicators listed at the end of this post), and conducting routine security assessments are key steps, but on their own they are not sufficient.
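The simplest network-side control is to sweep proxy and DNS logs for the infrastructure indicators published for this family. The following is an added example written for this page, not Cyware product code: it refangs the defanged URLs, domains and IPs copied from the IOC section below and matches them against log lines. The log lines are constructed, in a Squid-style proxy format and a BIND-style query-log format, both of which are assumptions about what your own logs look like.

```python
"""Refang the defanged network indicators listed on this page and sweep proxy
and DNS logs for them. Added example, not vendor tooling. Indicator strings
are copied from the IOC section; the log lines are CONSTRUCTED."""
import re
from urllib.parse import urlsplit

RAW_IOCS = """
hxxp[:]//dexblog45[.]xyz/statweb255/
hxxp[:]//sentrex219[.]xyz/777/mtx5sfN.exe
hxxp[:]//sentrex219[.]xyz/777/skx2auB.exe
wlaexfpxrs[.]org
admhexlogs25[.]xyz
admlogs25[.]xyz
admlog2[.]xyz
dnm777[.]xyz
serverlogs37[.]xyz
dexblog[.]xyz
blogstat355[.]xyz
blogstatserv25[.]xyz
45.131.66[.]120
45.89.125[.]136
"""


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp, [.], (.), (dot), [:]."""
    s = ioc.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".").replace("[:]", ":")


def build_indicator_sets(raw: str):
    """Split refanged indicators into URL, hostname and IPv4 sets."""
    urls, hosts, ips = set(), set(), set()
    for line in raw.splitlines():
        if not line.strip():
            continue
        v = refang(line)
        if v.startswith(("http://", "https://")):
            urls.add(v)
            hosts.add(urlsplit(v).hostname)   # also catch the host on its own
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", v):
            ips.add(v)
        else:
            hosts.add(v.lower())
    return urls, hosts, ips


def sweep(log_lines, urls, hosts, ips):
    """Return (line_no, kind, indicator) hits; first match per line wins.
    Hostnames match exactly or as a parent domain of a logged subdomain."""
    hits = []
    for i, line in enumerate(log_lines, 1):
        for url in urls:
            if url in line:
                hits.append((i, "url", url))
                break
        else:
            tokens = set(re.findall(r"[A-Za-z0-9.-]+", line))
            lowered = {t.lower() for t in tokens}
            for h in hosts:
                if h in lowered or any(t.endswith("." + h) for t in lowered):
                    hits.append((i, "host", h))
                    break
            else:
                for ip in ips:
                    if ip in tokens:
                        hits.append((i, "ip", ip))
                        break
    return hits


# Constructed log lines (Squid-style proxy access log and BIND-style query log)
SAMPLE_LOGS = [
    "1700000001.123 45 10.0.0.15 TCP_MISS/200 512 GET http://dexblog45.xyz/statweb255/ - HIER_DIRECT/45.131.66.120 text/html",
    "1700000002.456 30 10.0.0.15 TCP_MISS/200 4096 GET http://sentrex219.xyz/777/mtx5sfN.exe - HIER_DIRECT/203.0.113.9 application/octet-stream",
    "Nov 20 10:01:02 dns1 named[123]: client 10.0.0.22#51000: query: cdn.admlogs25.xyz IN A +",
    "Nov 20 10:01:03 dns1 named[123]: client 10.0.0.22#51001: query: www.example.com IN A +",
    "1700000003.000 12 10.0.0.30 TCP_MISS/200 200 CONNECT 45.89.125.136:443 - HIER_DIRECT/45.89.125.136 -",
]

if __name__ == "__main__":
    u, h, p = build_indicator_sets(RAW_IOCS)
    for line_no, kind, indicator in sweep(SAMPLE_LOGS, u, h, p):
        print(f"line {line_no}: {kind} match on {indicator}")
```

Indicator sweeps only catch infrastructure that has already been reported, which is why the text treats them as necessary but not sufficient; pair them with the behavioural detections on the endpoint.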

Because attackers keep changing their TTPs and infrastructure, organizations also need to improve and speed up their response so that an intrusion is detected and contained before encryption begins. Cyware's AI-driven threat analysis and investigation platform helps SOC teams and incident responders draw contextual intelligence on related campaigns, anticipate attackers' next actions, and spot threat patterns by correlating seemingly isolated threats and incidents with threat intelligence, reducing overall MTTD and MTTR.

Conclusion

8Base represents a new breed of ransomware collective marked by high activity, aggressiveness, and sophistication. Its swift emergence and large victim count have made it a prominent force in the ransomware landscape. Using double extortion, the group encrypts data and threatens to publish it unless the ransom is paid, compounding the impact on victims.

While the threat posed by 8Base is real and significant, it is not insurmountable. Organizations can protect their operations with robust security controls and effective detection and response that shorten the time from initial intrusion to containment.

Indicators of Compromise (IOCs)

URL
hxxp[:]//dexblog45[.]xyz/statweb255/
hxxp[:]//sentrex219[.]xyz/777/mtx5sfN.exe
hxxp[:]//sentrex219[.]xyz/777/skx2auB.exe

File name
3c1e.exe
d6ff.exe
9f1a.exe
8a26.exe
8b7f.exe

Domain name
wlaexfpxrs[.]org
admhexlogs25[.]xyz
admlogs25[.]xyz
admlog2[.]xyz
dnm777[.]xyz
serverlogs37[.]xyz
dexblog[.]xyz
blogstat355[.]xyz
blogstatserv25[.]xyz

IP
45.131.66[.]120
45.89.125[.]136

AV signatures
MSIL/Agent.LVF01F!tr
MSIL/Agent.MZV!tr.dldr
MSIL/Agent.OBG!tr
MSIL/Agent.OXE!tr.dldr
MSIL/Agent.PJK!tr.dldr
MSIL/Agent.POB!tr.dldr
MSIL/Agent.POG!tr.dldr
MSIL/Agent.POQ!tr.dldr
MSIL/Agent.PQI!tr.dldr
MSIL/Agent.PQW!tr.dldr
MSIL/Agent.PRI!tr.dldr
MSIL/Agent.PSL!tr.dldr
MSIL/Generik.BZNYUMT!tr
MSIL/GenKryptik.GFFH!tr
MSIL/GenKryptik.GJPU
MSIL/GenKryptik.GLEY!tr
MSIL/GenKryptik.GMQR!tr
MSIL/GenKryptik.GPJK!tr
MSIL/Kryptik.AJEE!tr
MSIL/Kryptik.AJJC!tr
MSIL/Kryptik.AJOO!tr
MSIL/Kryptik.AJOW!tr.ransom
MSIL/Kryptik.AJPE!tr
MSIL/Kryptik.AJPT!tr
MSIL/Kryptik.AJTY!tr
MSIL/Kryptik.AJVN!tr
MSIL/Kryptik.AJWN!tr
MSIL/Kryptik.AJWZ!tr
MSIL/Kryptik.BMG!tr
W32/FilecoderPhobos.C!tr.ransom
W32/GenKryptik.ERHN!tr
W32/Kryptik.HTXE!tr
W32/Kryptik.HUBC!tr

MD5
fba616f5dc56b1cd9c463c0b9da86578
9769c181ecef69544bbb2f974b8c0e10
20110ff550a2290c5992a5bb6bb44056

SHA1
5d0f447f4ccc89d7d79c0565372195240cdfa25f
3d2b088a397e9c7e9ad130e178f885feebd9688b

SHA256
bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755
afddecc37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971
45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
b3725e7f3a53ea398fd0136e63c9c11d8c1addc778eece2ce1ac2ca2fc9cd238
c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
4e4c154f0500990e897ca9650eafd3c6255ba4df3b4bc620c6ba27b718278392
159fa561bf9069418c5b2a33525ee12b16385f96680890a285d401b9f6781643
7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8
482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52
49699985414185b85cdf0a0292dfd1fb0e7b0b4925daa165351efed6e348335a
2cfd30a7982b90be60f83fe5f4132999ac50d0d63d9681d8d50c3c8271faa34b
8f60d17bbaefd66fe94d34ea3262a1e94b0f8f0702c437d19d3e292c72f1cedc
274c6ea98df4de5fc99661b0af876c3556c8a9125697efa3cbdc6fa81b80395d
427ac2bb816309c11b12c895787c862017d5725ed7de137b5eb10c03e89c0b8c
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
88f6a6455f92255a189526e36aeb581c95c28dc5e26357e7667f871444a336ba
fa620f37539b2c7e53d4c06de1b680d0eab5c3a5280b89d1700e014bfd320519
b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5
03666df8dd1cd6f9e05e28a0660223d514351e05a8c61179f59e9e2c5e10d471
4fd3f6a16bccb7c9d4631241b6f8ebe58515fa2c593e4c938939492615869432
8c46f85644793051b8966d2edeeccdb8416aa04289dc0803d8da90fe6c98014c
abc4e3744b5a6b6ca367b81dabc9ff13d509d0bb5b4be6daa7d5419c57e5ea4b
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a
01b2ec8085dace807c190f3f26d5e5ce45be0c0ecbd9c944303a36f323272226
d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7
0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f
f595f91a9966808cc85d11981e66e98043af9aeaaaa3893ef058b9a79c474f17
aedbddbf7494baaaf759a720d9cd17540d3c171b9cc52a02e0ef9a592bd9cd63
698b2a9cf9ce16f1cb5cff4576e902888cb14db7414b8e6ac4eb728f8c87d209
9f67b6057e5b5dc4b2ec3b370ca3062e0bed91a934b227911af2a3de17164ee5
2673be0eb2cc75805d67cc5876b98cbbe330c73a223be23fb3b41eb447ccd1c9
3a6cfcbf9ef082d94b7a8a0050f42761e115aa3b6ff26edb6c7daf4437fe9917
0867a5d4559cb7084765944e5ab71c67629e90a5fa15e66b7b3d47059c76cb78
33c861023479ddcaea82f2daee9d0394f304d0c33ba210f4c3c53a93cf9a474c
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9
bcdf23bb2e1635cb6639895094f7115af7bc9d07f276507af291cd9b7124e135
a1ee84c3183521e345b17502b38621201ff6edb86db81debec25d58dec5ad96c
667dfdc8b8527599735d93ba94d5e9a30442db7c9e780f103fea07172ee8c740
6e591d4815d6e7ec082696f002c843c6d9155e944a99cdd7dab3db372db6a877
d26de80e8b561adcf33ab3f2fe29f22c6eaddfbe247dcf9028463214e0f87e90
54b3641fc695438be989a08a9dca9f2a5d1ed9d538cb83cb597a17480d580c39
eb24adb38f36113fe71f942596c355afd59a2e83a0663daf32ae9bb30059732c
db85c5455b1adee337cf5b6728a9a4776e3645e50d0bf7ff410e34bb710cc42a
c68d9dcd8a3038bfe7c6c008149c8792b6033e6249286e4692e16dcb2bd90d41
05c29b528fccf8c2793663a6725c9bf680944ffa6a26129d7aaafd1980bd034c
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5
2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4
d0604a3864899ac9bf0a07e47330b62a3e76b61335d6dac2e9b5a796b9fcc164
d560b84be808a9a324b995a05686237d645248369ce04069350d5b5d979d8365
fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623d
25d4ec23c3618c7bdbef717c9ded9f7da560b3eb13d8d20f958fe3fbe5a1e37b
97a4d094f86b757b3fb0e189f2843a7af8d0ec43f9805214e89992528e83b5d7
f709d1f84e4f0a845ebb4a9fb1500aa2a9fd600e97cbea32ffc3e49c1084f467
a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6
790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198
454f9058a9fd9c266782389850d6142a0d04ce9d8042bc069ccd8d90d60be6d5
32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
3cb4c0f6430f5216818c3438a18c96e7dcf5080129c9eea3f50735811c3e85eb
9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
681f180735ec833997bea4eb26c58f9c2e39980cd0a351e0b5cd99c502b33ae8
917f2b461c860f2ee8aed1147094b9273931bb9ee8040d609a485ec150dc3ec0
9f40b69060a52731107baec84a0c0f8a1bfc1a62e8471b9cd69509aade9cb7f1
d4cb20dba15d88c38c35be69fe04538b4f9bb0a12edb51ff23c0171b584edf08
f9805be70bc5c750e01a82742a66e6ffa9ade0ba2f80a97cadbb8fcaeb60dda7
4b891c6c3520d1d81e083f72d7ee9c92870ac6633f1f8419b2f50b4f90681ed6
78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce
e98c033e303e64af465b7d41d779a3780708c97822a6ebb7cf6ff3db64bc3416
2a50a42d3c44e6e3890a53228cb84f6fdb17e38b31422c68b8634a06d36cc324
104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a
96a3909ca8917c14a7bd36839dd5abf5c9df9f69b314158e0110365113acf4bb
356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716
15c9373bc7a1cc990d6caa0f3262f6c4adeff93337f642f752b64947ae50cec9
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
45dcbfbb139c81af47b6953482c2d146f5192054c29a2343019e6f1d30912ff4
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2
505bc570566804139166c0f12ea773d1c459682cc13cfca823b2ddfbd48cd2e2
00e6061a54e469f6c957eda96a0267efded5f8a6a8d4006ea74ded74df5eb703
32b815ce14e6606e53b1ddaf39900c91f126e1d9ce9c5cab2fe825d6b2fa74d9
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
872ee36c064f5d9e7df3e5495c7de6aba4b26856556ba2ac124cdbb02693aa02
52661e5c4f8503541a5f361cfa8e4518f852907365e23fdfcc8472fea67df12b
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
8113218903975b81b22049796f201e06638595d2f6fadd82da06817bfbce85d7
281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290
c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30
89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953

Tags

healthcare industry
phishing emails
kansas medical center
professional services
toyotalift northeast
8base ransomware
ransomhouse
phobos group
double extortion
exploit kits

Posted on: February 20, 2024

