Researchers from Cisco Talos recently shed light on the latest ransomware activities orchestrated by the 8Base ransomware group. Leveraging a new variant of the notorious Phobos ransomware, these threat actors have been intensifying their financially motivated attacks, prompting cybersecurity experts to closely examine their methods.
Meet the 8Base Ransomware Group
According to Guilherme Venere, a security researcher at Cisco Talos, the group’s Phobos variants are predominantly distributed through SmokeLoader, a backdoor trojan known for deploying additional payloads. However, in the case of 8Base campaigns, the ransomware component is uniquely embedded within encrypted payloads, a deviation from the typical modus operandi of such malware.
The 8Base ransomware first drew attention in mid-2023, marked by a significant surge in activity observed by the cybersecurity community. Despite its recent prominence, indications suggest that 8Base has been active since at least March 2022. A previous analysis by VMware Carbon Black identified parallels between 8Base and RansomHouse, further complicating the attribution of these attacks.
Cisco Talos’ findings reveal that SmokeLoader serves as a launchpad for executing the Phobos payload in 8Base attacks. Once initiated, the ransomware takes deliberate steps to establish persistence, terminate processes hindering file access, disable system recovery options, and eradicate backups and shadow copies.
Encryption Methods
One distinctive characteristic of 8Base is its encryption strategy, involving full encryption of files below 1.5 MB and partial encryption for larger files to expedite the encryption process. Additionally, the malware incorporates a complex configuration with over 70 options, encrypted using a hard-coded key. This configuration unlocks advanced features, including User Account Control (UAC) bypass and reporting victim infections to an external URL.
Of particular interest is the presence of a hard-coded RSA key that protects the per-file AES key used for encryption. According to Talos, knowledge of the corresponding RSA private key could facilitate the decryption of files locked by Phobos variants since 2019.
The Phobos ransomware, which emerged in 2019, is an evolved form of the Dharma (Crysis) ransomware. Operating as ransomware-as-a-service (RaaS), Phobos is centrally managed, with variants sold to affiliates that all use the same RSA public key. The regularly updated extension block lists indicate a concerted effort to prevent Phobos affiliates from interfering with one another’s infections.
Ransomware Becoming More Sophisticated
These revelations come at a time when the cybersecurity landscape is witnessing the emergence of new, sophisticated ransomware products. The disclosure of UBUD, a C-developed ransomware with robust anti-detection measures, and the BlackCat ransomware group’s formal complaint to the U.S. Securities and Exchange Commission (SEC) highlight the escalating tactics employed by threat actors.