8base Ransomware: Hackers ramp up double extortion attacks in recent months and use encryption to leak data

By Caique Barqueta: The 8base ransomware group first came to prominence in early March 2022, remaining relatively quiet after only a few attacks. They act like the other ransomware groups, by means of double extortion (encryption + data leakage).

In mid-May and June 2023, the operation had a spike in activity against organizations from various sectors listing 107 organizations so far, sometimes announcing as many as 6 organizations per day.

8base's data leak site was published in May 2023, claiming to be "honest and straightforward," further adding that "We are honest and straightforward pentesters. We offer companies the fairest terms for the return of their data."

Figure 1 - 8base main page

They also add that "current vulnerabilities will never be used by the team for further attacks. If new vulnerabilities are discovered, the company will be notified.

Figure 2 - Rules presented by 8base

In addition to the blog, the Ransomware group has a Twitter profile.

Figure 3 - Twitter profile of the 8base group

Suspicions and identified analyses

The VMware team published a report stating that the 8Base ransomware had certain significant similarities RansomHouse ransomware group.

The first similarity noticed would be the comparison of the ransom note using the Doc2Vec neural language processing model. During the analysis, the 8base ransom note had a 99% match with the RansomHouse ransom note.

Figure 4 - Identified redemption notes

Also, the blog used by both groups of ransomware appear to be identical.

Figure 5 - Comparison of the ransomware blog

And not only the main blog page, but also the "Terms of Service" published by both groups.

Figure 6 - RansomHouse operators' Terms of Service or "Rules
Figure 7 - Terms or Services or "Rules" of the 8base operators
Figure 8 - Comparison of the FAQ on the ransomware blog

There are also certain differences, the first being the question of recruitment or partnerships, in which RansomHouse says it is in partnership with other agents, while 8base is not.

Also, the data leakage page of ransomware are distinct.

VMware analysis identified that a sample of the ransomware used by 8Base Ransomware, a sample of Phobos Ransomware with the file extension ".8base" was identified in encrypted files. One of the points that led researchers is that the 8base ransomware would be using varieties and ransomware to target its victims, and in the analysis performed it was found that they would be using Phobos Ransomware version 2.9.1 with SmokeLoader for initial obfuscation upon entry, unpacking, and loading the ransomware.  

Since the Phobos ransomware is available in Ransomware-as-a-Service (RaaS) format, actors can customize the pieces to their needs according to the ransom note.

The difference in the ransom notes was that the Phobos Ransomware adds Jabber instructions and the word "phobos" in the top corner of the window, while 8base has only "cartilage" written in the top corner and no Jabber instruction.

Figure 9 - HTA ransom note presented by 8base Ransomware
Figure 10 - HTA ransom note presented by the Phobos Ransomware

Although the 8base ransomware would have added its own brand customization by attaching ".8base" to the encrypted files, the format of the entire attached part was the same as Phobos, which included an ID section, an email address, and the file extension.

VMware's conclusion is that the 8base ransomware would be using several different types of ransomware, and there is no confirmation whether 8base is a variant or part of the Phobos or RansomHouse ransomware group, but it certainly uses different ransomware and is considered to be one of the most active ransomware in the first half of 2023.

Technical analysis of ransomware

Our intelligence team, Heimdall, has identified a sample of 8base ransomware with a signature (SHA-256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb). In consultation with Virus Total, it was possible to identify that the sample is considered potentially malicious by 53 of 70 security solutions, as well as presenting some characteristics of ransomware families, among which it is possible to identify being a variant of the Phobos ransomware family.

Figure 11 - Sample identified as malicious 53 out of 70

This sample was compiled on 05/31/2022, at 05:01:04 UTC using the Microsoft Visual C/C++ compiler with the 32-bit architecture.

Figure 12 - PE Header Information

It is noted that the 8base ransomware would be using a 2022 sample as an attack for organizations. It was also observed that the ransomware does not have a high entropy rate, remaining in the 6.0 range.

Figure 13 - Entropy of ransomware used by 8base

For execution, the ransomware required the user to be authorized via UAC (User Account Control), meaning that privileges were needed to perform its normal data encryption routine.

Upon execution the ransomware calls a subprocess which is responsible for creating two other processes, in this case we will present the process tree that the ransomware calls.

Figure 14 - Process trees involved with the 8base Ransomware

PID: 7612

Command usage:

\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID: 6032

Command usage:

vssadmin delete shadows /all /quiet

This command corresponds to deleting all existing shadow copies on a Windows system. Therefore, the command refers to:

  • vssadmin: Windows command line utility used to manage the shadow copies created by VSS;
  • delete shadows: indicates that you want to perform the deletion of the shadow copies;
  • /all: Specifies that all shadow copies should be deleted;
  • /quiet: Sets silent mode, i.e. will not display any messages or confirmations during the deletion process.

PID:184

Using WMIC (Windows Management Instrumentation Command-Line) to delete copies of Windows shadows.

wmic shadowcopy delete

PID: 10036

Used the Windows bcdedit tool to modify the Windows startup configuration related to command startup failures:

bcdedit /set{default} bootstatuspolicy ignoreallfailures

PID: 5404

Using the Windows bcdedit tool to disable the Windows automatic recovery option. If you use this setting as the "no" option, Windows will not automatically start the recovery environment when it encounters critical errors during startup.

bcdedit /set{default} recoveryenabled no

PID:1296

Using the wbadmin tool to delete the Windows Server Backup catalog on a Windows system using silent mode.

wbadmin delete catalog -quiet

In the sequence, PID 9000 is created by process PID9428, which performed the creation of other processes in the system, such as:

PID:4412

Using conhost.exe, via the command, force execution with the value 1 and the force option.

\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID:7564

The command that started the PID7564 process is a command used to disable the Windows firewall for the network profile currently in use. In general, this turns off the firewall for the specific network profile that is currently active, such as public, private, or domain.

This command requires the use of privileges to run successfully.

netsh advfirewall set currentprofile state off

PID: 4116

Use the command below to completely disable the Windows Firewall, however this command applies to older versions of Windows, such as Windows XP and Windows Server 2003.

netsh firewall set opmode mode=disable

This ransomware executes the routines of the aforementioned processes twice, probably in order to ensure that all commands have been executed correctly.

The ransomware uses the "WerFault.exe" using the parameters -u -p 3740 -s 952. This executable is associated with the Windows error reporting mechanism, i.e., it aims to capture and report information about errors and failures that occur in the operating system, already using such parameters we can state that it should run in user mode (-u), indicates the process that the tool should monitor (-p 3740) and indicates the session ID in which the process is running (-s 952).

C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 952

The ransomware performs its encryption process using the AES encryption algorithm and, upon completion, adds the extension file.id[12 random words].[support@rexsdata.pro].[8base ] to the end of each file, as well as dumping the ransom note into the directories it performed the encryption.

Figure 15 - info.txt file created in the directories

It also introduces the redemption note in HTA format into that system by creating 3 processes.

Figure 16 - HTA rescue score presented from the analyzed sample

TTPs - MITRE ATT&CK, Indicators of Commitment (IoC) and recommendations

TacticsTechniqueID
Execution TA0002Scheduled Task/JobT1053
Command and Scripting InterpreterT1059
Shared ModulesT1129
Persistence TA0003Scheduled Task/JobT1053
Boot or Logon Autostart ExecutionT1547
Registry Run Keys/ Startup FolderT1547.001
Privilege Escalation TA0004Scheduled Task/JobT1053
Boot or Logon Autostart ExecutionT1547
Registry Run Keys / Startup FilesT1547.001
Impersonation/Theft TokenT1134.001
Defense Evasion TA0005Obfuscated Files or InformationT1027
Modify RegistryT1112
Indirect Command ExecutionT1202
Software PackingT1027.002
MasqueradingT1036
Hidden Files and DirectoriesT1564.001
File DeletionT1070.004
Virtualization/Sandbox EvasionT1497
Disable or Modify ToolsT1562.001
Disable or Modify ToolsT1562.001
Hidden Files and DirectoriesT1564.001
Credential Access TA0006OS Credential DumpingT1003
Input CaptureT1056
Discovery TA0007Process DiscoveryT1057
Network Share DiscoveryT1135
System Information DiscoveryT1082
File and Directory DiscoveryT1083
Virtualization/Sandbox EvasionT1497
Security Software DiscoveryT1518.001
Lateral Movement TA0008Taint Shared ContentT1080
Collection TA0009Data from Local SystemT1005
Data StagedT1074
Input CaptureT1056
Impact TA0040Inhibit System RecoveryT1490
Data Encrypted for ImpactT1486
Data DestructionT1485
Table 1 - MITRE ATT&CK

ISH Technology performs the treatment of several indicators of compromise collected through open sources, closed sources and also from analyses performed by the Heimdall security team. In view of this, below we list all Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report:

Analyzed Artifact Commitment Indicators
md5:0f281d2506515a64082d6e774573afb7
sha1:8949f27465913bf475fceb5796b205429083df58
sha256:2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
File name:mtx777.exe
Table 2 - IoCs related to the sample analyzed

Analyzed Artifact Compounding Indicators
md5:2809e15a3a54484e042fe65fffd17409
sha1:4a8f0331abaf8f629b3c8220f0d55339cfa30223
sha256:518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
File name:mtx777.exe
Table 3 - IoCs related to the VMware sample

20110ff550a2290c5992a5bb6bb44056
3d2b088a397e9c7e9ad130e178f885feebd9688b
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
5d0f447f4ccc89d7d79c0565372195240cdfa25f
9769c181ecef69544bbb2f974b8c0e10
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
Table 4 - IoCs related to the sample analyzed by VMware

Distribution URLs and C2 IP addresses:

wlaexfpxrs[.]org
admhexlogs25[.]xyz
admlogs25[.]xyz
admlog2[.]xyz
dnm777[.]xyz
serverlogs37[.]xyz
9f1a.exe
d6ff.exe
3c1e.exe
dexblog[.]xyz
blogstat355[.]xyz
blogstatserv25[.]xyz
Table 5 - IoCs related to delivery and C2 8base

Note: The links and IP addresses listed above may be active; be careful when manipulating these IoCs, to avoid clicking on them and becoming a victim of the malicious content hosted on the IoC.

In addition to the indicators listed above, measures can be taken to mitigate the infection of this malware, for example:

  • Perform regular backups: Store backup copies of all important data in a secure, disconnected location.
  • Performing software updates: Keep all software assets up to date, including operating systems and applications.
  • Using network protection such as firewalls, antivirus, and other security measures to protect your network.
  • Carrying out awareness work with employees, teaching them to recognize and avoid threats such as phishing and/or clicking on malicious links.
  • Regular monitoring of your network and systems to identify and quickly respond to any suspicious activity.
  • Creating and implementing an incident response plan, which in case of ransomware attacks can be used and will contain information such as issues related to backups and system recovery.

References

  • Heimdall by ISH Technology
  • Report VMware: 8Base Ransomware

Leave a Comment

Your e-mail address will not be published. Required fields are marked with *