The 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023. The group pairs encryption with “name-and-shame” techniques to compel victims to pay. 8Base follows an opportunistic pattern of compromise, with recent victims spanning varied industries. Despite the high number of compromises, the identities, methodology, and underlying motivation behind these incidents remain a mystery.
The speed and efficiency of 8Base’s current operations do not indicate the start of a new group but rather the continuation of a well-established, mature organization. Based on the currently available information, certain aspects of 8Base’s operations look eerily similar to ransomware operations we have seen in the past.
8Base Ransomware: What We Know
Figure 1: Screenshot of 8Base Ransom Group Leak Site
8Base is a ransomware group that has been active since March 2022, with a significant spike in activity in June 2023. Describing themselves as “simple pen testers”, the group runs a leak site that provides victim details along with Frequently Asked Questions and Rules sections and multiple ways to contact them. What is interesting about 8Base’s communication style is its use of verbiage strikingly familiar from another known group, RansomHouse.
Figure 2: Chart of 8Base Ransom Group Activity from March 2022 – June 2023.
Contact information provided on the leak site included the following:
- Telegram Channel: https://t[.]me/eightbase
- Twitter: @8BaseHome
Figure 3: Screenshot of 8Base Ransom Group Twitter.
8Base Ransom Group’s top targeted industries include but are not limited to Business Services, Finance, Manufacturing, and Information Technology.
Figure 4: Chart of 8Base Ransom Group’s Top Targeted Industries
Although 8Base is not necessarily a new group, its recent spike in activity has not gone unnoticed: within the past 30 days alone it ranks among the top two ransomware groups by activity. Little was publicly known about the ransomware 8Base uses beyond the ransom note and the fact that it appends the extension “.8base” to encrypted files.
Figure 5: Chart comparing 8Base Ransom Group victimization statistics with other known Ransom Groups.
Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed interesting findings and begs the question: “Whose ransom is it anyway?”
The Mystery of “Whose ransom is it anyway?”
8Base and RansomHouse
While reviewing 8Base, we noticed significant similarities between this group and another group, RansomHouse. Whether RansomHouse is a real ransomware group at all is up for debate: the group buys already leaked data, partners with data leak sites, and then extorts companies for money.
The first similarity was identified during a ransom note comparison project using the natural language processing model Doc2Vec. Doc2Vec is an unsupervised machine learning algorithm that converts documents to vectors and can be used to identify similarities between documents. During this project, the 8Base ransom note had a 99% match with the RansomHouse ransom note. For comparison, we have provided a snippet of the ransom notes below:
Figure 6: 8Base (blue) compared to RansomHouse (red) ransom notes
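To make the note-comparison idea concrete, here is an added example (not the VMware Carbon Black team's code). The article's project used Doc2Vec; this stand-in scores notes with a cosine similarity over word-trigram bags instead, so it runs with the Python standard library only and shows the same "how close is this note to a known family" workflow. The three notes and the family corpus are constructed placeholders, not the real 8Base, RansomHouse or Phobos text.

```python
import math
import re
from collections import Counter

# Constructed stand-in notes (not the real 8Base / RansomHouse / Phobos text).
# NOTE_A and NOTE_B share a template and differ only in the contact channel;
# NOTE_C is a different template entirely.
NOTE_A = ("Dear management. Your network was penetrated and all your files were copied. "
          "The data will be published unless you contact us within three days. "
          "Use the contact details below to start negotiation.")
NOTE_B = ("Dear management. Your network was penetrated and all your files were copied. "
          "The data will be published unless you contact us within three days. "
          "Use the Telegram channel below to start negotiation.")
NOTE_C = ("All of your files have been encrypted with a strong algorithm. To restore them "
          "write to our email and include your personal id. Do not rename encrypted files, "
          "it may damage them.")

# Assumed "known family" corpus keyed by an arbitrary family label.
KNOWN_NOTES = {"family_b": NOTE_B, "family_c": NOTE_C}


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped because it carries no style signal."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(tokens, n=3):
    """Bag of overlapping word n-grams. Very short texts fall back to one n-gram."""
    if not tokens:
        return Counter()
    if len(tokens) < n:
        return Counter([tuple(tokens)])
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


def cosine(a, b):
    """Cosine similarity of two Counters; 0.0 when either side is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def note_similarity(text_a, text_b, n=3):
    """Score in [0, 1]; 1.0 means identical n-gram bags."""
    return cosine(shingles(tokenize(text_a), n), shingles(tokenize(text_b), n))


def closest_family(unknown, corpus=KNOWN_NOTES, n=3):
    """Rank known families by similarity to an unknown note: [(name, score), ...], best first."""
    ranked = [(name, note_similarity(unknown, text, n)) for name, text in corpus.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in closest_family(NOTE_A):
        print(f"{name}: {score:.2f}")
```

Trigram overlap is deliberately blunt: swapping a contact address or a Telegram handle only disturbs the few n-grams around the edit, so a note that was copied and lightly rebranded still scores high, which is exactly the signal the article relies on. The flip side is that two affiliates of the same RaaS kit will also score high, so a strong match points to a shared template or builder, not necessarily to the same operators.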
Diving deeper, we did a side-by-side comparison of their respective leak sites and again found the language of the two to be nearly identical.
Figure 7: 8Base (blue) compared to RansomHouse (red) welcome pages
The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page. The same is true of their Terms of Service and FAQ pages, as seen below:
Figure 8: 8Base (blue) compared to RansomHouse (red) terms of service pages
Figure 9: 8Base (blue) compared to RansomHouse (red) FAQ pages
When comparing the two threat actor groups, there are only two major differences. The first is that RansomHouse advertises its partnerships and is openly recruiting partners, whereas 8Base is not:
Figure 10: RansomHouse partnership page
The second major difference between the two threat actor groups is their leak pages, as seen below:
Figure 11: RansomHouse (red) and 8Base (blue) leak pages
Given the similarity between the two, we were presented with the question of whether 8Base might be an offshoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware available on dark markets and has no signature ransomware of its own to use as a basis for comparison. Interestingly, while researching 8Base we were not able to find a single ransomware variant either. We stumbled across two very different ransom notes: one that matched RansomHouse’s and one that matched Phobos. This begged the question of whether 8Base, like RansomHouse, also operates by using different ransomware families, and if so, whether 8Base is just an offshoot of RansomHouse.
8Base and Phobos Ransomware
When searching for a sample of ransomware used by 8Base, a Phobos sample that appends the “.8base” extension to encrypted files was recovered. Could this be an earlier iteration of the ransomware they would go on to use, or is 8Base using a variety of ransomware against its victims? Comparing Phobos with the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1, with SmokeLoader providing initial obfuscation on ingress, unpacking, and loading of the ransomware. With Phobos available as ransomware-as-a-service (RaaS), this is not a surprise: actors are able to customize parts of it to their needs, as seen in the 8Base ransom note. Although the two ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos note, whereas the 8Base note has “cartilage” in the top corner, a purple background, and no Jabber instructions, as seen below:
Figure 12: 8Base (blue) compared to Phobos (red) ransom notes
Even though 8Base added its own branding by appending “.8base” to encrypted files, the format of the entire appended portion is the same as Phobos’s: an ID section, an email address, and then the file extension.
Figure 13: 8Base (blue) compared to Phobos (red) file extensions
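The appended-name format is useful to responders because it carries the victim ID and the contact address in every encrypted file. The following is an added example (not code from the article or from VMware Carbon Black) that parses names of that shape. The article states only the order of the fields (ID, email, extension); the bracket layout `.id[ID].[email].ext` used in the regular expression is this example's assumption, and all sample file names and addresses are constructed (the addresses use the reserved `.invalid` domain).

```python
import re
from collections import Counter

# Assumed layout of the appended portion: <original>.id[<id>].[<email>].<ext>
# The field order (ID, email, extension) is from the article; the brackets are
# this example's assumption.
APPENDED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample names (not real victim data).
SAMPLE_NAMES = [
    "report.docx.id[A1B2C3D4-1234].[contact@example.invalid].8base",
    "budget.xlsx.id[A1B2C3D4-1234].[contact@example.invalid].8base",
    "invoice.pdf.id[00112233-2210].[help@example.invalid].phobos",
    "notes.txt",
    "archive.id[brackets-only].zip",
]


def parse_appended_name(name):
    """Return the suffix fields as a dict, or None if the name is not shaped like this."""
    m = APPENDED_NAME.match(name)
    return m.groupdict() if m else None


def is_8base_name(name):
    """True when the name parses and carries the .8base extension (case-insensitive)."""
    parsed = parse_appended_name(name)
    return parsed is not None and parsed["ext"].lower() == "8base"


def summarize(names):
    """Tally extensions, victim IDs and contact addresses across a listing so a
    responder can see at a glance how many distinct campaigns/affiliates touched it."""
    summary = {"ext": Counter(), "victim_id": Counter(), "email": Counter()}
    for name in names:
        parsed = parse_appended_name(name)
        if parsed is None:
            continue
        for field in summary:
            summary[field][parsed[field].lower()] += 1
    return summary


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_appended_name(name))
    print(summarize(SAMPLE_NAMES))
```

Because the parser keys on the structure of the whole suffix rather than on the trailing `.8base` alone, a rebranded build that changes only the final extension still parses, and a file that merely happens to end in `.8base` without the ID and email fields does not. That is the property you want when the same builder is shared by several operators, as the article describes for Phobos.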
One finding that appeared unique to 8Base was that the sample had been downloaded from the domain admlogs25[.]xyz, which appears to be associated with SystemBC, a proxy and remote administration tool. SystemBC has been used by other ransomware groups to encrypt and conceal the destination of the attackers’ command and control traffic.
VMware Carbon Black Detection
VMware Carbon Black Managed Detection and Response, as an endpoint detection and response product, is effective at detecting ransomware and ransomware-like behavior. We have provided an Indicators of Compromise section below, which can be used to create rules to detect and prevent the execution of 8Base ransomware.
VMware Carbon Black maintains an active rule set for the detection of all ransomware-type malware. This rule set is sufficient to detect and prevent such malware and provides active protection for our customers; we recommend that customers ensure it is enabled.
Of course, it is important to try to stop ransomware from running in the first place. As stated above, 8Base uses SystemBC to encrypt command and control traffic and SmokeLoader to obfuscate the ransomware on ingress and to unpack and load the Phobos payload. Recommendations to prevent this activity include:
- Beware of phishing emails: many threats, including SmokeLoader, are delivered via phishing emails. Ensuring personnel are educated on phishing techniques is crucial to prevention efforts.
- Ensure proper configuration of network monitoring tools, such as a SIEM solution, to prevent malware from connecting to command and control servers. The relevant domains are provided in the IOC section.
The Indicators of Compromise provided below can be invaluable for threat hunting. They help identify potential security breaches and malicious activity so that security teams can proactively investigate and mitigate threats. A vigilant approach to threat hunting with these indicators helps organizations stay ahead of potential risks and maintain a robust security posture.
Summary
Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware, either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses.
Whether 8Base is an offshoot of Phobos or of RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos ransomware. At present, 8Base remains one of the most active ransomware groups this summer (2023).
As with all ransomware, VMware Carbon Black highly recommends its endpoint detection product given its high performance and ability to catch ransomware before it magnifies.
MITRE ATT&CK TIDs:
| Tactic | Technique | Description |
| --- | --- | --- |
| TA0003 Persistence | T1547.001 Registry Run Keys / Startup Folder | Adds the following: %AppData%\Local\{malware}; %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware}; %AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware} |
| TA0007 Discovery | T1135 Network Share Discovery | Uses WNetEnumResource() to crawl network resources |
| TA0004 Privilege Escalation | T1134.001 Token Impersonation/Theft | Uses DuplicateToken() to adjust token privileges |
| TA0005 Defense Evasion | T1562.001 Disable or Modify Tools | Terminates a long list of processes, a mix of commonly used applications (for example, MS Office applications) and security software |
| TA0005 Defense Evasion | T1027.002 Obfuscated Files or Information: Software Packing | SmokeLoader unpacks and loads Phobos into memory |
| TA0040 Impact | T1490 Inhibit System Recovery | Runs: wmic shadowcopy delete; wbadmin delete catalog -quiet; vssadmin delete shadows /all /quiet; bcdedit /set {default} recoveryenabled no; bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| TA0040 Impact | T1486 Data Encrypted for Impact | Uses AES to encrypt files |
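The T1490 row is the most directly actionable entry in the table, because the recovery-inhibition commands are run as a burst shortly before encryption and are rarely typed by hand. Here is an added example (not code from the article or from VMware Carbon Black) that turns those five command lines into detection logic over process-creation records; the key=value log layout and the log lines themselves are constructed for the example, and the `(\.exe)?` and flexible-whitespace parts of the patterns are this example's additions so either invocation form matches.

```python
import re
from collections import defaultdict

# Command patterns from the T1490 row above. The optional ".exe" and the \s+
# between tokens are this example's additions to absorb invocation variants.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed process-creation records in a simple key=value layout (not real telemetry).
# WS01 runs three of the commands in quick succession; WS02 runs a benign "list";
# SRV03 runs a single catalog deletion; WS04 is ordinary activity.
SAMPLE_LOG = """\
2023-06-12T10:01:02Z host=WS01 user=jdoe cmd="vssadmin delete shadows /all /quiet"
2023-06-12T10:01:03Z host=WS01 user=jdoe cmd="bcdedit /set {default} recoveryenabled no"
2023-06-12T10:01:03Z host=WS01 user=jdoe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2023-06-12T10:05:00Z host=WS02 user=admin cmd="vssadmin list shadows"
2023-06-12T11:30:10Z host=SRV03 user=backup cmd="wbadmin delete catalog -quiet"
2023-06-12T11:31:00Z host=WS04 user=jsmith cmd="C:\\Windows\\System32\\notepad.exe report.txt"
"""

LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"$')


def parse_line(line):
    """Split one record into ts/host/user/cmd, or None if it does not fit the layout."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one hit per (record, rule) pair as dicts carrying ts/host/user/cmd/rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in RECOVERY_INHIBIT_RULES.items():
            if pattern.search(rec["cmd"]):
                hits.append({**rec, "rule": rule})
    return hits


def hosts_by_distinct_rules(hits, minimum=2):
    """Hosts that tripped at least `minimum` distinct rules, sorted by name.
    Requiring more than one distinct command filters lone admin actions while still
    catching the burst a ransomware payload produces."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["rule"], "<-", h["cmd"])
    print("escalate:", hosts_by_distinct_rules(found))
```

Each single rule is worth alerting on, but the per-host aggregation is what separates a backup administrator who legitimately ran `wbadmin delete catalog` from an endpoint where shadow copies, the backup catalog and boot recovery were all disabled within seconds. In a production pipeline the aggregation window would be bounded in time rather than over the whole log.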
Indicators of Compromise:
| Indicator | Type | Context |
| --- | --- | --- |
| 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c | SHA-256 | 8Base ransomware (Phobos variant) |
| 5BA74A5693F4810A8EB9B9EEB1D69D943CF5BBC46F319A32802C23C7654194B0 | SHA-256 | 8Base ransom note (RansomHouse variant) |
| 20110FF550A2290C5992A5BB6BB44056 | MD5 | 8Base ransom note (RansomHouse variant) |
| 3D2B088A397E9C7E9AD130E178F885FEEBD9688B | SHA-1 | 8Base ransom note (RansomHouse variant) |
| e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0 | SHA-256 | 8Base ransomware (Phobos variant) |
| 5d0f447f4ccc89d7d79c0565372195240cdfa25f | SHA-1 | 8Base ransomware (Phobos variant) |
| 9769c181ecef69544bbb2f974b8c0e10 | MD5 | 8Base ransomware (Phobos variant) |
| C6BD5B8E14551EB899BBE4DECB6942581D28B2A42B159146BBC28316E6E14A64 | SHA-256 | 8Base ransomware (Phobos variant) |
| 518544E56E8CCEE401FFA1B0A01A10CE23E49EC21EC441C6C7C3951B01C1B19C | SHA-256 | 8Base ransomware (Phobos variant) |
| AFDDEC37CDC1D196A1136E2252E925C0DCFE587963069D78775E0F174AE9CFE3 | SHA-256 | 8Base ransomware (Phobos variant) |
| wlaexfpxrs[.]org | Data POST to URL | 8Base ransomware referred domain (Phobos variant) |
| admhexlogs25[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| admlogs25[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| admlog2[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| dnm777[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| serverlogs37[.]xyz | Data POST to URL | 8Base ransomware referred domain |
| 9f1a.exe | File Name | 8Base ransomware dropped file |
| d6ff.exe | File Name | 8Base ransomware dropped file |
| 3c1e.exe | File Name | 8Base ransomware dropped file |
| dexblog[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| blogstat355[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
| blogstatserv25[.]xyz | Data GET request to URL | 8Base ransomware referred domain |
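The domains above are published defanged, and the same SHA-256 appears twice with different letter case, so a little normalization is needed before the table can feed the network-monitoring recommendation made earlier. This added example (not code from the article or from VMware Carbon Black) refangs the domain indicators, de-duplicates the hashes, and matches DNS query names against the domain list by exact name or subdomain rather than by substring. The domains and hashes are copied from the table; the DNS log lines and their key=value layout are constructed for the example.

```python
import re

# Domain indicators copied from the table above, in the defanged form the article uses.
DEFANGED_DOMAINS = [
    "wlaexfpxrs[.]org", "admhexlogs25[.]xyz", "admlogs25[.]xyz", "admlog2[.]xyz",
    "dnm777[.]xyz", "serverlogs37[.]xyz", "dexblog[.]xyz", "blogstat355[.]xyz",
    "blogstatserv25[.]xyz",
]

# Three SHA-256 entries from the table; the first two are the same digest in different case.
LISTED_HASHES = [
    "518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c",
    "518544E56E8CCEE401FFA1B0A01A10CE23E49EC21EC441C6C7C3951B01C1B19C",
    "e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0",
]


def refang(indicator):
    """Turn the publication-safe 'example[.]xyz' form back into a matchable name."""
    return indicator.replace("[.]", ".").strip().lower()


def normalize_hashes(hashes):
    """Lower-case hex so duplicate entries collapse; hex digests are case-insensitive."""
    return sorted({h.strip().lower() for h in hashes})


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(query, ioc_domains=IOC_DOMAINS):
    """Return the matching IoC for an exact domain or any of its subdomains, else None.
    A plain substring test would also flag 'admlogs25.xyz.example.com', which is a
    different name under someone else's zone, so the check anchors on the label boundary."""
    q = query.strip().lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS query log lines (not real telemetry). The third line is the
# look-alike that a naive substring match would wrongly flag.
SAMPLE_DNS_LOG = """\
2023-06-12T10:02:11Z client=10.0.0.15 qname=admlogs25.xyz qtype=A
2023-06-12T10:02:12Z client=10.0.0.15 qname=cdn.serverlogs37.xyz. qtype=A
2023-06-12T10:02:13Z client=10.0.0.22 qname=admlogs25.xyz.example.com qtype=A
2023-06-12T10:02:14Z client=10.0.0.22 qname=www.example.com qtype=A
"""

DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def scan_dns_log(text):
    """Return a hit per query that resolves to one of the listed domains."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        matched = domain_matches(m.group("qname"))
        if matched:
            hits.append({"client": m.group("client"), "qname": m.group("qname"), "ioc": matched})
    return hits


if __name__ == "__main__":
    print("unique hashes:", normalize_hashes(LISTED_HASHES))
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(h["client"], "queried", h["qname"], "->", h["ioc"])
```

The trailing-dot handling matters because many resolvers log fully qualified names with the root label, and the subdomain rule matters because the C2 hostnames seen in practice are often a label or two beneath the registered domain listed in threat reports.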