In this comprehensive article, we will explore the 8base ransomware variant in detail, and provide information on the group’s DLS (Dedicated Leak Site) on the “Dark Web”, their TOR site, and the indicators of compromise (IOC) associated with the group’s activity.
It’s essential to understand which industries the 8base ransomware targets and have some insight into how it operates to improve your cybersecurity and ransomware defense.
8base ransomware overview
The 8Base ransomware group emerged in March 2022 and has been highly active since June 2023, with a significant spike in their activities observed. 8base ranks as one of the top-performing ransom groups, further highlighting the threat they pose.
The group has targeted a wide range of victims across various industry types, mainly attacking small and medium-sized businesses. Most target countries include the United States, Brazil, and the United Kingdom.
The 8base gang employs double extortion tactics, where they not only encrypt a victim’s files but also steal their data and threaten to publicly release it if the ransom is not paid. The group uses a variety of ransomware strains, including a variant known as Phobos, which they have customized by appending a “.8 base” to their encrypted files.
Important: Do not pay the ransom. Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities.
8base encryption techniques
The group responsible for 8base has customized the Phobos ransomware variant by appending ‘.8base’ to their encrypted files. The format of the entire appended portion remains the same as Phobos, which includes an ID section, an email address, and then the file extension. This suggests that 8Base is leveraging Ransomware-as-a-Service (RaaS) offerings, a common practice among ransomware groups.
How to identify 8base ransomware: Main IOCs
Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. It includes the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave as they infect a machine or system.
But, if you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if the 8base ransomware is the one that encrypts your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
8base IOCs include changes in encrypted file names and append the victim’s ID, [email protected] email address, and the “.8base” extension to them. Victims of the 8base ransomware can also find two ransom notes (“info.hta” and “info.txt”) in disk C: and C:\User\User\Desktop.
Other 8base IOCs include:
- IP address 45.131.66[.]120
- IP address 45.89.125[.]136
- FileName 8A26.exe
- FileName 8B7F.exe
- Hash 9769C181ECEF69544BBB2F974B8C0E10
- Hash 5D0F447F4CCC89D7D79C0565372195240CDFA25F
- Hash E142F4E8EB3FB4323FB377138F53DB66E3E6EC9E82930F4B23DD91A5F7BD45D0
How 8base ransomware works
As with most ransomware, 8base uses several techniques to infect a machine or network, evade detection, exfiltrate data, and then encrypt files. Since this is a new ransomware strain, technicians are still learning those techniques, and many details of how 8base ransomware works are not known at the time of this article’s publication.
1. Initial Access
The initial access methods in 8base campaigns will vary, but delivery via a phishing email or the use of initial access brokers (IABs) has been observed. The group has also been observed to utilize SystemBC to proxy their traffic and create an encrypted C2 channel.
2. Persistence
Persistence is achieved via entries in the Windows Startup folder as well as in the registry. The group also uses suspicious child processes spawned by Microsoft Office products, file executing using WScript or CScript, or scheduled task creation.
3. Evasion tactics
The 8Base ransomware group employs sophisticated evasion tactics to infiltrate systems with stealth and precision, leaving victims defenseless. For example, they use multiple malware families to achieve their goals, including SmokeLoader and SystemBC, in addition to the Phobos ransomware payload.
4. Data exfiltration and encryption
After gaining access and elevating privilege, data exfiltration is performed which is later leaked in their Data Leak Sites. 8Base ransomware payloads will enumerate all available local drives, encrypting standard data file extensions rapidly and efficiently using AES256 in CBC mode. Any attached share or drive volume will be subject to the encryption process as well. Once encrypted, files will have the .8base extension appended to them at times accompanied by the victim ID and attacker email address.
5. The ransom note is dropped
After the encryption process is completed, the ransom note files ‘info.hta’ and ‘info.txt’ are dropped in ‘C:’ and ‘C:\User\User\Desktop
If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. However, there is no guarantee that the cybercriminal group will send the decryption key.
Before deciding to pay the ransom demand, check our in-depth article on what happens if you pay the ransom.
Notable attacks by 8base ransomware
The 8Base ransomware group has hit nearly 80 organizations since March 2022 and uses the double-extortion tactics of encryption and “name and shame”, where cybercriminals threaten to publicly expose individuals, companies, or organizations that have behaved in a bad or illegal way. By using “name and shame”, the cybercriminal group intended to cause public embarrassment and to encourage the offending entity to alter its behavior and ideally no longer conduct itself in the same manner.
In May 2023, the 8base was responsible for 15% of the ransomware attacks. In June 2023, the 8base gang hit nearly 40 victims, second only to the notorious LockBit ransomware gang. They listed their victim organizations and companies on its darknet website accessible only via TOR. These are primarily hacking victims who declined to pay a ransom, risking the publication of their stolen data.
How to prevent ransomware attacks
Preventing ransomware attacks is always the best tactic. If you are a recent victim, you must follow these tips to avoid a new ransomware attack:
Keep your software up to date
Regularly update your operating system and programs to uphold security standards. Reputable OS providers will consistently check their software for vulnerabilities and patch up their security standards to protect against newly detected threats.
Use reputable antivirus software
Employ reputable antivirus software to significantly bolster protection against malware. You can also check your network for vulnerabilities and learn where you need to improve your security system.
Be cautious of emails
Exercise caution when dealing with emails from unfamiliar or dubious origins. Refrain from opening files or clicking on links within emails that you are not expecting or that seem suspicious.
Do not download cracked software
Cybercriminals frequently conceal their ransomware executables within cracked software distribution websites, leading users to unwittingly download and execute the malware.
Backup your data
Regularly back up your data to an external hard drive or cloud storage service to prevent data loss in case of a ransomware attack.
Educate yourself and your employees
Educate yourself and your employees about the risks of ransomware and how to avoid it, such as avoiding suspicious emails or downloads.
