https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
VMware Security Blog | Threat Analysis Unit

8BASE RANSOMWARE: A HEAVY HITTING PLAYER
Deborah Snyder, Fae Carlisle, Dana Behling, Bria Beathley
June 28, 2023 | 18 min read

The 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023. The group pairs encryption with “name-and-shame” techniques to pressure victims into paying their ransoms. 8Base shows an opportunistic pattern of compromise, with recent victims spanning varied industries. Despite the high number of compromises, the identities, methodology, and underlying motivation behind these incidents remain a mystery. The speed and efficiency of 8Base’s current operations do not point to the start of a new group but rather to the continuation of a well-established, mature organization. Based on the currently available information, certain aspects of 8Base’s operations look eerily similar to ransomware operations we have seen in the past.
8BASE RANSOMWARE: WHAT WE KNOW

Figure 1: Screenshot of 8Base Ransom Group leak site

8Base is a ransomware group that has been active since March 2022, with a significant spike in activity in June 2023. Describing themselves as “simple pen testers”, their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. What is interesting about 8Base’s communication style is the use of verbiage strikingly familiar from another known group, RansomHouse.

Figure 2: Chart of 8Base Ransom Group activity from March 2022 to June 2023

Contact information provided on the leak site included the following:

* Telegram channel: https://t[.]me/eightbase
* Twitter: @8BaseHome

Figure 3: Screenshot of the 8Base Ransom Group Twitter account

8Base Ransom Group’s top targeted industries include, but are not limited to, Business Services, Finance, Manufacturing, and Information Technology.

Figure 4: Chart of 8Base Ransom Group’s top targeted industries

Although 8Base is not necessarily a new group, its recent spike in activity has not gone unnoticed: even within the past 30 days it has been among the top two most active ransom groups. Not much was publicly known about the ransomware used by 8Base other than the ransom note and that it appends the extension “.8base” to encrypted files.

Figure 5: Chart comparing 8Base Ransom Group victimization statistics with other known ransom groups

Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed interesting findings and raises the question: “Whose ransom is it anyway?”

THE MYSTERY OF “WHOSE RANSOM IS IT ANYWAY?”

8BASE AND RANSOMHOUSE

While reviewing 8Base, we noticed significant similarities between this group and another group, RansomHouse. Whether RansomHouse is a real ransomware group is up for debate: the group buys already-leaked data, partners with data leak sites, and then extorts companies for money.
The first similarity was identified during a ransom note comparison project using the Natural Language Processing model Doc2Vec. Doc2Vec is an unsupervised machine learning algorithm that converts documents to vectors and can be used to identify similarities between documents. During this project, the 8Base ransom note had a 99% match with the RansomHouse ransom note. For comparison, we have provided a snippet of the ransom notes below:

Figure 6: 8Base (blue) compared to RansomHouse (red) ransom notes

Diving deeper, we did a side-by-side comparison of their respective leak sites. Again, we found the language of the two to be nearly identical.

Figure 7: 8Base (blue) compared to RansomHouse (red) welcome pages

The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page. The same is true of their Terms of Service and FAQ pages, as seen below:

Figure 8: 8Base (blue) compared to RansomHouse (red) terms of service pages

Figure 9: 8Base (blue) compared to RansomHouse (red) FAQ pages

When comparing the two threat actor groups, there are only two major differences. The first is that RansomHouse advertises its partnerships and is openly recruiting for partnerships, whereas 8Base is not:

Figure 10: RansomHouse partnership page

The second major difference between the two groups is their leak pages, as seen below:

Figure 11: RansomHouse (red) and 8Base (blue) leak pages

Given the similarity between the two, we were presented with the question of whether 8Base may be an offshoot of RansomHouse or a copycat. Unfortunately, RansomHouse is known for using a wide variety of ransomware available on dark markets and does not have its own signature ransomware to use as a basis for comparison. Interestingly, while researching 8Base we were not able to find a single ransomware variant either. We stumbled across two very different ransom notes: one that matched RansomHouse’s and one that matched Phobos.
This raised the question of whether 8Base, like RansomHouse, also operates by using different ransomware families, and if so, whether 8Base is just an offshoot of RansomHouse.

8BASE AND PHOBOS RANSOMWARE

When searching for a sample of ransomware used by 8Base Ransom Group, a Phobos sample using a “.8base” file extension on encrypted files was recovered. Could this be an earlier iteration of the ransomware they would use, or is 8Base using several varieties of ransomware to target their victims? Comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware. With Phobos available as ransomware-as-a-service (RaaS), this is not a surprise: actors are able to customize parts to their needs, as seen in the 8Base ransom note. Although the ransom notes were similar, key differences included Jabber instructions and “phobos” in the top and bottom corners of the Phobos note, while the 8Base note has “cartilage” in the top corner, a purple background, and no Jabber instructions, as seen below:

Figure 12: 8Base (blue) compared to Phobos (red) ransom notes

Even though 8Base added its own branding by appending “.8base” to encrypted files, the format of the entire appended portion was the same as Phobos: an ID section, an email address, and then the file extension.

Figure 13: 8Base (blue) compared to Phobos (red) file extensions

One finding that appeared unique to 8Base Ransom Group was that the 8Base sample had been downloaded from the domain admlogs25[.]xyz, which appears to be associated with SystemBC, a proxy and remote administration tool. SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers’ command and control traffic.
VMWARE CARBON BLACK DETECTION

VMware Carbon Black Managed Detection and Response is effective at detecting ransomware and ransomware-like behavior as an endpoint detection and response product. We have provided an Indicators of Compromise section below which can be used to create rules to detect and prevent the execution of 8Base ransomware. VMware Carbon Black has an active rule set that is used for the detection of all ransomware-type malware. This ruleset is sufficient to detect and prevent malware and provides for the active protection of our customers. For active customers, we recommend ensuring this ruleset is enabled.

Of course, it is important to attempt to stop ransomware from running in the first place. As stated above, 8Base uses SystemBC to encrypt command and control traffic and SmokeLoader, which provides initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware. Recommendations to prevent this activity include:

* Beware of phishing emails: many threats, including SmokeLoader, are delivered via phishing emails. Ensuring personnel are educated on phishing email techniques is crucial to prevention efforts.
* Ensure proper configuration of network monitoring tools, such as a SIEM solution, to prevent malware from connecting to command and control servers. Domains are provided in the IOC section.

The Indicators of Compromise provided below can be invaluable for threat hunting. They help identify potential security breaches and malicious activity so that security professionals can proactively investigate and mitigate threats. With a vigilant approach to threat hunting and the use of these indicators, organizations can stay ahead of potential risks and maintain a robust security posture.
SUMMARY

Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware, either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses. Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos ransomware. At present, 8Base remains one of the top active ransomware groups this summer (2023). As with all ransomware, VMware Carbon Black highly recommends its endpoint detection product given its high performance and ability to catch ransomware before it magnifies.

MITRE ATT&CK TIDs:

Tactic | Technique | Description
TA0003 Persistence | T1547.001 Registry Run Keys / Startup Folder | Adds the following: %AppData%\Local\{malware}; %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware}; %AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware}
TA0007 Discovery | T1135 Network Share Discovery | Uses WNetEnumResource() to crawl network resources
TA0004 Privilege Escalation | T1134.001 Token Impersonation/Theft | Uses DuplicateToken() to adjust token privileges
TA0005 Defense Evasion | T1562.001 Disable or Modify Tools | Terminates a long list of processes, which are a mix of commonly used applications (for example, MS Office applications) and security software.
TA0005 Defense Evasion | T1027.002 Obfuscated File or Information: Software Packing | SmokeLoader unpacks and loads Phobos into memory
TA0040 Impact | T1490 Inhibit System Recovery | Runs: wmic shadowcopy delete; wbadmin delete catalog -quiet; vssadmin delete shadows /all /quiet; bcdedit /set {default} recoveryenabled no; bcdedit /set {default} bootstatuspolicy ignoreallfailures
TA0040 Impact | T1486 Data Encrypted for Impact | Uses AES to encrypt files

Indicators of Compromise:
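As an added example (not code from the VMware report), the following Python script turns the T1490, T1547.001 and T1486 rows of the ATT&CK table above into simple detection logic and runs it over constructed endpoint telemetry. The pipe-delimited event format, host names, file names and the bracketed ID/e-mail token layout in the encrypted-file name are assumptions; only the command lines, the Startup folder paths and the "ID, e-mail, then .8base" ordering come from the report.

```python
import re

# T1490 Inhibit System Recovery: the recovery-killing commands listed in the ATT&CK table.
T1490_RULES = {
    "wmic shadowcopy delete":     r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin delete catalog":     r"\bwbadmin\b.*\bdelete\b.*\bcatalog\b",
    "vssadmin delete shadows":    r"\bvssadmin\b.*\bdelete\b.*\bshadows\b",
    "bcdedit recoveryenabled no": r"\bbcdedit\b.*\brecoveryenabled\s+no\b",
    "bcdedit bootstatuspolicy":   r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
}
# T1547.001: an executable dropped into one of the Startup folders named in the table.
T1547_RULE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# T1486: ".8base" appended after an ID section and an e-mail address. The bracketed
# token layout is an assumption; only "ID, e-mail, then .8base" comes from the report.
T1486_RULE = re.compile(r"\[[^\]\s]+@[^\]\s]+\]\.8base$", re.I)

def parse_event(line):
    """Parse one constructed pipe-delimited endpoint event: ts|host|kind|subject."""
    ts, host, kind, subject = line.split("|", 3)
    return {"ts": ts, "host": host, "kind": kind, "subject": subject}

def classify(event):
    """Return (technique, label) when an event matches a rule, else None."""
    s = event["subject"]
    if event["kind"] == "process":
        for label, pattern in T1490_RULES.items():
            if re.search(pattern, s, re.I):
                return ("T1490", label)
    elif event["kind"] == "file_write" and T1547_RULE.search(s):
        return ("T1547.001", "startup folder drop")
    elif event["kind"] == "file_rename" and T1486_RULE.search(s):
        return ("T1486", ".8base extension")
    return None

def scan(lines):
    """Run every rule over the telemetry; returns (line_no, host, technique, label)."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            hits.append((n, ev["host"], hit[0], hit[1]))
    return hits

# Constructed sample telemetry, not from the report; the command lines copy the T1490 row.
SAMPLE_EVENTS = [
    "2023-06-28T10:00:01Z|ws01|process|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2023-06-28T10:00:02Z|ws01|process|bcdedit /set {default} recoveryenabled no",
    "2023-06-28T10:00:02Z|ws01|process|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2023-06-28T10:00:03Z|ws01|process|wmic shadowcopy delete",
    "2023-06-28T10:00:03Z|ws01|process|wbadmin delete catalog -quiet",
    "2023-06-28T10:00:05Z|ws01|file_write|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dropper.exe",
    "2023-06-28T10:00:09Z|ws01|file_rename|C:\\Users\\a\\Docs\\q1.xlsx.id[AB12CD34-1234].[contact@example.test].8base",
    "2023-06-28T10:01:00Z|ws02|process|vssadmin list shadows",
    "2023-06-28T10:01:05Z|ws02|file_write|C:\\Users\\b\\Downloads\\report.pdf",
]

if __name__ == "__main__":
    for line_no, host, technique, label in scan(SAMPLE_EVENTS):
        print(f"event {line_no} on {host}: {technique} ({label})")
```

The benign `vssadmin list shadows` and the ordinary PDF write on ws02 produce no hits, which is the false-positive check worth keeping when you port these patterns into a SIEM rule.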