URL: https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
Threat Analysis Unit


8BASE RANSOMWARE: A HEAVY HITTING PLAYER

Deborah Snyder, Fae Carlisle, Dana Behling, Bria Beathley June 28, 2023 18 min read

The 8Base ransomware group has remained relatively unknown despite the massive
spike in activity in Summer of 2023. The group utilizes encryption paired with
“name-and-shame” techniques to compel their victims to pay their ransoms. 8Base
has an opportunistic pattern of compromise with recent victims spanning across
varied industries. Despite the high number of compromises, the information
regarding identities, methodology, and underlying motivation behind these
incidents still remains a mystery.

The speed and efficiency of 8Base’s current operations do not indicate the start
of a new group but rather signify the continuation of a well-established mature
organization. Based on the currently available information, certain aspects of
8Base’s current operations look eerily similar to the ransomware operations we
have seen in the past.


8BASE RANSOMWARE: WHAT WE KNOW



Figure 1: Screenshot of 8Base Ransom Group Leak Site

8Base is a ransomware group that has been active since March 2022 with a
significant spike in activity in June of 2023. Describing themselves as “simple
pen testers”, their leak site provided victim details through Frequently Asked
Questions and Rules sections as well as multiple ways to contact them. What is
interesting about 8Base’s communication style is the use of verbiage strikingly
familiar to another known group, RansomHouse.



Figure 2: Chart of 8Base Ransom Group Activity from March 2022 – June 2023.

Contact information provided on the leak site included the following:

 * Telegram Channel: https://t[.]me/eightbase
 * Twitter: @8BaseHome



Figure 3: Screenshot of 8Base Ransom Group Twitter.

8Base Ransom Group’s top targeted industries include but are not limited to
Business Services, Finance, Manufacturing, and Information Technology.



Figure 4: Chart of 8Base Ransom Group’s Top Targeted Industries

Although the 8Base Ransom Group is not necessarily a new group, their spike in
activity recently has not gone unnoticed. Even within the past 30 days, it is
within the top 2 performing ransom groups. Not much was known publicly about the
kind of ransomware used by 8Base other than the ransom note and that it appends
encrypted files with the extension “.8base”.



Figure 5: Chart comparing 8Base Ransom Group victimization statistics with other
known Ransom Groups.

Analysis conducted by VMware Carbon Black’s TAU and MDR-POC teams revealed
interesting findings and begs the question: “Whose ransom is it anyway?”


THE MYSTERY OF “WHOSE RANSOM IS IT ANYWAY?”


8BASE AND RANSOMHOUSE

While reviewing 8Base, we noticed there were significant similarities between
this group and another group – RansomHouse. It is up for debate on whether
RansomHouse is a real ransomware group or not; the group buys already leaked
data, partners with data leak sites, and then extorts companies for money.

The first similarity was identified during a ransom note comparison project
utilizing the Natural Language Processing model Doc2Vec. Doc2Vec is an
unsupervised machine learning algorithm that converts documents to vectors and
can be used to identify similarities between documents. During this project,
the ransom note of 8Base had a 99% match with RansomHouse’s ransom note. For
comparison, we have provided a snippet of the ransom notes below:



Figure 6: 8Base (blue) compared to RansomHouse (red) ransom notes

Diving deeper, we did a side-by-side comparison of their respective leak sites.
Again, we found the language of the two being nearly identical.



Figure 7: 8Base (blue) compared to RansomHouse (red) welcome pages

The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s
welcome page. This is the case for their Terms of Service pages and FAQ pages as
seen below:





Figure 8: 8Base (blue) compared to RansomHouse (red) terms of service pages



Figure 9: 8Base (blue) compared to RansomHouse (red) FAQ pages

When comparing the two threat actor groups, there are only two major
differences: The first is that RansomHouse advertises its partnerships and is
openly recruiting for partnerships, whereas 8Base is not:



Figure 10: RansomHouse partnership page

The second major difference between the two threat actor groups is their leak
pages, as seen below:



Figure 11: RansomHouse (red) and 8Base (blue) leak pages

Given the similarity between the two, we were presented with the question of
whether 8Base may be an off-shoot of RansomHouse or a copycat. Unfortunately,
RansomHouse is known for using a wide variety of ransomware that is available on
dark markets and doesn’t have its own signature ransomware as a basis for
comparison. Interestingly, while researching 8Base we weren’t able to find a
single ransomware variant either. We stumbled across two very different ransom
notes – one that matched RansomHouse’s and one that matched Phobos. This raised
the question of whether 8Base, similar to RansomHouse, operates by using
different ransomware as well, and if so, whether 8Base is just an offshoot of
RansomHouse.


8BASE AND PHOBOS RANSOMWARE

When searching for a sample of ransomware used by 8Base Ransom Group, a Phobos
sample using a “.8base” file extension on encrypted files was recovered. Could
this be an earlier iteration of the ransomware they would use, or is 8Base using
varieties of ransomware to target their victims? Comparison of Phobos and the
8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with
SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the
ransomware. With Phobos ransomware being available as ransomware-as-a-service
(RaaS), this is not a surprise. Actors are able to customize parts to their
needs, as seen in the 8Base ransom note. Although their ransom notes were
similar, key differences included Jabber instructions and “phobos” in the top
and bottom corners of the Phobos ransom note, while 8Base has “cartilage” in
the top corner, a purple background, and no Jabber instructions, as seen below:





Figure 12: 8Base (blue) compared to Phobos (red) ransom notes

Even though 8Base added their own branding customization by appending “.8base”
to their encrypted files, the format of the entire appended portion was the same
as Phobos which included an ID section, an email address, and then the file
extension.
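To illustrate the appended-name format described above, the following is an added example (not code from the blog post or from VMware) that parses encrypted file names into their ID, email and extension parts and summarizes what a file listing reveals to a responder. The exact delimiters (`<name>.id[<id>].[<email>].8base`) and the sample names are assumptions constructed for this example; the page only states the order: an ID section, an email address, then the extension.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Assumed layout of the appended portion (an assumption for this example):
#   <original name>.id[<victim id>].[<contact email>].8base
# The page only states that the suffix carries an ID, an email, then ".8base".
SUFFIX_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]"
    r"\.(?P<ext>8base)$",
    re.IGNORECASE,
)


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    email: str
    ext: str


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Split one file name into its parts, or None if it does not fit the layout."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["email"], m["ext"].lower())


def scan_names(names: List[str]) -> Tuple[List[EncryptedName], Set[str], Set[str]]:
    """Return parsed hits plus the distinct victim IDs and contact emails seen.

    The ID/email pair is what ties a batch of encrypted files to one campaign
    and to the matching ransom note during incident response.
    """
    hits = [p for p in (parse_encrypted_name(n) for n in names) if p]
    return hits, {h.victim_id for h in hits}, {h.email for h in hits}


# Constructed sample listing (not taken from the page).
SAMPLE = [
    "Q2-report.xlsx.id[AAAAAAAA-1111].[contact@example.invalid].8base",
    "notes.txt.id[AAAAAAAA-1111].[contact@example.invalid].8base",
    "photo.jpg.id[AAAAAAAA-1111].[contact@example.invalid].8BASE",
    "readme.txt",
    "backup.zip.8base",  # bare extension without ID/email does not fit the layout
]

if __name__ == "__main__":
    found, ids, emails = scan_names(SAMPLE)
    print(f"{len(found)} encrypted names, victim IDs {ids}, contact emails {emails}")
```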



Figure 13: 8Base (blue) compared to Phobos (red) file extensions

Additional analysis that appeared unique to 8Base Ransom Group included that the
8Base sample had been downloaded from the domain admlogs25[.]xyz, which appears
to be associated with SystemBC, a proxy and remote administration tool.
SystemBC has been used by other ransomware groups as a way to encrypt and
conceal the destination of the attackers’ Command and Control traffic.


VMWARE CARBON BLACK DETECTION

VMware Carbon Black Managed Detection and Response is effective at detecting
ransomware and ransomware-like behavior as an endpoint detection and response
product. We have provided an Indicators of Compromise section below which can be
used to create rules to detect and prevent the execution of 8Base ransomware.

VMware Carbon Black has an active rule set that is used for the detection of all
ransomware-type malware. This ruleset is sufficient to detect and prevent
malware and provides for the active protection of our customers. For active
customers, we recommend ensuring this ruleset is enabled.

Of course, it is important to attempt to stop ransomware from running in the
first place. As stated in the report, 8Base uses SystemBC to encrypt command and
control traffic and SmokeLoader, which provided initial obfuscation of the
ransomware on ingress, unpacking, and loading of the Phobos ransomware.
Recommendations to prevent this activity would include:

 * Beware of phishing emails: Many threats, including SmokeLoader, are delivered
   via phishing emails. Ensuring personnel are educated on phishing email
   techniques is crucial in prevention efforts.
 * Ensure proper configuration of network monitoring tools, e.g. a SIEM
   solution, to detect and block malware connecting to command and control
   servers. Domains are provided in the IOC section.

The Indicators of Compromise provided below can be invaluable for threat-hunting
purposes. They let security teams identify potential breaches and malicious
activity, investigate proactively, and mitigate threats before they spread. A
vigilant approach to threat hunting that makes use of these indicators helps
organizations stay ahead of potential risks and maintain a robust security
posture.


SUMMARY

Given the nature of the beast that is 8Base, we can only speculate at this time
that they are using several different types of ransomware – either as earlier
variants or as part of their normal operating procedures. What we do know is
that this group is highly active and targets smaller businesses.

Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is
interesting that 8Base is nearly identical to RansomHouse and uses Phobos
Ransomware. At present, 8Base remains one of the top active ransomware groups
this summer (2023).

As with all ransomware, VMware Carbon Black highly recommends its endpoint
detection product given its high performance and ability to catch ransomware
before it magnifies.

 

MITRE ATT&CK TIDs:

 * Tactic: TA0003 Persistence
   Technique: T1547.001 Registry Run Keys / Startup Folder
   Description: Adds the following:
     %AppData%\Local\{malware}
     %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\{malware}
     %AppData%\Roaming\Microsoft\Start Menu\Programs\Startup\{malware}
 * Tactic: TA0007 Discovery
   Technique: T1135 Network Share Discovery
   Description: Uses WNetEnumResource() to crawl network resources
 * Tactic: TA0004 Privilege Escalation
   Technique: T1134.001 Token Impersonation/Theft
   Description: Uses DuplicateToken() to adjust token privileges
 * Tactic: TA0005 Defense Evasion
   Technique: T1562.001 Disable or Modify Tools
   Description: Terminates a long list of processes, which are a mix of commonly
   used applications (example: MS Office applications) and security software.
 * Tactic: TA0005 Defense Evasion
   Technique: T1027.002 Obfuscated File or Information: Software Packing
   Description: SmokeLoader unpacks and loads Phobos to memory
 * Tactic: TA0040 Impact
   Technique: T1490 Inhibit System Recovery
   Description: Runs:
     wmic shadowcopy delete
     wbadmin delete catalog -quiet
     vssadmin delete shadows /all /quiet
     bcdedit /set {default} recoveryenabled no
     bcdedit /set {default} bootstatuspolicy ignoreallfailures
 * Tactic: TA0040 Impact
   Technique: T1486 Data Encrypted for Impact
   Description: Uses AES to encrypt files
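As an added example of turning the Inhibit System Recovery (T1490) and Startup Folder (T1547.001) rows above into detection logic, the following is not code from the blog post or from VMware Carbon Black: it matches the listed command lines and startup-folder writes against constructed process-creation and file-creation log lines and groups hits per host. The `key=value|key=value` log layout, host names and file names are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Set

# Command-line patterns built from the T1490 row of the table above; each is
# matched against a full command line so argument order variations still hit.
RECOVERY_INHIBIT_PATTERNS = {
    "wmic_shadowcopy_delete": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin\b.*\bdelete\b.*\bcatalog\b", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit\b.*\brecoveryenabled\b\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I),
}

# Startup-folder tail shared by the T1547.001 paths (environment variables are
# assumed to be already expanded in the log); any file dropped there is flagged.
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to a single event."""
    tags = [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items()
            if rx.search(event.get("cmdline", ""))]
    if event.get("op") == "file_create" and STARTUP_FOLDER_RE.search(event.get("path", "")):
        tags.append("startup_folder_persistence")
    return tags


def score_hosts(lines: List[str]) -> Dict[str, Set[str]]:
    """Group detections per host: one recovery-inhibit command can be admin
    activity, but several in a row on one host is the ransomware pre-encryption
    pattern and should page an analyst."""
    per_host: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev["host"], set()).update(tags)
    return per_host


# Constructed sample events (not from the page); WS02 shows benign look-alikes.
SAMPLE_LOG = [
    "host=WS01|op=proc_create|cmdline=vssadmin delete shadows /all /quiet",
    "host=WS01|op=proc_create|cmdline=wbadmin delete catalog -quiet",
    "host=WS01|op=proc_create|cmdline=bcdedit /set {default} recoveryenabled no",
    "host=WS01|op=proc_create|cmdline=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "host=WS01|op=proc_create|cmdline=wmic shadowcopy delete",
    "host=WS01|op=file_create|path=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dropper.exe",
    "host=WS02|op=proc_create|cmdline=vssadmin list shadows",
    "host=WS02|op=proc_create|cmdline=bcdedit /enum",
]

if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_LOG).items():
        print(host, sorted(tags))
```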

 

 

Indicators of Compromise:


 
