Our monitoring of ransomware events indicates that during the last weeks there has been a significant growth in instances of compromise claimed by 8base, a ransomware group emerging in 2022 yet scaling its operations from the mid-2023 onwards. In the last ten days alone, 8base claimed 17 victims, making it a growing threat in the ransomware landscape.
Victimology
Based on our monitoring, the majority of the victims are small-medium enterprises (SMEs) that, on average, have between 100 and 250 employees according to their respective LinkedIn pages.
The victimology suggests a prevalence of targets across English-speaking countries in North America (United States, Canada) and the Asia-Pacific (Australia, New Zealand). Consistent with a consolidated global trend, the United States has been the primary target. France stands out as the second most frequently targeted country, with Canada and Italy being impacted to a lower yet significant extent. The United Arab Emirates is the only impacted country outside these regions. (*)
Target Countries By Claimed Event Number (*)
USA, 28
France, 12
Italy, 7
Canada, 7
Australia, 5
Sweden, 4
Spain, 4
Luxembourg, 3
UK, 2
Switzerland, 2
Netherlands, 2
UAE, 1
Norway, 1
New Zealand, 1
Germany, 1
However, it is worth pinpointing that this trend has been emerging in recent weeks. According to a separate analysis by the United States (US) Health Sector Cybersecurity Coordinated Center (published on November 1, 2023), which takes into consideration a broader time scope, Brazil is reported to be among the primary targets. Nonetheless, it is still relevant to focus on the most recent developments in the threat landscape.
Intelligence reports indicate the way 8base selects victims is mainly opportunistic. However, our monitoring suggests there may be a rationale; 8base may be targeting specific sectors where organizations are likely to hold sensitive data pertaining to clients and partners:
In the temporal scope of our monitoring, 8base predominantly targeted businesses linked to the real estate / property management and construction segments. This trend has become more visible during the last week, when approximately 1/3 of the claimed victims are engaged in real estate. A working hypothesis is that the actor seeks access to client data, particularly personally identifiable information. These data are sensitive for security and regulatory reasons. The willingness to prevent their dissemination may pressure victims to accept the actor's demands. (**)
The manufacturing sector has been equally impacted since last November; impacted companies are mainly producers of industrial semi-components or tooling used in complex industrial and energy-related systems. This segment may be targeted due to its critical weight in the industrial supply-chain with subsequent "systemic" pressure that may be perceived by victims.
(**) On this point, as many reputable analyses claim, it is critical to remind that paying ransom is always the wrong choice; there is no actual guarantee of obtaining the exfiltrated data or recovering the encrypted files, and the victim may become a preferential target for future attacks.
Attack Chain
The 8base operation has historically targeted Windows systems via the Phobos ransomware. The infection chain attributed to 8base has been reconstructed in various pieces of analysis (including a SentinelOne profile alongside the US Health Sector Cybersecurity Coordinated Center report referenced above). The main patterns include:
Initial intrusion pursued predominantly via phishing. Malicious email attachments launch scripts that are responsible for downloading and installing an access broker, predominantly SmokeLoader.
The access broker is responsible for loading the ransomware payload which is frequently the abovementioned Phobos ransomware. The latter enumerates local files based on the standard file formats and encrypts them using the typical "8base" extension.
Evasion is achieved via tunnelling C2 traffic with the help of a proxy malware which a Proofpoint analysis dubbed "SystemBC." Additionally, the NETSH utility is used to bypass Windows Defender firewall.
The ransomware proceeds with deleting backups and preventing a system restore; the VSSADMIN utility is used to delete shadow copies, and BCDEDIT disables the ability to launch a recovery mode upon system launch.
Persistence is achieved via creating a registry-run key for the ransomware payload and including it in the Windows startup folder.
Threat Mitigation
Anti-phishing training is critical to mitigate the risk that 8base represents. Particular focus may be dedicated to counter phishing schemes that leverage malicious Microsoft Office and PDF attachments. At the same time, it is worth reminding that the actor may attempt to opportunistically exploit vulnerabilities that allow initial intrusion. For this reason, an appropriate and timely patch management remains important to reduce the actor's window of opportunity.
Monitoring of known indicators of compromise, as well as peculiar behavioral patterns. The latter may include unusual commands that may tamper with Windows Defender firewall (e.g. NETSH), or initiate network communication to C2 communication towards unusual domain names, e.g., those with top-level domain "xyz" have been frequently used as C2 in 8base events. Similarly, unusual modifications of the antivirus / endpoint detection and response software should raise particular suspicion, even though they may be consistent with behavior of malware other than ransomware.
Behavioral patterns to investigate may include file executions involving wscript.exe, cscript.exe, .VBS, .JS, .HTA files as well as PowerShell, commands downloading TXT files, or providing arguments including IEX (New-Object Net.Webclient).downloadstring.
Investigating typical persistence locations such as Startup paths and AppData.
Execution of utilities leveraged by 8base such as NETSH and VSSADMIN.
On the remediation side, maintaining properly isolated backups is essential to pursue an efficient recovery in the event of attacks.
Overlaps With Ransom House
Intelligence reports suggest a connection between 8base and Ransom House, a separate ransomware operation. In fact, 8base has been said to be a spin-off of Ransom House. The linkage between the two has been established based on the common usage of the "8base" file extension, and commonality in the ransom notes, which artificial intelligence-based algorithms scored at 99 percent.
The overlap between the two is quite apparent. Ransom House and 8base are likely to be somehow connected, potentially linked to the same cybercrime operation. Our approach has been to assess what correlations would emerge from analysis of our monitoring data. The research question we put forward in our analysis is the following - is there any pattern in the ways seemingly linked cybercrime operations leverage the 8base and Ransom House "brands"?
It is important to start from a disclaimer:
Our analysis is focused on a relatively short time scope - i.e., November 1, 2023-January 31, 2024. While data and the subsequent analysis may be influenced by this temporal scope, the data may also reflect a very recent trend. Therefore, they may be relevant in light of recent developments in the threat landscape.
In the timeframe reflected in our dataset, Ransom House claimed seven victims, a number significantly lower than the total of 80 claimed by 8base. As a result, a comparative analysis needs to take into consideration that the Ransom House data sample is much smaller than the one available for 8base.
In the timeframe we examined, in fact, we observed more differences than commonalities. The main commonality regards the organizational size of the victims. Like for 8base, all Ransom House victims were SMEs, with only one notable exception (a large financial institution). The differences are much more apparent, and include:
Expanded geographical scope; Ransom House targeted countries in regions where 8base events have not been observed, including Malaysia and the Dominican Republic.
Targeting of different sectors; the sectors impacted by Ransom House include healthcare, financial services and insurances, sectors that were impacted only minimally by 8base in the same timeframe.
A working hypothesis may be that 8base and Ransom House are in fact the same operation. But such operation may be using different "brands" depending on target sectors and geographies. This may be a tactical move enabling the cybercriminals to diversify the online presence, and maintain continuity of operations in the event of law enforcement operation against one of the two "brands." At the same time, this remains a hypothesis that requires a larger dataset to be confirmed.