Cybersecurity Snapshots - 8Base Ransomware Group

By aekwall 

According to security researchers at WithSecure, 8Base, Alphv/BlackCat, Clop, LockBit, and Play accounted for over half of data leaks in the first nine months of 2023. Security researchers noted that the leak site associated with 8Base contains posts dating back to March 2022, which indicates the group emerged in 2022. It is interesting, however, that the group's Telegram channel was only created in May 2023. According to the Health Sector Cybersecurity Coordination Center (HC3), the group may have only recently started to disclose its victims publicly. The HC3 noted that since 8Base's first known activity in March 2022, the group remained relatively quiet, with few notable attacks. However, in June 2023, the ransomware group saw a sharp increase in activity, targeting many companies in various industries, including the Healthcare and Public Health (HPH) sector.

8Base mainly targets Small to Medium-sized Businesses (SMBs) based in the United States, Brazil, and the United Kingdom. Other affected countries include Australia, Germany, Canada, and China. The HC3 found that 8Base has not targeted any ex-Soviet or Commonwealth of Independent States (CIS) countries. The HC3 noted that while no known correlation to Russia or other Russian-speaking RaaS groups or affiliates exists, this geographic exclusion pattern is a hallmark of many Russian-speaking threat actors. When looking at the companies attacked by the group, the HC3 noted that most of them are SMBs operating in the professional services industry, such as accounting, law and legal services, and business services. Apart from professional services, companies in the manufacturing, construction, finance, insurance, and healthcare industries are also targeted.

Regarding the technical details of the group, 8Base ransomware payloads enumerate all available local drives and rapidly encrypt files with standard data extensions using AES-256 in CBC mode. The HC3 noted that any attached share or drive volume is also subject to the encryption process. Once encrypted, files have the .8base extension appended to them, sometimes accompanied by the victim ID and attacker email address. The HC3 noted that local firewall rules are modified to allow the threat actor to evade Windows Defender's Advanced Firewall capabilities. The ransomware attempts to remove Volume Shadow Copies (VSS); payloads have been observed using either one or both of two methods, WMIC and VSSADMIN. In addition, BCDEDIT.EXE is used to modify the infected host's startup policy, disabling recovery mode and related features. The HC3 noted that persistence is achieved via entries in the Windows Startup folder and in the registry. 8Base ransom notes are written to affected folders as both text and .HTA files.

According to the HC3, detecting 8Base ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. The HC3 noted that it is essential to take a multi-layered approach, as with any other ransomware. The HC3 suggests that organizations use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. Organizations should monitor network traffic and look for indicators of compromise, such as unusual traffic patterns or communication with known command-and-control servers. Companies should also conduct regular security audits and assessments to identify network and system vulnerabilities and to ensure that all security controls are in place and functioning properly. Educating and training employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats, is also important. Lastly, the HC3 recommends that organizations implement a robust backup and recovery plan so that a copy of the organization's data exists and can be restored in case of an attack.
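As an added example (not code from the HC3 report or from the original article), the following Python detector turns the host behaviours listed in the technical paragraph above into detection logic of the kind the HC3's multi-layered approach calls for: shadow-copy deletion via VSSADMIN or WMIC, BCDEDIT recovery tampering, files renamed with the .8base extension, and Startup-folder persistence. It runs over constructed, Sysmon-style host events embedded inline; the event field names, host names, file paths, the victim ID, and the e-mail address are all assumptions made up for this example and should be mapped onto your own telemetry schema.

```python
"""Behavioural detector for the 8Base host actions described in the article.

Input is a list of constructed, Sysmon-style events (process creation and
file creation/rename). The field names ("host", "kind", "image", "cmdline",
"target") are an assumed schema for this example, not a real product's API.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry. Host "WS-1" shows the chain the article
# describes; host "WS-2" shows benign admin activity that must not alert.
# Paths, victim ID and e-mail address are invented placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-1", "kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-1", "kind": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-1", "kind": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-1", "kind": "file", "image": r"C:\Users\Public\payload.exe",
     "target": r"C:\Users\alice\Documents\q3.xlsx.id[ABCD1234].[mail@example.invalid].8base"},
    {"host": "WS-1", "kind": "file", "image": r"C:\Users\Public\payload.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"},
    {"host": "WS-2", "kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS-2", "kind": "file", "image": r"C:\Program Files\Office\excel.exe",
     "target": r"C:\Users\bob\Documents\budget.xlsx"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tag_event(evt: dict) -> List[str]:
    """Return the behaviour tags a single event matches (empty if benign)."""
    tags: List[str] = []
    if evt.get("kind") == "process":
        exe = _basename(evt.get("image", ""))
        cmd = evt.get("cmdline", "").lower()
        # Volume Shadow Copy removal via VSSADMIN or WMIC (article: "WMIC and VSSADMIN").
        if exe == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            tags.append("vss_delete")
        if exe == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
            tags.append("vss_delete")
        # Startup-policy tampering via BCDEDIT (article: disabling recovery mode).
        if exe == "bcdedit.exe" and re.search(r"recoveryenabled|bootstatuspolicy", cmd):
            tags.append("boot_recovery_tamper")
    elif evt.get("kind") == "file":
        target = evt.get("target", "").lower()
        # Encrypted files carry the .8base suffix, possibly after a victim ID and e-mail.
        if target.endswith(".8base"):
            tags.append("8base_extension")
        # Persistence via the per-user Startup folder (article: "Windows Startup folder").
        if "\\start menu\\programs\\startup\\" in target:
            tags.append("startup_folder_persistence")
    return tags


def score_hosts(events: List[dict]) -> Dict[str, dict]:
    """Aggregate tags per host and assign a severity.

    Shadow-copy deletion combined with the .8base extension is treated as the
    strongest signal because it matches the article's full encryption chain.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for evt in events:
        per_host[evt["host"]].update(tag_event(evt))
    result = {}
    for host, tags in per_host.items():
        if "8base_extension" in tags and "vss_delete" in tags:
            severity = "critical"
        elif len(tags) >= 2:
            severity = "high"
        elif tags:
            severity = "medium"
        else:
            severity = "none"
        result[host] = {"tags": sorted(tags), "severity": severity}
    return result


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict['severity']} {verdict['tags']}")
```

The single-event rules are deliberately narrow (a bare `vssadmin list shadows` on WS-2 produces no tag), and the host-level scoring is where confidence is built: any one of these behaviours has legitimate uses, but shadow-copy deletion followed by mass renames to the .8base extension on the same host has essentially none, which is why that pairing is rated highest.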


Submitted by Gregory Rigby on