Ransomware Group

8Base

With its adept use of double-extortion tactics and a repertoire that includes modified variants of known ransomware like Phobos, 8Base has orchestrated significant cyber incidents, impacting numerous organizations worldwide with its relentless and evolving strategies.


The Origin of 8Base

Surfacing in April 2022, 8Base distinguishes itself through double extortion: data is stolen before it is encrypted, and the threat of publishing it is used alongside the encryption to pressure victims into paying. The method has gained traction among ransomware operators because it works even against victims that have good backups.

The group's origin and the full extent of its activities, methods and motives remain largely unknown.

Researchers found the group using a modified Phobos ransomware variant that appends '.8base' to encrypted files. Some in the security community believe 8Base's infrastructure was built with the leaked Babuk builder, a toolset leaked from another ransomware operation; others think the group is an offshoot of RansomHouse.

Source: SOCRadar, VMware

Targets

8Base's Targets

Countries targeted by 8Base

8Base mostly targeted companies based in the United States, Brazil and the United Kingdom.

Source: SOCRadar

Industries Targeted by 8Base

8Base focuses its attacks mainly on small and medium-sized enterprises (SMEs) spanning a range of industries.

The group demonstrates a particular interest in sectors such as business services, finance, manufacturing, and information technology.

This specific targeting might stem from the belief that companies in these fields are more likely to afford substantial ransom payments, or perhaps because the data they hold is deemed more sensitive or valuable.

Source: SOCRadar


8Base's Victims

According to Ransomware.live, at least 356 victims have been posted to 8Base's leak site to date.

Source: Ransomware.live


TTPs & Tools

8Base’s Attack Method


Initial Access

8Base commonly gains its first foothold in one of two ways: phishing campaigns that deliver a concealed payload, or scanning for Remote Desktop Protocol (RDP) services exposed to the internet with tools such as Angry IP Scanner.

Exposed RDP services are then attacked with credential brute forcing. The operators also research and profile the target organization before connecting to the hosts they have identified, so a successful RDP logon is typically the first step of a planned intrusion rather than an opportunistic one.
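The RDP brute-force pattern described above leaves a recognisable trail in Windows Security logs: a burst of failed logons (Event ID 4625) from one source address followed by a successful logon (Event ID 4624) with LogonType 10, which is RemoteInteractive, i.e. RDP. The following is an added detection example written for this page; it is not code from 8Base, Phobos or Vectra. The events are constructed and already parsed into dicts with the field names `time`, `event_id`, `ip`, `user` and `logon_type`, which are this example's own naming rather than the raw Windows XML field names.

```python
"""Detect RDP brute force that ends in a successful logon.

Added example for this page; it is not code from 8Base, Phobos or Vectra.
Input is a constructed, simplified list of Windows Security events: 4625
(failed logon) and 4624 (successful logon), already parsed into dicts with
the fields a SIEM would extract.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures from one source IP inside WINDOW
WINDOW = timedelta(minutes=5)      # sliding window for counting failures
RDP_LOGON_TYPE = 10                # LogonType 10 = RemoteInteractive (RDP)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, account, failure_count, success_time).

    An alert fires when a source IP has produced at least `threshold` 4625
    events within `window` and then produces a 4624 with LogonType 10 from
    the same IP. Counting per IP rather than per account means a spray across
    many usernames is still caught. Events must be in chronological order.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # drop stale failures
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ts)
        elif ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            if len(recent) >= threshold:
                alerts.append((ip, ev["user"], len(recent), ev["time"]))
                recent.clear()      # one alert per burst
    return alerts


def _ev(time, event_id, ip, user, logon_type=None):
    """Build one constructed event record (hypothetical field names)."""
    return {"time": time, "event_id": event_id, "ip": ip, "user": user,
            "logon_type": logon_type}


# Constructed sample data. 203.0.113.7 sprays six accounts in three minutes and
# then logs in over RDP; 10.0.0.5 is a user who mistyped a password twice.
SAMPLE_EVENTS = [
    _ev("2024-01-10T02:00:00", 4625, "203.0.113.7", "administrator"),
    _ev("2024-01-10T02:00:02", 4625, "10.0.0.5", "jsmith"),
    _ev("2024-01-10T02:00:30", 4625, "203.0.113.7", "admin"),
    _ev("2024-01-10T02:00:35", 4625, "10.0.0.5", "jsmith"),
    _ev("2024-01-10T02:00:40", 4624, "10.0.0.5", "jsmith", logon_type=10),
    _ev("2024-01-10T02:01:00", 4625, "203.0.113.7", "backup"),
    _ev("2024-01-10T02:01:30", 4625, "203.0.113.7", "scanner"),
    _ev("2024-01-10T02:02:00", 4625, "203.0.113.7", "helpdesk"),
    _ev("2024-01-10T02:02:30", 4625, "203.0.113.7", "backup_admin"),
    _ev("2024-01-10T02:03:00", 4624, "203.0.113.7", "backup_admin", logon_type=10),
]

if __name__ == "__main__":
    for ip, user, count, when in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {when}: {count} failed logons from {ip} then RDP success as {user}")
```

Keying the failure count on the source IP rather than on the account is what catches a password spray, where each username sees only one or two failures. The threshold and window are tuning knobs: a public-facing RDP host will see constant background brute forcing, so the signal worth paging on is the failure burst that is followed by a success, not the failures alone.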

Privilege Escalation

Once inside, 8Base escalates privileges through access token impersonation and theft (MITRE ATT&CK T1134.001).

The malware duplicates the access token of a higher-privileged process with the Win32 DuplicateToken() function and then runs under that token, inheriting its privileges.

Because this reuses an existing token rather than creating a new account or logon, it leaves fewer traces than other escalation methods, which is why the step usually goes unnoticed until the attackers have already reached more sensitive parts of the system.

Defense Evasion

To stay undetected, 8Base relies on two main techniques.

The ransomware terminates a long list of processes, including everyday applications such as Microsoft Office, which would otherwise hold target files open and block encryption, and security software, leaving the host less able to observe or resist the attack.

The Phobos payload is also delivered in packed form and unpacked only in memory, so the file written to disk does not match known signatures and static scanners see little of the actual ransomware code.

Credential Access

For this phase the group is mapped to Input Capture (T1056) and OS Credential Dumping (T1003); see the ATT&CK mapping below.

Discovery

In the discovery phase, 8Base enumerates network shares with the Win32 WNetEnumResource() function, crawling reachable network resources methodically.

This tells the attackers where valuable data resides and how the network is laid out, which feeds directly into lateral movement and collection.

Lateral Movement

Mapped to Taint Shared Content (T1080): the network shares found during discovery are used to spread, so anything reachable over those shares is within the blast radius.

Collection

Data is collected from the local system (T1005), staged (T1074) and archived (T1560) in preparation for the theft side of the double-extortion scheme.

Execution

Mapped to Shared Modules (T1129) and Command and Scripting Interpreter (T1059): the payload is loaded through the Windows module loader, and the system commands it issues run through the command shell.

Exfiltration

Stolen data leaves the network over the existing command-and-control channel (T1041), which itself runs over an ordinary application-layer protocol (T1071) to blend into normal traffic.
Impact

The impact phase is where 8Base's activity culminates in disruption for the victim.

Before encrypting, the ransomware runs commands that inhibit system recovery (T1490): it deletes Volume Shadow Copies, deletes the Windows backup catalog and modifies the boot configuration so that Windows will not start automatic repair or recovery.

Files are then encrypted with AES and renamed with the '.8base' extension. With the local recovery paths removed, victims are left with offline backups or the ransom as their only routes back to the data, which is exactly the pressure the group relies on.
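The recovery-inhibiting commands described above are one of the most reliable detection points in a Phobos-family intrusion, because they run as ordinary child processes a few seconds before encryption starts. The following is an added detection example written for this page; it is not code from 8Base, Phobos or Vectra. It runs over constructed process-creation records (the command-line field of Sysmon Event ID 1 or Security Event ID 4688) using the command shapes commonly documented for Phobos (vssadmin, wmic shadowcopy, bcdedit, wbadmin); the `host` and `cmdline` field names are this example's own.

```python
"""Flag hosts whose process-creation telemetry shows recovery being inhibited.

Added example for this page; not code from 8Base, Phobos or Vectra. Input is a
constructed list of process-creation events (the command-line field of Sysmon
Event ID 1 or Security Event ID 4688) already parsed into dicts.
"""
import re
from collections import defaultdict

# Command-line shapes that remove local recovery options (MITRE ATT&CK T1490).
# Matching is on the lower-cased command line, unanchored, so a command that
# is wrapped in "cmd.exe /c ..." is still recognised.
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
]


def classify_command(cmdline):
    """Return the labels of every recovery-inhibiting pattern the command matches."""
    lowered = cmdline.lower()
    return [label for label, rx in INHIBIT_RECOVERY_PATTERNS if rx.search(lowered)]


def detect_inhibit_recovery(events, min_distinct=2):
    """Return {host: sorted labels} for hosts that ran at least `min_distinct`
    different recovery-inhibiting commands.

    A single `vssadmin delete shadows` can be a storage admin reclaiming space;
    shadow copies, backup catalog and boot configuration all being attacked on
    one host in one batch is the ransomware pre-encryption pattern, so the
    threshold is on distinct techniques rather than on raw event count.
    """
    seen = defaultdict(set)
    for ev in events:
        for label in classify_command(ev["cmdline"]):
            seen[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in seen.items()
            if len(labels) >= min_distinct}


# Constructed sample. WS01 is an admin inspecting state (read-only commands);
# FS02 shows the batch of commands Phobos-family ransomware runs before encrypting.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS01", "cmdline": "bcdedit /enum"},
    {"host": "FS02", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "FS02", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS02", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "FS02", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS02", "cmdline": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for host, labels in detect_inhibit_recovery(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: inhibit system recovery (T1490) via {', '.join(labels)}")
```

The read-only commands on WS01 (`vssadmin list shadows`, `bcdedit /enum`) do not match because every pattern requires the destructive verb, so a storage or boot-config query does not page anyone. The distinct-technique threshold is the practical compromise: a lone shadow-copy deletion deserves a low-severity ticket, while two or more of these on one host inside the same batch is a reason to isolate the machine immediately, since encryption normally follows within seconds.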

MITRE ATT&CK Mapping

TTPs used by 8Base

TA0001: Initial Access
T1566: Phishing
T1133: External Remote Services

TA0002: Execution
T1129: Shared Modules
T1059: Command and Scripting Interpreter

TA0003: Persistence
T1547: Boot or Logon Autostart Execution
T1053: Scheduled Task/Job

TA0004: Privilege Escalation
T1547: Boot or Logon Autostart Execution
T1053: Scheduled Task/Job

TA0005: Defense Evasion
T1497: Virtualization/Sandbox Evasion
T1222: File and Directory Permissions Modification
T1202: Indirect Command Execution
T1112: Modify Registry
T1036: Masquerading
T1070: Indicator Removal
T1564: Hide Artifacts
T1562: Impair Defenses

TA0006: Credential Access
T1056: Input Capture
T1003: OS Credential Dumping

TA0007: Discovery
T1497: Virtualization/Sandbox Evasion
T1518: Software Discovery
T1083: File and Directory Discovery
T1082: System Information Discovery
T1057: Process Discovery

TA0008: Lateral Movement
T1080: Taint Shared Content

TA0009: Collection
T1560: Archive Collected Data
T1074: Data Staged
T1005: Data from Local System

TA0011: Command and Control
T1071: Application Layer Protocol

TA0010: Exfiltration
T1041: Exfiltration Over C2 Channel

TA0040: Impact
T1490: Inhibit System Recovery
T1485: Data Destruction

Platform Detections

How to Detect 8Base with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is 8Base and how does it operate?

8Base is a ransomware group known for its aggressive extortion tactics, primarily targeting small to medium-sized businesses across various sectors.

It employs a sophisticated attack chain that includes privilege escalation, defense evasion, and data encryption to extort ransoms from its victims.

How does 8Base gain initial access to networks?

8Base typically gains initial access through phishing emails or by brute-forcing exposed Remote Desktop Protocol (RDP) services, using these footholds to deploy its ransomware inside the targeted network.

What sectors are most at risk from 8Base attacks?

8Base has shown a preference for attacking businesses in the business services, finance, manufacturing, and information technology sectors, likely due to the sensitive nature of their data and their perceived ability to pay larger ransoms.

What techniques does 8Base use for privilege escalation?

8Base uses token impersonation and theft for privilege escalation, manipulating system tokens to gain higher access levels within compromised systems.

How does 8Base evade detection and defense mechanisms?

8Base employs techniques like terminating security-related processes and obfuscating malicious files through software packing to evade detection by traditional security tools.

How can organizations detect and respond to 8Base intrusions?

Organizations can enhance their detection and response capabilities by implementing an AI-driven threat detection platform which provides real-time analysis and detection of ransomware activities characteristic of groups like 8Base.

What impact does 8Base have on compromised organizations?

8Base's impact includes the encryption of sensitive files, inhibition of system recovery efforts, and potential data exfiltration, leading to operational disruption, financial loss, and reputational damage.

What are effective preventative measures against 8Base ransomware attacks?

Effective measures include regular data backups, employee training on phishing awareness, timely patching of vulnerabilities, and deploying advanced security solutions capable of detecting and mitigating ransomware activities.

Can 8Base be linked to any other ransomware groups or activities?

There is speculation that 8Base may have ties to, or may have evolved from, other ransomware groups such as RansomHouse, based on similarities in their operational tactics and in the wording of their ransom notes and leak sites.

What tools or strategies can cybersecurity professionals use to investigate 8Base incidents?

Cybersecurity professionals can leverage forensic analysis tools, threat intelligence platforms, and AI-driven security solutions to investigate incidents, uncover attack vectors, and identify indicators of compromise (IOCs) related to 8Base activities.