8base
With its adept use of double-extortion tactics and a repertoire that includes modified variants of known ransomware like Phobos, 8Base has orchestrated significant cyber incidents, impacting numerous organizations worldwide with its relentless and evolving strategies.
The Origin of 8Base
Surfacing in April 2022, 8Base distinguishes itself with the employment of double-extortion tactics, a method that has gained traction among cybercriminals for its efficacy in exerting pressure on victims.
The origin and the full spectrum of the group's activities, methodologies, and driving motives largely remain enshrouded in mystery.
Researchers found the group to be using the Phobos ransomware variant that they modified to append '.8base' to encrypted files. There is a prevailing belief among some cybersecurity circles that 8Base's infrastructure was developed using the leaked Babuk builder—a toolset leaked from another notorious ransomware operation.
Others think it is an offshoot of RansomHouse.
Targets
8Base's Targets
Countries targeted by 8Base
8base mostly targeted companies based in the United States, Brazil and the United Kingdom.
Source: SOCRadar
Industries Targeted by 8Base
8Base focuses its attacks mainly on small and medium-sized enterprises (SMEs) spanning a range of industries.
The group demonstrates a particular interest in sectors such as business services, finance, manufacturing, and information technology.
This specific targeting might stem from the belief that companies in these fields are more likely to afford substantial ransom payments, or perhaps because the data they hold is deemed more sensitive or valuable.
Source: SOCRadar
Industries Targeted by 8Base
8Base focuses its attacks mainly on small and medium-sized enterprises (SMEs) spanning a range of industries.
The group demonstrates a particular interest in sectors such as business services, finance, manufacturing, and information technology.
This specific targeting might stem from the belief that companies in these fields are more likely to afford substantial ransom payments, or perhaps because the data they hold is deemed more sensitive or valuable.
Source: SOCRadar
8Base's Victims
To date, more than 356 victims have fallen prey to 8Base’s malicious operations.
Source: Ransomware.live
Attack Method
8Base’s Attack Method
8Base hackers often initiate their attacks by deploying phishing campaigns to deliver concealed payloads or utilizing tools like Angry IP Scanner to identify and exploit vulnerable Remote Desktop Protocol (RDP) ports.
They employ brute force attacks to access exposed RDP services, subsequently conducting research to profile their victims and establish connections with the targeted IPs.
8Base advances its control over compromised systems by executing token impersonation and theft.
This technique involves manipulating system tokens with the DuplicateToken() function, allowing the attackers to elevate their privileges discreetly.
This critical step ensures they can access more sensitive areas of the system without immediate detection.
To maintain stealth and avoid detection by security defenses, 8Base employs a couple of key strategies.
They terminate a variety of processes, targeting both commonly used applications, like MS Office, and security software, to create a more vulnerable environment for their malicious activities.
Additionally, they utilize software packing to obfuscate malicious files, specifically packing Phobos ransomware into memory, making it harder for security tools to identify and block the malware.
In the discovery phase, 8Base conducts network share discovery using the WNetEnumResource() function to methodically crawl through network resources.
This allows them to identify valuable targets and understand the network's structure, facilitating more effective lateral movement and data collection.
The impact phase is where 8Base's actions culminate in significant disruption for the victim.
They execute commands that inhibit system recovery, including deleting shadow copies, backup catalogs, and modifying boot configurations to prevent system repairs.
These actions, combined with the use of AES encryption to lock files, not only make data recovery challenging but also increase the pressure on victims to comply with ransom demands.
This phase demonstrates 8Base's ability to not just breach and navigate systems but to leave a lasting impact on the affected organizations.
Initial Access
8Base hackers often initiate their attacks by deploying phishing campaigns to deliver concealed payloads or utilizing tools like Angry IP Scanner to identify and exploit vulnerable Remote Desktop Protocol (RDP) ports.
They employ brute force attacks to access exposed RDP services, subsequently conducting research to profile their victims and establish connections with the targeted IPs.
Privilege Escalation
8Base advances its control over compromised systems by executing token impersonation and theft.
This technique involves manipulating system tokens with the DuplicateToken() function, allowing the attackers to elevate their privileges discreetly.
This critical step ensures they can access more sensitive areas of the system without immediate detection.
Defense Evasion
To maintain stealth and avoid detection by security defenses, 8Base employs a couple of key strategies.
They terminate a variety of processes, targeting both commonly used applications, like MS Office, and security software, to create a more vulnerable environment for their malicious activities.
Additionally, they utilize software packing to obfuscate malicious files, specifically packing Phobos ransomware into memory, making it harder for security tools to identify and block the malware.
Credential Access
Discovery
In the discovery phase, 8Base conducts network share discovery using the WNetEnumResource() function to methodically crawl through network resources.
This allows them to identify valuable targets and understand the network's structure, facilitating more effective lateral movement and data collection.
Lateral Movement
Collection
Execution
Exfiltration
Impact
The impact phase is where 8Base's actions culminate in significant disruption for the victim.
They execute commands that inhibit system recovery, including deleting shadow copies, backup catalogs, and modifying boot configurations to prevent system repairs.
These actions, combined with the use of AES encryption to lock files, not only make data recovery challenging but also increase the pressure on victims to comply with ransom demands.
This phase demonstrates 8Base's ability to not just breach and navigate systems but to leave a lasting impact on the affected organizations.
MITRE ATT&CK Mapping
TTPs used by 8Base
TA0001: Initial Access
T1566
Phishing
T1133
External Remote Services
TA0002: Execution
T1129
Shared Modules
T1059
Command and Scripting Interpreter
TA0003: Persistence
T1547
Boot or Logon Autostart Execution
T1053
Scheduled Task/Job
TA0004: Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1053
Scheduled Task/Job
TA0005: Defense Evasion
T1497
Virtualization/Sandbox Evasion
T1222
File and Directory Permissions Modification
T1202
Indirect Command Execution
T1112
Modify Registry
T1036
Masquerading
T1070
Indicator Removal
T1564
Hide Artifacts
T1562
Impair Defenses
TA0006: Credential Access
T1056
Input Capture
T1003
OS Credential Dumping
TA0007: Discovery
T1497
Virtualization/Sandbox Evasion
T1518
Software Discovery
T1083
File and Directory Discovery
T1082
System Information Discovery
T1057
Process Discovery
TA0008: Lateral Movement
T1080
Taint Shared Content
TA0009: Collection
T1560
Archive Collected Data
T1074
Data Staged
T1005
Data from Local System
TA0011: Command and Control
T1071
Application Layer Protocol
TA0010: Exfiltration
T1041
Exfiltration Over C2 Channel
TA0040: Impact
T1490
Inhibit System Recovery
T1485
Data Destruction
Platform Detections
How to Detect 8Base with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is 8Base and how does it operate?
8Base is a ransomware group known for its aggressive extortion tactics, primarily targeting small to medium-sized businesses across various sectors.
It employs a sophisticated attack chain that includes privilege escalation, defense evasion, and data encryption to extort ransoms from its victims.
How does 8Base gain initial access to networks?
8Base typically gains initial access through phishing emails or exploit kits, using these vectors to deploy their ransomware or gain footholds in targeted systems.
What sectors are most at risk from 8Base attacks?
8Base has shown a preference for attacking businesses in the business services, finance, manufacturing, and information technology sectors, likely due to the sensitive nature of their data and their perceived ability to pay larger ransoms.
What techniques does 8Base use for privilege escalation?
8Base uses token impersonation and theft for privilege escalation, manipulating system tokens to gain higher access levels within compromised systems.
How does 8Base evade detection and defense mechanisms?
8Base employs techniques like terminating security-related processes and obfuscating malicious files through software packing to evade detection by traditional security tools.
How can organizations detect and respond to 8Base intrusions?
Organizations can enhance their detection and response capabilities by implementing an AI-driven threat detection platform which provides real-time analysis and detection of ransomware activities characteristic of groups like 8Base.
What impact does 8Base have on compromised organizations?
8Base's impact includes the encryption of sensitive files, inhibition of system recovery efforts, and potential data exfiltration, leading to operational disruption, financial loss, and reputational damage.
What are effective preventative measures against 8Base ransomware attacks?
Effective measures include regular data backups, employee training on phishing awareness, timely patching of vulnerabilities, and deploying advanced security solutions capable of detecting and mitigating ransomware activities.
Can 8Base be linked to any other ransomware groups or activities?
There is speculation that 8Base may have ties to or may have evolved from other ransomware groups like RansomHouse, based on similarities in their operational tactics and verbal communication styles.
What tools or strategies can cybersecurity professionals use to investigate 8Base incidents?
Cybersecurity professionals can leverage forensic analysis tools, threat intelligence platforms, and AI-driven security solutions to investigate incidents, uncover attack vectors, and identify indicators of compromise (IOCs) related to 8Base activities.