8Base Group Launches New Variant of Phobos Ransomware through SmokeLoader

The individuals responsible for the 8Base ransomware are using a version of the Phobos ransomware to carry out their financially driven attacks.

Nov 18, 2023 - 13:00

The 8Base ransomware group is conducting its cyber attacks using a modified version of the Phobos ransomware, according to recent insights from Cisco Talos. This uptick in 8Base's activities, mainly driven by financial motives, has been observed since the group's emergence in early 2023.

Cisco Talos security researcher Guilherme Venere noted in a detailed two-part report that 8Base primarily distributes its ransomware through SmokeLoader, a well-known backdoor trojan. Unlike typical deployments, where SmokeLoader fetches additional payloads from a remote server, in 8Base's operations the ransomware component is carried directly inside SmokeLoader's encrypted payloads. That payload is decrypted and executed in SmokeLoader's own process memory.

Initially gaining attention in mid-2023, 8Base has been active since at least March 2022. VMware Carbon Black’s analysis in June 2023 drew parallels between 8Base and RansomHouse, and also uncovered a Phobos ransomware strain utilizing the ".8base" file extension for its encrypted files. This discovery suggested that 8Base might be either an evolution of Phobos or that its operators are repurposing existing ransomware for their attacks, similar to the tactics of the Vice Society ransomware group.

Cisco Talos’s findings further detail how SmokeLoader is used to launch the Phobos ransomware. This involves several steps like establishing persistence on the victim’s system, terminating processes to free up target files, disabling system recovery, and erasing backups and shadow copies. A distinctive feature of this ransomware is its approach to file encryption: it fully encrypts files smaller than 1.5 MB and partially encrypts larger ones to expedite the process.

Additionally, the ransomware carries a comprehensive configuration with over 70 settings, encrypted with a fixed key. This configuration includes advanced features such as bypassing User Account Control (UAC) and notifying an external URL about the infection. The ransomware also uses a hard-coded RSA public key to protect the AES key used for encrypting files. Talos points out that whoever holds the corresponding private RSA key could decrypt files impacted by any Phobos variant since 2019.

"Each file, once encrypted, has the key used for its encryption, along with other metadata, secured using RSA-1024 with a hardcoded public key and appended to the file's end," Venere explained. "However, this also implies that decrypting files encrypted by any Phobos variant since 2019 could be feasible once the private RSA key is obtained."
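The partial-encryption behaviour described above (full encryption below 1.5 MB, partial encryption of larger files) is something a responder can check for in recovered files with an entropy scan. The following is an added example, not code from the article or the Talos report: it assumes the encrypted run sits at the start of the file, and its 4 KiB window and 7.2 bits/byte threshold are constructed choices; the actual Phobos on-disk layout is not detailed on this page.

```python
import math
import random
from collections import Counter

BLOCK = 4096              # scan window; constructed choice, not a Phobos constant
ENTROPY_THRESHOLD = 7.2   # bits/byte; ciphertext and random data sit near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_regions(data: bytes, block: int = BLOCK, threshold: float = ENTROPY_THRESHOLD):
    """Byte ranges (start, end) whose windows exceed the threshold, adjacent windows merged."""
    regions = []
    for off in range(0, len(data), block):
        end = min(off + block, len(data))
        if shannon_entropy(data[off:end]) < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend the previous high-entropy run
        else:
            regions.append((off, end))
    return regions

def classify(data: bytes) -> str:
    """'plain' (no high-entropy window), 'full' (every window) or 'partial'."""
    regions = encrypted_regions(data)
    if not regions:
        return "plain"
    covered = sum(end - start for start, end in regions)
    return "full" if covered == len(data) else "partial"

# Constructed inputs standing in for recovered files; the "ciphertext" is seeded random bytes.
def constructed_plaintext(size: int) -> bytes:
    line = b"The quick brown fox jumps over the lazy dog.\n"
    return (line * (size // len(line) + 1))[:size]

def constructed_ciphertext(size: int, seed: int = 1234) -> bytes:
    return random.Random(seed).randbytes(size)

def constructed_partial(size: int = 64 * 1024, prefix: int = 16 * 1024) -> bytes:
    # Models a large file whose leading `prefix` bytes were encrypted and the rest left intact.
    return constructed_ciphertext(prefix) + constructed_plaintext(size)[prefix:]
```

`classify(constructed_partial())` returns `"partial"` with `encrypted_regions` reporting a single run at `(0, 16384)`; on a real case the same scan over many files shows at a glance which ones were only partially encrypted and may retain recoverable data.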

Phobos Ransomware

Phobos ransomware, which first surfaced in 2019, is a derivative of the Dharma (Crysis) ransomware. It primarily manifests through variations like Eking, Eight, Elbie, Devos, and Faust, as per the substantial number of artifacts found on VirusTotal.

“These samples, essentially identical in source code, were designed to avoid encrypting files already locked by other Phobos affiliates, although slight configuration differences were noted depending on the variant used,” stated Guilherme Venere from Cisco Talos. “This is evident from a file extension block list in each ransomware's configuration.”

Cisco Talos deduces that Phobos operates under centralized control and is sold as Ransomware-as-a-Service (RaaS) to various affiliates. This conclusion is based on the consistent use of a single RSA public key across samples, the diverse contact emails, and the regular updates to the ransomware's extension block lists.

“The changing extension block lists in numerous Phobos samples suggest an ongoing update, reflecting newly targeted files in prior Phobos campaigns. This supports the notion of a central figure overseeing the ransomware's deployment, possibly to avoid operational overlap among Phobos affiliates,” explained Venere.

In related developments, FalconFeeds reported that a sophisticated ransomware named UBUD is being marketed. Developed in C, it features advanced evasion techniques against virtual machines and debugging tools.

This news comes alongside a unique move by the BlackCat ransomware group, which filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink. The group accused MeridianLink of not adhering to new SEC regulations that mandate companies to report cyber incidents within four business days. While MeridianLink confirmed the November 10 cyberattack, it reported no unauthorized system access.

With the SEC’s new disclosure rules effective December 18, this tactic by BlackCat underscores how cybercriminals are keenly observing regulatory changes, potentially using them to pressure victims into paying ransoms.

LockBit, another major ransomware group, introduced new negotiation guidelines in October 2023, citing suboptimal settlements and excessive discounts granted to victims as a result of affiliates' varied experience levels.

“LockBit suggests affiliates demand a minimum ransom based on the target company's annual revenue, like 3%, with no more than a 50% discount. For instance, if a company earns $100 million annually, the initial ransom should be at least $3 million, with a minimum final payment of $1.5 million,” the LockBit operators stated in an Analyst1 report.
