Ransomware Roundup – 8base | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the 8base ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

8base Ransomware Overview

8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per our FortiRecon information, the 8base ransomware first appeared in May 2023.

Infection Vector

FortiGuard Labs has observed SmokeLoader variants delivering the 8base ransomware. Such SmokeLoader samples include bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755 and ea6adefdd2be00d0c7072a9abe188ba9b0c9a75fa57f13a654caeaaf4c3f5fbc. The 8base ransomware may also rely on other distribution methods.

Victimology

According to data collected through Fortinet’s FortiRecon service, the 8base ransomware has targeted multiple industry verticals (Figure 2). The ransomware most impacted business services, followed by the manufacturing and construction sectors.

When victim organizations are ranked according to country (Figure 3), the United States leads by a wide margin.

8base Ransomware Attack Method

Once the ransomware is executed, it looks for files to encrypt. It skips files if the filename contains one of the following strings:

info.hta (ransom note)

info.txt (ransom note)

boot.ini

bootfont.bin

ntldr

ntdetect.com

io.sys

recov

It also avoids the following folders:

  • C:Windows
  • C:ProgramDataMicrosoftWindowsCaches

The ransomware avoids encrypting files inside the Caches folder, most likely because doing so may lead to software problems.

It also tries to kill the following processes before encrypting files:

msftesql.exe

sqlagent.exe

sqlbrowser.exe

sqlservr.exe

sqlwriter.exe

oracle.exe

ocssd.exe

dbsnmp.exe

synctime.exe

agntsvc.exe

mydesktopqos.exe

isqlplussvc.exe

xfssvccon.exe

mydesktopservice.exe

ocautoupds.exe

agntsvc.exe

agntsvc.exe

agntsvc.exe

encsvc.exe

firefoxconfig.exe

tbirdconfig.exe

ocomm.exe

mysqld.exe

mysqld-nt.exe

mysqld-opt.exe

dbeng50.exe

sqbcoreservice.exe

excel.exe

infopath.exe

msaccess.exe

mspub.exe

onenote.exe

outlook.exe

powerpnt.exe

steam.exe

thebat.exe

thebat64.exe

thunderbird.exe

visio.exe

winword.exe

wordpad.exe

Killing these processes ensures that any files open in them, such as MS Office files, will be closed so the ransomware can encrypt them.

The 8base ransomware also checks for file size, with a threshold set at 1.5MB. The ransomware fully encrypts files smaller than 1.5MB. On the other hand, it partially encrypts files larger than 1.5MB, most likely to increase the encryption speed. The encryption speed is often a subject of competition among ransomware developers because they want to encrypt as many files as possible before the victim becomes aware of the infection. To elaborate a bit, the ransomware injects blocks comprised of 0x40000 null bytes into various parts of the final output/encrypted file, starting at the beginning of the file. It also encrypts the last 0xC0000 bytes (with additional encrypted metadata) and may leave other parts of the file unencrypted.

The ransomware then uses AES to encrypt any target files discovered and adds a file extension that includes the attacker’s contact email address “.id[unique ID assigned to the victim].[removed@rexsdata.pro].8base”.

In the middle of November 2023, we came across a different version of the 8base ransomware (SHA2: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f). This variant is written in C instead of the .NET used in older variants. This recent 8base ransomware variant excludes the same files and folders from file encryption, but after encrypting files, it displays a significantly longer ransom note than the one used in the .NET variants. The ransom note includes a contact email address and a TOR data leak site address not included in previous ransom notes. It also adds a new file extension to the files it encrypts, “.id[unique ID assigned to the victim].[recovery8files@(removed).org].8base”.

Data Leak Site

The 8base ransomware group owns a TOR site where victims can contact the threat actor. The stolen information was released through various file storage/sharing services such as Gofile, Pixeldrain, files.dp.ua, AnonFiles, Anonym File, and Mega.

The 8base ransomware TOR site includes a victim list, contact form, FAQ, and terms of service.

Fortinet Protections

Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the 8base ransomware samples with the following AV signatures:

  • MSIL/Agent.LVF01F!tr
  • MSIL/Agent.MZV!tr.dldr
  • MSIL/Agent.OBG!tr
  • MSIL/Agent.OXE!tr.dldr
  • MSIL/Agent.PJK!tr.dldr
  • MSIL/Agent.POB!tr.dldr
  • MSIL/Agent.POG!tr.dldr
  • MSIL/Agent.POQ!tr.dldr
  • MSIL/Agent.PQI!tr.dldr
  • MSIL/Agent.PQW!tr.dldr
  • MSIL/Agent.PRI!tr.dldr
  • MSIL/Agent.PSL!tr.dldr
  • MSIL/Generik.BZNYUMT!tr
  • MSIL/GenKryptik.GFFH!tr
  • MSIL/GenKryptik.GJPU
  • MSIL/GenKryptik.GLEY!tr
  • MSIL/GenKryptik.GMQR!tr
  • MSIL/GenKryptik.GPJK!tr
  • MSIL/Kryptik.AJEE!tr
  • MSIL/Kryptik.AJJC!tr
  • MSIL/Kryptik.AJOO!tr
  • MSIL/Kryptik.AJOW!tr.ransom
  • MSIL/Kryptik.AJPE!tr
  • MSIL/Kryptik.AJPT!tr
  • MSIL/Kryptik.AJTY!tr
  • MSIL/Kryptik.AJVN!tr
  • MSIL/Kryptik.AJWN!tr
  • MSIL/Kryptik.AJWZ!tr
  • MSIL/Kryptik.BMG!tr
  • W32/FilecoderPhobos.C!tr.ransom
  • W32/GenKryptik.ERHN!tr
  • W32/Kryptik.HTXE!tr
  • W32/Kryptik.HUBC!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

8base Ransomware File IOCs

SHA2

30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971

45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f

b3725e7f3a53ea398fd0136e63c9c11d8c1addc778eece2ce1ac2ca2fc9cd238

c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec

4e4c154f0500990e897ca9650eafd3c6255ba4df3b4bc620c6ba27b718278392

159fa561bf9069418c5b2a33525ee12b16385f96680890a285d401b9f6781643

7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8

482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52

49699985414185b85cdf0a0292dfd1fb0e7b0b4925daa165351efed6e348335a

2cfd30a7982b90be60f83fe5f4132999ac50d0d63d9681d8d50c3c8271faa34b

8f60d17bbaefd66fe94d34ea3262a1e94b0f8f0702c437d19d3e292c72f1cedc

274c6ea98df4de5fc99661b0af876c3556c8a9125697efa3cbdc6fa81b80395d

427ac2bb816309c11b12c895787c862017d5725ed7de137b5eb10c03e89c0b8c

518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

88f6a6455f92255a189526e36aeb581c95c28dc5e26357e7667f871444a336ba

fa620f37539b2c7e53d4c06de1b680d0eab5c3a5280b89d1700e014bfd320519

b3e80316dc1e01af60bcea7218ab5ebfe81432643d29ab46b22e3b11658606d5

03666df8dd1cd6f9e05e28a0660223d514351e05a8c61179f59e9e2c5e10d471

4fd3f6a16bccb7c9d4631241b6f8ebe58515fa2c593e4c938939492615869432

8c46f85644793051b8966d2edeeccdb8416aa04289dc0803d8da90fe6c98014c

abc4e3744b5a6b6ca367b81dabc9ff13d509d0bb5b4be6daa7d5419c57e5ea4b

2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

01b2ec8085dace807c190f3f26d5e5ce45be0c0ecbd9c944303a36f323272226

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

f595f91a9966808cc85d11981e66e98043af9aeaaaa3893ef058b9a79c474f17

aedbddbf7494baaaf759a720d9cd17540d3c171b9cc52a02e0ef9a592bd9cd63

698b2a9cf9ce16f1cb5cff4576e902888cb14db7414b8e6ac4eb728f8c87d209

9f67b6057e5b5dc4b2ec3b370ca3062e0bed91a934b227911af2a3de17164ee5

2673be0eb2cc75805d67cc5876b98cbbe330c73a223be23fb3b41eb447ccd1c9

3a6cfcbf9ef082d94b7a8a0050f42761e115aa3b6ff26edb6c7daf4437fe9917

0867a5d4559cb7084765944e5ab71c67629e90a5fa15e66b7b3d47059c76cb78

33c861023479ddcaea82f2daee9d0394f304d0c33ba210f4c3c53a93cf9a474c

71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

bcdf23bb2e1635cb6639895094f7115af7bc9d07f276507af291cd9b7124e135

a1ee84c3183521e345b17502b38621201ff6edb86db81debec25d58dec5ad96c

667dfdc8b8527599735d93ba94d5e9a30442db7c9e780f103fea07172ee8c740

6e591d4815d6e7ec082696f002c843c6d9155e944a99cdd7dab3db372db6a877

d26de80e8b561adcf33ab3f2fe29f22c6eaddfbe247dcf9028463214e0f87e90

54b3641fc695438be989a08a9dca9f2a5d1ed9d538cb83cb597a17480d580c39

eb24adb38f36113fe71f942596c355afd59a2e83a0663daf32ae9bb30059732c

db85c5455b1adee337cf5b6728a9a4776e3645e50d0bf7ff410e34bb710cc42a

c68d9dcd8a3038bfe7c6c008149c8792b6033e6249286e4692e16dcb2bd90d41

05c29b528fccf8c2793663a6725c9bf680944ffa6a26129d7aaafd1980bd034c

a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb

9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c

91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

d0604a3864899ac9bf0a07e47330b62a3e76b61335d6dac2e9b5a796b9fcc164

d560b84be808a9a324b995a05686237d645248369ce04069350d5b5d979d8365

fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623d

25d4ec23c3618c7bdbef717c9ded9f7da560b3eb13d8d20f958fe3fbe5a1e37b

97a4d094f86b757b3fb0e189f2843a7af8d0ec43f9805214e89992528e83b5d7

f709d1f84e4f0a845ebb4a9fb1500aa2a9fd600e97cbea32ffc3e49c1084f467

a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd

8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198

454f9058a9fd9c266782389850d6142a0d04ce9d8042bc069ccd8d90d60be6d5

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964

3cb4c0f6430f5216818c3438a18c96e7dcf5080129c9eea3f50735811c3e85eb

9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf

681f180735ec833997bea4eb26c58f9c2e39980cd0a351e0b5cd99c502b33ae8

917f2b461c860f2ee8aed1147094b9273931bb9ee8040d609a485ec150dc3ec0

9f40b69060a52731107baec84a0c0f8a1bfc1a62e8471b9cd69509aade9cb7f1

d4cb20dba15d88c38c35be69fe04538b4f9bb0a12edb51ff23c0171b584edf08

f9805be70bc5c750e01a82742a66e6ffa9ade0ba2f80a97cadbb8fcaeb60dda7

4b891c6c3520d1d81e083f72d7ee9c92870ac6633f1f8419b2f50b4f90681ed6

78732997a6c9d975b97da85fc511533d44083a9f9da60dae8393274a59b7bfce

e98c033e303e64af465b7d41d779a3780708c97822a6ebb7cf6ff3db64bc3416

2a50a42d3c44e6e3890a53228cb84f6fdb17e38b31422c68b8634a06d36cc324

104032d8993555a84679746069ad1f8c1365c4a27eaeec732fda76aa62da005a

96a3909ca8917c14a7bd36839dd5abf5c9df9f69b314158e0110365113acf4bb

356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716

15c9373bc7a1cc990d6caa0f3262f6c4adeff93337f642f752b64947ae50cec9

3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

45dcbfbb139c81af47b6953482c2d146f5192054c29a2343019e6f1d30912ff4

6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

505bc570566804139166c0f12ea773d1c459682cc13cfca823b2ddfbd48cd2e2

00e6061a54e469f6c957eda96a0267efded5f8a6a8d4006ea74ded74df5eb703

32b815ce14e6606e53b1ddaf39900c91f126e1d9ce9c5cab2fe825d6b2fa74d9

f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

872ee36c064f5d9e7df3e5495c7de6aba4b26856556ba2ac124cdbb02693aa02

52661e5c4f8503541a5f361cfa8e4518f852907365e23fdfcc8472fea67df12b

408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

8113218903975b81b22049796f201e06638595d2f6fadd82da06817bfbce85d7

281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290

c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30

89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953

SmokeLoader File IOCs

SHA2

bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755

ea6adefdd2be00d0c7072a9abe188ba9b0c9a75fa57f13a654caeaaf4c3f5fbc

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.

Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base