On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the 8base ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High
8base Ransomware Overview
8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per our FortiRecon information, the 8base ransomware first appeared in May 2023.
Figure 1: Observed 8base ransomware incidents (source: FortiRecon)
Infection Vector
FortiGuard Labs has observed SmokeLoader variants delivering the 8base ransomware. Such SmokeLoader samples include bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755 and ea6adefdd2be00d0c7072a9abe188ba9b0c9a75fa57f13a654caeaaf4c3f5fbc. The 8base ransomware may also rely on other distribution methods.
Victimology
According to data collected through Fortinet’s FortiRecon service, the 8base ransomware has targeted multiple industry verticals (Figure 2). The ransomware most impacted business services, followed by the manufacturing and construction sectors.
When victim organizations are ranked according to country (Figure 3), the United States leads by a wide margin.
Figure 2: Top sectors targeted by the 8base ransomware (source: FortiRecon)
Figure 3: Top country victimized by the 8base ransomware (source: FortiRecon)
8base Ransomware Attack Method
Once the ransomware is executed, it looks for files to encrypt. It skips files if the filename contains one of the following strings:
- info.hta (ransom note)
- info.txt (ransom note)
- boot.ini
- bootfont.bin
- ntldr
- ntdetect.com
- io.sys
- recov
It also avoids the following folders:
- C:\Windows
- C:\ProgramData\Microsoft\Windows\Caches
The ransomware avoids encrypting files inside the Caches folder, most likely because doing so may lead to software problems.
It also tries to kill the following processes before encrypting files:
- msftesql.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlservr.exe
- sqlwriter.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- agntsvc.exe
- mydesktopqos.exe
- isqlplussvc.exe
- xfssvccon.exe
- mydesktopservice.exe
- ocautoupds.exe
- agntsvc.exe
- agntsvc.exe
- agntsvc.exe
- encsvc.exe
- firefoxconfig.exe
- tbirdconfig.exe
- ocomm.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- dbeng50.exe
- sqbcoreservice.exe
- excel.exe
- infopath.exe
- msaccess.exe
- mspub.exe
- onenote.exe
- outlook.exe
- powerpnt.exe
- steam.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- visio.exe
- winword.exe
- wordpad.exe
Killing these processes ensures that any files open in them, such as MS Office files, will be closed so the ransomware can encrypt them.
The 8base ransomware also checks each file's size against a threshold of 1.5MB. Files smaller than 1.5MB are fully encrypted, while files larger than 1.5MB are only partially encrypted, most likely to increase encryption speed. Encryption speed is often a point of competition among ransomware developers because they want to encrypt as many files as possible before the victim becomes aware of the infection. For the larger files, the ransomware inserts blocks consisting of 0x40000 null bytes into various parts of the final output/encrypted file, starting at the beginning of the file. It also encrypts the last 0xC0000 bytes (together with additional encrypted metadata) and may leave other parts of the file unencrypted.
Figure 4: File size check done by the 8base ransomware
The ransomware then uses AES to encrypt any target files discovered and adds a file extension that includes the attacker’s contact email address “.id[unique ID assigned to the victim].[removed@rexsdata.pro].8base”.
Figure 5: The 8base ransomware ransom note
Figure 6: Text version of the 8base ransomware ransom note.
In the middle of November 2023, we came across a different version of the 8base ransomware (SHA2: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f). This variant is written in C instead of the .NET used in older variants. This recent 8base ransomware variant excludes the same files and folders from file encryption, but after encrypting files, it displays a significantly longer ransom note than the one used in the .NET variants. The ransom note includes a contact email address and a TOR data leak site address not included in previous ransom notes. It also adds a new file extension to the files it encrypts, “.id[unique ID assigned to the victim].[recovery8files@(removed).org].8base”.
Figure 7: Ransom note displayed by the 8base ransomware variant discovered in November
Figure 8: Text version of the ransomware note dropped by the recent 8base ransomware variant
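As an added example (not FortiGuard's tooling or code from the report), the following Python helper uses the file extension format and the 1.5MB size rule described above to inventory 8base-named files on a mounted disk image for incident triage, recording which files were fully encrypted and which were only partially encrypted. The 1.5 MiB byte boundary and the check for a leading 0x40000 null block are assumptions drawn from the description above; the sample files are constructed.

```python
import os
import re
import tempfile
from collections import namedtuple

# File name format the report gives for both the .NET and the C variant:
#   <original name>.id[<victim id>].[<contact e-mail>].8base
EXT_RE = re.compile(r"^(?P<orig>.+)\.id\[(?P<vid>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.8base$")
FULL_LIMIT = 1536 * 1024  # report says 1.5MB; reading that as 1.5 MiB is an assumption
NULL_BLOCK = 0x40000      # report: null block placed at the start of partially encrypted files

# mode is "full" (size below threshold) or "partial" (at or above it); leading_nulls is a
# corroborating heuristic for "partial": the first 0x40000 bytes of the file are all 0x00.
Triage = namedtuple("Triage", "path original victim_id contact size mode leading_nulls")

def parse_name(name):
    m = EXT_RE.match(name)
    return m.groupdict() if m else None

def triage_file(path):
    """Return a Triage record for an 8base-named file, or None if the name does not match."""
    info = parse_name(os.path.basename(path))
    if info is None:
        return None
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(NULL_BLOCK)
    nulls = len(head) == NULL_BLOCK and head.count(0) == NULL_BLOCK
    mode = "full" if size < FULL_LIMIT else "partial"
    return Triage(path, info["orig"], info["vid"], info["contact"], size, mode, nulls)

def triage_tree(root):
    found = []
    for dirpath, _, names in os.walk(root):  # every 8base-named file under root
        found += [t for t in (triage_file(os.path.join(dirpath, n)) for n in names) if t]
    return sorted(found, key=lambda t: t.path)

def demo():
    """Constructed sample tree (not real samples): one small and one large 'encrypted' file."""
    root = tempfile.mkdtemp()
    tag = ".id[EXAMPLE-1234].[contact@example.invalid].8base"
    with open(os.path.join(root, "budget.xlsx" + tag), "wb") as fh:
        fh.write(os.urandom(4096))                               # small: fully encrypted
    with open(os.path.join(root, "backup.vhd" + tag), "wb") as fh:
        fh.write(b"\x00" * NULL_BLOCK + os.urandom(FULL_LIMIT))  # large: null block first
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"untouched")                                   # not an 8base name: ignored
    return triage_tree(root)
```

Run `triage_tree()` against a read-only mount of the affected volume; the victim id and contact address parsed from the names let you group files by incident, and the partial-encryption records identify files whose unencrypted regions may still hold recoverable data.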
Data Leak Site
The 8base ransomware group owns a TOR site where victims can contact the threat actor. The stolen information was released through various file storage/sharing services such as Gofile, Pixeldrain, files.dp.ua, AnonFiles, Anonym File, and Mega.
The 8base ransomware TOR site includes a victim list, contact form, FAQ, and terms of service.
Figure 9: Top page of the 8base ransomware TOR site
Figure 10: The 8base ransomware TOR site where victims can get in touch with the attacker
Figure 11: FAQ page of the 8base ransomware TOR site
Figure 12: Rules page of the 8base ransomware TOR site
Fortinet Protections
Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:
FortiGuard Labs detects the 8base ransomware samples with the following AV signatures:
- MSIL/Agent.LVF01F!tr
- MSIL/Agent.MZV!tr.dldr
- MSIL/Agent.OBG!tr
- MSIL/Agent.OXE!tr.dldr
- MSIL/Agent.PJK!tr.dldr
- MSIL/Agent.POB!tr.dldr
- MSIL/Agent.POG!tr.dldr
- MSIL/Agent.POQ!tr.dldr
- MSIL/Agent.PQI!tr.dldr
- MSIL/Agent.PQW!tr.dldr
- MSIL/Agent.PRI!tr.dldr
- MSIL/Agent.PSL!tr.dldr
- MSIL/Generik.BZNYUMT!tr
- MSIL/GenKryptik.GFFH!tr
- MSIL/GenKryptik.GJPU
- MSIL/GenKryptik.GLEY!tr
- MSIL/GenKryptik.GMQR!tr
- MSIL/GenKryptik.GPJK!tr
- MSIL/Kryptik.AJEE!tr
- MSIL/Kryptik.AJJC!tr
- MSIL/Kryptik.AJOO!tr
- MSIL/Kryptik.AJOW!tr.ransom
- MSIL/Kryptik.AJPE!tr
- MSIL/Kryptik.AJPT!tr
- MSIL/Kryptik.AJTY!tr
- MSIL/Kryptik.AJVN!tr
- MSIL/Kryptik.AJWN!tr
- MSIL/Kryptik.AJWZ!tr
- MSIL/Kryptik.BMG!tr
- W32/FilecoderPhobos.C!tr.ransom
- W32/GenKryptik.ERHN!tr
- W32/Kryptik.HTXE!tr
- W32/Kryptik.HUBC!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
IOCs
8base Ransomware File IOCs
SmokeLoader File IOCs
SHA2:
- bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755
- ea6adefdd2be00d0c7072a9abe188ba9b0c9a75fa57f13a654caeaaf4c3f5fbc
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
- The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
- Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
FortiRecon is a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts that provides unrivaled threat intelligence on the latest threat actor activity across the dark web, giving a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress, allowing customers to rapidly respond to and shut down active threats.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to an advisory from the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.