8Base Ransomware Group

8Base is a ransomware group that first emerged in 2022 but ramped up its operations and refined its methods significantly in 2023. The malware began as a crypto-ransomware but has since evolved to perform multi-extortion in its attacks. The malware is very similar to that of Phobos and related groups; however, there is no known, formal relationship between the different groups.


How Does 8Base Ransomware Act?

Typically, the 8Base malware gains a foothold in target environments via phishing emails or initial access brokers. These are cybercriminals who have gained access to a company’s network by some means — phishing, compromised credentials, vulnerability exploitation, etc. — and sell that access to other cybercriminals on the Dark Web.

Once it has infected a computer, 8Base acts as a double extortion ransomware, both encrypting and stealing data. It begins by enumerating all drives connected to the system and identifying data files within them. These files are then encrypted using AES-256 in CBC mode and have the .8base extension attached to them.

The malware also uses various means to evade detection, add persistence, and protect against data recovery. Some techniques include:

  • Modifying firewall rules to disable Windows Defender Advanced Firewall.
  • Deleting Volume Shadow Copies for encrypted files.
  • Disabling Recovery Mode in the Startup Policy.
  • Adding persistence in the Windows Registry and Startup Folder.
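The recovery-inhibition and persistence behaviours listed above all surface as process-creation events, which makes them a good place to detect 8Base before encryption finishes. The following detector is an added example, not code from the page or from Check Point; the command-line patterns are assumptions about how these actions commonly appear in telemetry such as Sysmon Event ID 1, and the events it scans are constructed:

```python
import re

# Detection rules for the recovery-inhibition and persistence behaviours above.
# Patterns are assumptions about typical command lines; tune to your environment.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("recovery_mode_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("run_key_persistence",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
]

def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def triage(events):
    """events: list of dicts with 'pid', 'image', 'cmdline'.
    Returns (findings, escalate): findings is a list of (pid, rule) hits;
    escalate is True when two or more distinct behaviours appear in one
    batch, which fits ransomware staging far better than routine admin work."""
    findings = [(ev["pid"], name) for ev in events for name in match_rules(ev["cmdline"])]
    return findings, len({name for _, name in findings}) >= 2

# Constructed process-creation events (not telemetry from any real incident).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4133, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4140, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"pid": 4151, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                r" /v Updater /t REG_SZ /d C:\Users\Public\svc.exe"},
    {"pid": 3988, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: enumeration only
    {"pid": 3990, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},  # benign: read-only
]

if __name__ == "__main__":
    hits, escalate = triage(SAMPLE_EVENTS)
    for pid, rule in hits:
        print(f"pid {pid}: {rule}")
    print("escalate:", escalate)
```

Any single hit deserves a look, but the escalation flag is what separates a scheduled shadow-copy cleanup from a host being prepared for encryption.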

In addition to encrypting data, the malware will also attempt to steal it from infected machines. Once data encryption and exfiltration are complete, the malware will present a ransom demand to the owner of the infected device.

After the ransom demand is presented, the company may choose to pay the ransom to restore access to its encrypted files. If it refuses, the double-extortion comes into play: the 8Base ransomware group threatens to expose the sensitive information it has stolen from the company’s systems if the organization continues to withhold payment. Such a data breach can cause significant reputational damage to the organization and may result in regulatory penalties for failing to properly protect customer data.

What Does 8Base Ransomware Target?

The 8Base ransomware group targets companies in various industry verticals, including finance, manufacturing, IT, and healthcare. In general, the targets are small to medium-sized businesses (SMBs) and are primarily located in the United States, Brazil, and the United Kingdom.

How to Protect Against 8Base Ransomware

A ransomware attack can be damaging and expensive for an organization. Some best practices for protecting against 8Base and other ransomware attacks include the following:


  • Employee Security Training: The 8Base ransomware group is known to use phishing emails as one of its primary infection vectors. Training employees to spot and properly respond to common phishing threats can help reduce the risk that they pose to the business.
  • Anti-Ransomware Solutions: Anti-ransomware solutions can use behavioral analysis and signature detection to identify and block likely ransomware infections on a device. For example, ransomware opens and modifies many files during the encryption process, which is an unusual and likely malicious behavior that endpoint security solutions can use as a potential indicator of compromise (IoC).
  • Data Backups: 8Base is a double-extortion ransomware variant, meaning that it both encrypts and steals data. Having data backups in place provides the organization with the option to restore encrypted data from backups, rather than paying for the decryption key.
  • Zero-Trust Security: 8Base and other ransomware variants need to be able to access high-value data in order to encrypt or steal it. Implementing zero-trust security — based on the principle of least privilege — reduces the likelihood that the malware can gain the access that it needs without detection.
  • Strong User Authentication: Ransomware may use weak or compromised passwords to gain access to user accounts, as well as their associated permissions. Implementing multi-factor authentication (MFA) can prevent this method of gaining initial access or privilege elevation within a company’s systems.
  • Network Segmentation: Ransomware may need to travel through an organization’s network from its point of initial infection to databases and other high-value targets. Network segmentation makes this more difficult by isolating critical systems from employee workstations and making it easier for the organization to implement and enforce zero-trust access controls.
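The behavioral signal mentioned under Anti-Ransomware Solutions, one process modifying an unusual number of files in a short time, can be checked directly against file-activity telemetry, and the .8base extension the article reports gives a second, cheaper signal to correlate with it. The detector below is an added example, not code from the page or from Check Point; the window size, threshold, event format and sample telemetry are all assumptions:

```python
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10           # sliding window over which a process's file changes are counted
BURST_THRESHOLD = 20          # changes inside the window that count as an encryption-like burst
MARKER_EXTENSIONS = {".8base"}  # extension 8Base appends; assumed list, extend as needed

def detect_encryption_bursts(events):
    """events: iterable of (ts_seconds, pid, op, path) sorted by timestamp.
    Returns {pid: {"count": n, "marker_hits": m}} for every process that
    breaches BURST_THRESHOLD; marker_hits counts files that received a known
    ransomware extension, so an analyst can see both signals side by side."""
    window = defaultdict(deque)      # pid -> timestamps still inside the window
    marker_hits = defaultdict(int)
    alerts = {}
    for ts, pid, op, path in events:
        if op not in ("write", "rename"):
            continue                  # reads and deletes are not counted here
        q = window[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()               # drop timestamps that fell out of the window
        if os.path.splitext(path)[1].lower() in MARKER_EXTENSIONS:
            marker_hits[pid] += 1
        if len(q) >= BURST_THRESHOLD:
            alerts[pid] = {"count": len(q), "marker_hits": marker_hits[pid]}
    return alerts

# Constructed telemetry (not real data): a backup agent touching a few files
# slowly, and an unknown process renaming many documents to .8base in seconds.
SAMPLE_EVENTS = sorted(
    [(i * 2.0, 501, "write", f"D:\\backup\\vol{i}.bak") for i in range(5)]
    + [(30 + i * 0.1, 777, "rename", f"C:\\Users\\a\\Docs\\file{i}.docx.8base") for i in range(25)]
    + [(31.0, 777, "write", "C:\\Users\\a\\Docs\\info.txt")]
)

if __name__ == "__main__":
    for pid, info in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {info['count']} changes in {WINDOW_SECONDS}s, "
              f"{info['marker_hits']} given a known ransomware extension")
```

The rate check catches variants that use a different or no extension, while the marker count turns an otherwise noisy burst alert into a high-confidence one.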

Prevent Ransomware Attacks with Check Point

Prevention is the only effective means of managing the ransomware threat. Once ransomware has begun encrypting or exfiltrating data, the damage has already been done. To learn more about how to prevent ransomware attacks and eliminate their potential cost to the organization, check out the CISO’s Guide to Ransomware Prevention.

Check Point’s Harmony Endpoint offers protection against a wide range of endpoint security threats. This includes robust anti-ransomware protection as well as detecting and blocking a wide range of other types of malware. To learn more about Harmony Endpoint and what it can do for your company, sign up for a free demo today.
