8base is one of the most active ransomware groups. This summer the group focused on small and medium-sized companies. Because of low security budgets and more gaps in their cybersecurity, SMEs often fall victim to attackers quickly.
8base first appeared on the scene in March 2022, and since June 2023 the group has been more active than ever before. It is therefore important to act now and protect yourself against an attack by the criminals, says Anish Bogati, Security Research Engineer at Logpoint.
An explosive mixture
In general, SMBs are more likely to struggle with low security budgets and cybersecurity deficiencies, a dangerous cocktail when a ransomware group like 8base targets them. Small and medium-sized businesses in particular must therefore familiarize themselves with the threat posed by 8base and, more importantly, strengthen their security measures to protect against it. Understanding the attacker is the key to developing better defense strategies.
Logpoint's research uncovered the 8base infection chain through malware analysis. 8base uses multiple malware families to achieve its goals, including SmokeLoader and SystemBC, in addition to the Phobos ransomware payload. The group primarily gains initial access via phishing emails and uses the Windows Command Shell (cmd.exe) and PowerShell to execute the payload. The attackers use several techniques to maintain persistence on the system, bypass defenses and achieve their goals.
The necessary prevention
It is essential that security teams are able to detect 8base activity in their own environment promptly. This includes suspicious child processes started by Microsoft Office products, such as executing files via WScript or CScript or creating scheduled tasks. Knowing the relevant Indicators of Compromise (IoCs) and the attackers' Tactics, Techniques and Procedures (TTPs) helps SMEs proactively detect and thwart, or at least mitigate, suspicious activity related to 8base.
The key tools for a robust cybersecurity strategy in this case are proper logging, asset visibility and strict monitoring. These components help keep track of the network and detect anomalies such as files being dropped into publicly writable folders, changes to registry values, and suspicious scheduled tasks that may indicate a threat like 8base. Anyone who fails to put these security components in place proactively runs the risk of becoming another entry in the ever-growing list of ransomware victims.
More at Logpoint.com
About Logpoint
Logpoint is a global leader in innovative and intuitive security platforms that enable security teams to detect, investigate and respond to threats faster with a consolidated suite of technologies.