FortiGuard Labs highlights 8base, a Windows-targeted ransomware variant likely based on Phobos, delivered via SmokeLoader and featuring data exfiltration and high ransom demands. The write-up covers infection vectors, victimology, encryption behavior, variant updates, and Fortinet defenses and guidance. Hashtags: #8base #SmokeLoader #Phobos #Fortinet #FortiGuard #FortiRecon #Tor
Key points
- 8base is a Windows-targeted, financially motivated ransomware variant first appearing in May 2023 and likely based on Phobos.
- Infection vector includes SmokeLoader delivering 8base, with specific samples cited as delivery evidence.
- Victimology shows multiple industry verticals affected, with the US leading in victim country distribution.
- After execution, 8base searches for files to encrypt, skips certain system files and folders, and terminates several processes to facilitate encryption.
- The ransomware uses AES for encryption, appends a unique extension containing the victim ID and attacker contact, and performs selective encryption behavior (full vs. partial based on file size).
- A newer C-based variant (Nov 2023) adds a longer ransom note and a different file extension for encrypted files, plus TOR data leak site involvement.
- Data leakage and exfiltration are described via a TOR site and multiple file storage/sharing services, indicating public-facing data theft alongside encryption.
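The extension behaviour described above (a victim ID plus the attacker's contact address, ending in ".8base") lends itself to a quick filename triage during response. The following is an added example, not code from FortiGuard Labs or the original write-up; the exact `.id[...].[...]` layout of the appended extension is an assumption borrowed from the Phobos lineage the page attributes 8base to, and the sample listing and contact addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed file-server listing, as a responder might export it. The bracketed
# layout is an assumption: the page only states that the extension carries the
# victim ID and the attacker's contact email and ends in ".8base".
SAMPLE_LISTING = [
    "Q3-forecast.xlsx.id[ABCD1234-3483].[contact@example.invalid].8base",
    "board-minutes.docx.id[ABCD1234-3483].[contact@example.invalid].8base",
    "logo.png",
    "payroll.csv.id[FFFF0000-1111].[second@example.invalid].8base",
    "notes.txt.8base",  # extension present but without the embedded fields
]

# Victim ID in the first bracket, an email-shaped token in the second, then .8base
EXT_RE = re.compile(
    r"\.id\[(?P<victim>[^\]]+)\]\.\[(?P<contact>[^\]@\s]+@[^\]\s]+)\]\.8base$"
)

@dataclass(frozen=True)
class Hit:
    original_name: str  # the filename before the ransomware extension was appended
    victim_id: str
    contact: str

def classify(name):
    """Return a Hit for a name carrying the full 8base extension, else None."""
    m = EXT_RE.search(name)
    if not m:
        return None
    return Hit(name[: m.start()], m.group("victim"), m.group("contact"))

def triage(listing):
    """Group encrypted files by contact address and victim ID; keep bare .8base
    names apart so a truncated or differently formatted extension is not lost."""
    hits, bare = [], []
    for name in listing:
        h = classify(name)
        if h:
            hits.append(h)
        elif name.endswith(".8base"):
            bare.append(name)
    return {
        "hits": hits,
        "bare_extension": bare,
        "contacts": Counter(h.contact for h in hits),
        "victim_ids": Counter(h.victim_id for h in hits),
    }
```

More than one victim ID or contact address in a single environment usually points to repeated intrusions or several affected hosts, which is worth knowing before scoping recovery.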
MITRE Techniques
- [T1105] Ingress Tool Transfer – Delivery of the 8base ransomware via SmokeLoader: “FortiGuard Labs has observed SmokeLoader variants delivering the 8base ransomware.”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files (AES) and appends an attacker-specific extension: “The ransomware then uses AES to encrypt any target files discovered and adds a file extension that includes the attacker’s contact email address … .8base.”
- [T1562.001] Impair Defenses – The ransomware kills multiple processes before encrypting files to ensure files can be encrypted: “Killing these processes ensures that any files open in them … will be closed so the ransomware can encrypt them.”
- [T1567.002] Exfiltration to Cloud Storage – Exfiltration of stolen data via TOR and file storage/sharing services: “The stolen information was released through various file storage/sharing services such as Gofile, Pixeldrain, files.dp.ua, AnonFiles, Anonym File, and Mega.”
Indicators of Compromise
- [File Hashes] 8base ransomware file IOCs – 30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971, 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f, and 2 more hashes
- [File Hashes] SmokeLoader file IOCs – bab3c87cac6db1700f0a0babaa31f5cd544961d1b9ec03fd8bcdeff837fc9755, ea6adefdd2be00d0c7072a9abe188ba9b0c9a75fa57f13a654caeaaf4c3f5fbc
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base