Cisco Talos has found that the threat actors behind the 8Base ransomware attacks are deploying a variant of Phobos ransomware, a notable development in the group's tooling and tactics.
SmokeLoader as a Trojan Horse
Security researcher Guilherme Venere, in a two-part analysis, disclosed that the majority of 8Base's Phobos variants are distributed through SmokeLoader, a notorious backdoor trojan. In a departure from typical SmokeLoader behaviour, 8Base campaigns embed the ransomware component directly in the loader's encrypted payload rather than fetching it as a separate second stage.
Chronicle of 8Base
First thrust into the limelight in mid-2023, 8Base has been active since at least March 2022. A June 2023 analysis by VMware Carbon Black drew parallels with RansomHouse and raised the question of whether 8Base is an offshoot of Phobos or a group that repurposes existing ransomware strains for its own attacks, much as the Vice Society ransomware group does.
SmokeLoader as the Launchpad
Cisco Talos' latest findings detail SmokeLoader's role as the launchpad for the Phobos payload. Once running, the ransomware works through a multi-step routine: it establishes persistence, terminates processes, disables system recovery, and deletes backups and shadow copies, all before encryption starts, which makes these steps a practical detection point. Files smaller than 1.5 MB are encrypted in full, while larger files are encrypted only partially to speed up the overall run.
Intricacies of the Artifact
The 8Base ransomware artifact carries a configuration with more than 70 options, encrypted with a hard-coded key. The configuration enables additional features such as a User Account Control (UAC) bypass and reporting victim infections to an external URL. Each file is encrypted with its own AES key, and that per-file key is in turn protected with a hard-coded RSA public key.
That key hierarchy is also the scheme's weak point: because the same RSA key has been embedded in every Phobos variant since 2019, Venere noted that if the matching private key were ever obtained, it would allow reliable decryption of files encrypted by any of those variants.
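To make the key hierarchy concrete, here is an added example (written for this page, not code from Cisco Talos, 8Base or any Phobos sample) of the envelope scheme described above: a fresh AES key per file, wrapped with a hard-coded RSA public key, with files under the 1.5 MB threshold encrypted in full and larger ones only partially. The partial-encryption layout (encrypt the first 1.5 MB, leave the remainder as-is), the choice of AES-GCM and RSA-OAEP, and the key pair generated at start-up are assumptions for illustration; the page does not describe Phobos's actual file format or cipher modes. The point the code makes is the one Venere raised: the public key embedded in the sample cannot decrypt anything, and recovery depends entirely on the matching private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Threshold quoted in the article: files below it are encrypted in full,
// larger files only partially. Encrypting just the first threshold bytes
// and leaving the rest untouched is an assumed layout for illustration,
// not the layout of any real Phobos sample.
const fullEncryptThreshold = 1536 * 1024 // 1.5 MB

// encryptedFile models one output: the per-file AES key wrapped with the
// RSA public key, the GCM nonce, the encrypted prefix, and (for large
// files) the plaintext tail that was left alone.
type encryptedFile struct {
	wrappedKey []byte
	nonce      []byte
	ciphertext []byte
	tail       []byte
	partial    bool
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile generates a fresh AES-256 key per file and wraps it with the
// embedded RSA public key. Nothing on the encrypting side needs the private key.
func encryptFile(pub *rsa.PublicKey, data []byte) (*encryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	head, tail := data, []byte(nil)
	partial := len(data) >= fullEncryptThreshold
	if partial {
		head, tail = data[:fullEncryptThreshold], data[fullEncryptThreshold:]
	}
	return &encryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, head, nil), tail, partial}, nil
}

// decryptFile is the recovery path: only the holder of the RSA private key
// can unwrap the per-file AES key, so the public key hard-coded in the
// sample is of no use to a victim. A wrong private key fails at the unwrap.
func decryptFile(priv *rsa.PrivateKey, ef *encryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.wrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap per-file key: wrong RSA private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	head, err := gcm.Open(nil, ef.nonce, ef.ciphertext, nil)
	if err != nil {
		return nil, err
	}
	return append(head, ef.tail...), nil
}

func main() {
	// Constructed stand-in for the operator's key pair; a real sample would
	// embed only the public half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for _, size := range []int{4096, fullEncryptThreshold + 4096} {
		data := bytes.Repeat([]byte{0x41}, size) // constructed sample content
		ef, err := encryptFile(&priv.PublicKey, data)
		if err != nil {
			panic(err)
		}
		plain, err := decryptFile(priv, ef)
		if err != nil {
			panic(err)
		}
		fmt.Printf("size=%d partial=%v plaintext_tail=%d roundtrip_ok=%v\n",
			size, ef.partial, len(ef.tail), bytes.Equal(plain, data))
	}
}
```

Run it with `go run`: both files round-trip under the correct private key, and the larger one keeps a plaintext tail past the threshold, which is also why partially encrypted files sometimes retain recoverable fragments of their original content even when the key is unavailable.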
Phobos appears to be centrally managed even though it is peddled as Ransomware-as-a-Service (RaaS): every affiliate's build carries the same RSA public key, and samples differ only in their contact emails and in their extension block lists, which are updated consistently across affiliates.
Insights into Phobos’ Strategy
The extension block lists in the various Phobos samples read like a record of the groups that have used the same base sample over time. A central authority behind the builder appears to monitor and update these lists, most likely so that one affiliate's build skips files already carrying another affiliate's extension, preventing affiliates from encrypting each other's output and keeping each operation running smoothly.
UBUD: The Rise of a Sophisticated Ransomware Player
Meanwhile, a new ransomware family called UBUD has surfaced. Written in C, it incorporates anti-analysis measures designed to detect virtual machines and debugging tools, a reminder that ransomware tooling keeps evolving and that sandboxes and analysis environments need to account for such checks.
Unconventional Tactics in the Face of SEC Disclosure Rules
In an unusual turn, the BlackCat ransomware group filed a formal complaint with the U.S. Securities and Exchange Commission (SEC) alleging that one of its victims, MeridianLink, had failed to comply with the SEC's new disclosure rules, which require companies to report material cyber incidents within four business days. The tactic is premature, since those rules only take effect on December 18, but it signals a bold attempt by threat actors to pressure victims and expedite ransom payments.
LockBit’s Strategic Shift: Ransom Negotiation Reforms
Adding another layer to the ransomware saga, the LockBit gang has enforced new negotiation rules since October 2023. Citing settlements it considers too low and affiliates granting discounts that vary with their experience, LockBit now requires a minimum ransom demand tied to the victim company's yearly revenue, standardizing demands according to the financial size of the targeted organization.