The 8Base ransomware group has recently upgraded its tactics by deploying a new variant of the notorious Phobos ransomware alongside other readily available tools.
Based on reports, 8Base ransomware activity has surged in the past few months, especially between May and June. Experts believe these campaigns will continue to grow, since the attackers constantly adopt new tactics and tools.
The 8Base group has leveraged various malicious tools to propagate the Phobos ransomware.
Studies show that the sophisticated distribution process employed by the 8Base group involves using the SmokeLoader trojan to spread the new Phobos ransomware variant.
This malware employs a three-stage payload decryption process, obscuring its execution flow with numerous random API calls in the first stage. The second stage places shellcode in allocated memory, and the third stage reveals the binary. This binary is a copy of the Windows Portable Executable (PE) data that yields the final payload in its original form.
Researchers have identified key features that set the new Phobos ransomware variant apart from its predecessors. Unlike versions released after 2019, this variant uses the AES-256 algorithm with random symmetric keys to encrypt files on victims’ systems.
In addition, it contains functionality that allows the attackers to establish persistence, run rapid encryption, and remove backups and shadow copies on the infected device. The malware also has advanced features, such as a .NET profiler DLL loading vulnerability, API calls, and Cyrillic language, that could improve its ability to bypass security detections.
On the other hand, a separate investigation claimed that Phobos appears to be closely managed by a central authority that controls its private encryption key. Currently, the malware developers sell the variant to other affiliates as a Ransomware-as-a-Service (RaaS).
As the 8Base group continues to adopt the new Phobos variants, organisations should employ the latest Indicators of Compromise (IOCs) associated with the ransomware to mitigate its effects.
In conclusion, the evolution of ransomware threats, shown by the 8Base group’s deployment of an advanced Phobos variant, indicates that organisations should also invest in stronger cybersecurity measures.