8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

November 18, 2023 at 07:00AM

Cisco Talos has discovered that the 8Base ransomware group is using a variant of the Phobos ransomware in its attacks. The malware is distributed through the SmokeLoader backdoor trojan, and the group has been active at least since March 2022. The findings also reveal the methods and characteristics of the ransomware, including its encryption techniques and configuration options. It is believed that Phobos is managed centrally and sold as a ransomware-as-a-service to other affiliates. This comes as another ransomware group, BlackCat, filed a complaint with the SEC against a victim for failing to comply with disclosure regulations.

Key takeaways:

– The 8Base ransomware group is using a variant of the Phobos ransomware for financially motivated attacks.
– Cisco Talos has observed an increase in activity carried out by cybercriminals using Phobos variants.
– The ransomware is distributed through SmokeLoader, a backdoor trojan, which drops or downloads additional payloads when deployed.
– 8Base has been active since at least March 2022 and has similarities to RansomHouse.
– SmokeLoader is used as a launchpad to execute the Phobos payload, which carries out steps to establish persistence, terminate processes, disable system recovery, and delete backups and shadow copies.
– Files below 1.5 MB are fully encrypted, while files above the threshold are partially encrypted to speed up the process.
– The ransomware incorporates a configuration with over 70 options that are encrypted using a hard-coded key, unlocking additional features such as User Account Control (UAC) bypass and reporting victim infection to an external URL.
– A hard-coded RSA key is used to protect the per-file AES key, which could enable decryption of files locked by the ransomware.
– Phobos is an evolution of the Dharma ransomware and is sold as a ransomware-as-a-service (RaaS) to other affiliates.
– A threat actor is advertising a sophisticated ransomware product called UBUD, which features strong anti-detection measures.
– The BlackCat ransomware group has filed a complaint with the SEC, accusing MeridianLink of failing to comply with new disclosure regulations.
– The LockBit ransomware gang has instituted new negotiation rules, setting a minimum ransom request based on the company’s yearly revenue and prohibiting discounts of more than 50%.
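The takeaway about the Phobos payload disabling system recovery and deleting backups and shadow copies is the part of the chain a defender can most readily detect in process-creation telemetry. The following Python is an added example, not Talos code or anything from the article: it scans constructed process-creation events, flags command lines that match the commonly observed recovery-inhibition commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit; the summary does not list the exact commands Phobos runs, so these are assumptions), and raises the confidence when one parent process spawns several distinct categories in sequence. The event format, host name and the parent path `smoke.exe` are all constructed placeholders.

```python
import re
from collections import defaultdict

# Recovery-inhibition command patterns. Assumption: these are the commands
# commonly used to delete shadow copies, delete backup catalogs and disable
# Windows recovery; the article does not state which ones Phobos invokes.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
]

# Constructed sample telemetry (key=value fields separated by '|'); the host,
# paths and the parent binary name are placeholders, not real indicators.
SAMPLE_EVENTS = [
    r"ts=2023-11-18T07:00:01Z|host=WS01|parent=C:\Users\victim\AppData\Local\Temp\smoke.exe|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin.exe delete shadows /all /quiet",
    r"ts=2023-11-18T07:00:02Z|host=WS01|parent=C:\Users\victim\AppData\Local\Temp\smoke.exe|image=C:\Windows\System32\wbadmin.exe|cmd=wbadmin delete catalog -quiet",
    r"ts=2023-11-18T07:00:03Z|host=WS01|parent=C:\Users\victim\AppData\Local\Temp\smoke.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c bcdedit /set {default} recoveryenabled no",
    r"ts=2023-11-18T07:05:00Z|host=WS01|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin.exe list shadows",
    r"ts=2023-11-18T07:06:00Z|host=WS01|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe notes.txt",
]


def parse_event(line):
    """Split one 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(cmdline):
    """Return the set of recovery-inhibition categories a command line matches."""
    return {name for name, pattern in RULES if pattern.search(cmdline)}


def scan_events(lines):
    """Return one hit per matching (event, category): (host, parent, category, cmd)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for category in sorted(classify(cmd)):
            hits.append((ev.get("host", ""), ev.get("parent", ""), category, cmd))
    return hits


def suspicious_parents(hits, min_categories=2):
    """Parents that spawned at least `min_categories` distinct recovery-inhibition
    categories: a single vssadmin call may be an admin, several in a row from
    one dropped binary looks like ransomware staging."""
    seen = defaultdict(set)
    for host, parent, category, _ in hits:
        seen[(host, parent)].add(category)
    return {key: sorted(cats) for key, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for host, parent, category, cmd in found:
        print(f"[{category}] {host} parent={parent} cmd={cmd}")
    for (host, parent), cats in suspicious_parents(found).items():
        print(f"HIGH: {host} {parent} chained {len(cats)} categories: {', '.join(cats)}")
```

Per-event matching alone would page on a legitimate `vssadmin delete shadows` from an administrator; correlating by parent process is what turns three individually explainable commands into a high-confidence alert, and it maps directly onto the launchpad-then-payload sequence the article describes.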

Please note that these takeaways are a summary of the article and may not capture all the details discussed.
