HC3 alerts healthcare sector to the risks posed by 8Base ransomware group

Following the recent attack on a U.S.-based medical facility last month, the U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note cautioning the healthcare and public health (HPH) sector on the potential threat of the 8Base ransomware gang. The group has been active since March 2022, but its activity has significantly increased in 2023, with a focus on indiscriminate targeting across multiple sectors in the U.S.

The agency also identified that the surge in operational activity has included the group’s involvement in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups, primarily targeting small- to medium-sized companies. It also detailed similarities between 8Base and other ransomware gangs, though the group’s identity, methods, and motivations remain largely unknown. 

Also known as EightBase and 8BaseRansomware, “8Base is not a ransomware operation, but a data-extortion cybercrime operation. They quickly became a notorious actor on the cyber threat landscape due to the significant number of victims claimed on their data leak site,” the HC3 said in its Wednesday analyst note. “While operating largely under the radar for the past year, 8Base resurfaced and was attributed to a massive spike in activity in May and June 2023. Notably, 8Base, alongside Cl0p and LockBit, were responsible for 48% of all recorded cyberattacks in July 2023 alone.”

It added that on its leak site, the ransomware gang describes itself as ‘…honest and simple pentesters. We offer companies the most loyal conditions for the return of their data.’ The group claims to only target companies that have neglected the privacy and importance of the data of their employees and customers. Despite its aggressive portfolio of victims, the origins of the group and the identities of the operators remain a mystery.

HC3 noted that cybersecurity researchers state that the speed and efficiency of the group’s current operations do not indicate the start of a new group, but rather signify the ‘continuation of a well-established, mature organization.’

Based on its known attacks, 8Base mostly targets SMB (small and medium business) companies based in the U.S., Brazil, and the United Kingdom. Other affected countries include Australia, Germany, Canada, and China, amongst others. Notably, no ex-Soviet or CIS countries have been targeted. While no known correlation to Russia or other Russian-speaking RaaS groups or affiliates exists, this geographic exclusionary pattern is a hallmark of many Russian-speaking threat actors.

The HC3 added that companies in the manufacturing, construction, finance and insurance, and healthcare industries also appear to be heavily affected.

“The leak site associated with this ransomware group contains posts that can be traced back to March 2022, indicating that the group has potentially been active for at least a year without publicly disclosing its victims,” the HC3 note identified. “It is worth noting that the group’s Telegram channel was only created in May 2023, suggesting that they may have recently started to publicly disclose their victims. Since their first known activity back in March 2022, the group remained relatively quiet, with few notable attacks. However, in June 2023, the ransomware operation saw a sharp increase in activity, targeting many companies in various industries, including the HPH sector.”

Some aspects of 8Base’s current operations resemble previous ransomware attacks, specifically incidents involving the threat actors RansomHouse and Phobos, HC3 identified. “Like 8Base, it is unknown whether RansomHouse is a ransomware group or a data-extortion cybercrime operation. This enigmatic and alleged group is known for buying already-leaked data, partnering with data leak sites, and extorting companies for money.”

The note added that based on 8Base’s leak site and public accounts (including a Telegram channel and a now-defunct Twitter handle), along with the group’s communications, cybersecurity researchers posit that the group’s syntax resembles that of RansomHouse.

“The first similarity was identified by cybersecurity researchers during a ransom note comparison project utilizing Natural Language Processing model Doc2Vec,” HC3 disclosed. “Doc2Vec is an unsupervised machine learning algorithm that converts documents to vectors and can be used to identify similarities in documents. During this analysis, the ransom notes of 8Base had a 99% match with the RansomHouse ransom note. Interestingly, a second ransom note of 8Base also matched that of the threat group, Phobos.” 

The second similarity pertained to both groups’ respective leak sites. The verbiage is copied word for word from RansomHouse’s welcome page to 8Base’s welcome page, the agency identified. “This was the case for their Terms of Service and FAQ pages as well. Despite the similarity between the two, it is unknown whether 8Base is an offshoot of RansomHouse or merely a copycat.”
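The two comparisons above (ransom notes scored with Doc2Vec, and leak-site pages found to be copied verbatim) are both instances of document-similarity scoring used for attribution. The following is an added example, not code from HC3 or from the researchers the note cites: instead of Doc2Vec it embeds each text as a plain term-count vector and ranks candidates by cosine similarity, which is enough to show how a near-verbatim copy scores against unrelated text. The "family_a"/"family_b" names and every note text are constructed placeholders, not real ransom notes.

```python
"""Bag-of-words cosine similarity between documents (stand-in for Doc2Vec)."""
from __future__ import annotations

import math
import re
from collections import Counter


def tokenize(text: str) -> list[str]:
    """Lower-case and split on non-alphanumerics so punctuation differences do not count."""
    return re.findall(r"[a-z0-9']+", text.lower())


def vectorize(text: str) -> Counter:
    """Term-frequency vector of one document."""
    return Counter(tokenize(text))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse term-count vectors; 0.0 when either is empty."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def rank_matches(unknown: str, corpus: dict[str, str]) -> list[tuple[str, float]]:
    """Score an unattributed document against known-family documents, best match first."""
    u = vectorize(unknown)
    scored = [(name, cosine(u, vectorize(text))) for name, text in corpus.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


# Constructed placeholder notes keyed by hypothetical family name.
KNOWN_NOTES = {
    "family_a": ("Your files have been encrypted. To restore them contact us by email. "
                 "We offer the most loyal conditions for the return of your data."),
    "family_b": ("All your documents were locked by our software. "
                 "Write to us on the site to buy the decryption tool."),
}

# Constructed "unknown" note: family_a's wording with a single word swapped.
UNKNOWN_NOTE = ("Your files have been encrypted. To restore them contact us by email. "
                "We offer the most loyal terms for the return of your data.")

if __name__ == "__main__":
    for name, score in rank_matches(UNKNOWN_NOTE, KNOWN_NOTES):
        print(f"{name}: {score:.3f}")
```

Term counts ignore word order, so a real comparison project would use Doc2Vec or a similar embedding to catch paraphrases; the point of this version is that a copied page scores near 1.0 and an unrelated page well below, which is the signal the researchers relied on.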

“When searching for a sample of ransomware used by 8Base, a Phobos sample using a ‘[dot]8base’ file extension on encrypted files was recovered by cybersecurity researchers,” according to the HC3 analyst note. “Comparison of Phobos to the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware.” 

The HC3 said that 8Base ransomware payloads will enumerate available local drives, encrypting standard data file extensions rapidly and efficiently using AES256 in CBC mode. “Any attached share or drive volume will be subject to the encryption process. Once encrypted, files will have the .8base extension appended to them, at times accompanied by the victim ID and attacker email address,” it added. 

The agency said that detecting 8Base ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. Organizations must use anti-malware software or other security tools capable of detecting and blocking known ransomware variants, monitor network traffic and look for indicators of compromise, and conduct regular security audits and assessments to identify network and system vulnerabilities. They must also educate and train employees on cybersecurity best practices, and implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack. 
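Two concrete observables in the payload description above lend themselves to host-side detection: encrypted files receive a .8base extension (sometimes with a victim ID and attacker e-mail in the name), and the encryption pass sweeps every reachable drive and share quickly. The following is an added example, not HC3's code and not taken from any product, that applies both checks to file-rename events. The log line format, the bracketed "id[...].[email]" suffix shape, the function names and the sample events are all assumptions constructed for this example.

```python
"""Flag .8base renames and per-process encryption bursts in constructed file-event logs."""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed log format: "<ts> host=<h> pid=<n> proc=<name> op=<OP> src=<path> dst=<path>".
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) src=(?P<src>.+?) dst=(?P<dst>.+)$"
)
# Assumed suffix shape for the "victim ID and attacker email" variant named in the note.
MARKER_RE = re.compile(
    r"\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.8base$", re.IGNORECASE
)


def parse_event(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_8base_rename(ev: dict) -> bool:
    """A rename whose destination carries the .8base extension is an indicator on its own."""
    return ev["op"] == "RENAME" and ev["dst"].lower().endswith(".8base")


def extract_markers(path: str) -> tuple[str, str] | None:
    """Return (victim_id, email) when the name carries the bracketed markers, else None."""
    m = MARKER_RE.search(path)
    return (m["victim_id"], m["email"]) if m else None


def volume_of(path: str) -> str | None:
    """Drive letter for local paths, \\server\share for UNC paths (assumed Windows paths)."""
    m = re.match(r"^(\\\\[^\\]+\\[^\\]+)|^([A-Za-z]:)", path)
    return (m.group(1) or m.group(2)) if m else None


def detect(lines: list[str], burst_threshold: int = 3) -> tuple[list[dict], list[dict]]:
    """Return (flagged events, per-process bursts touching burst_threshold or more files)."""
    flagged: list[dict] = []
    per_process: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_8base_rename(ev):
            continue
        ev["markers"] = extract_markers(ev["dst"])
        flagged.append(ev)
        per_process[(ev["host"], ev["pid"])].append(ev)
    bursts = [
        {"host": h, "pid": p, "proc": evs[0]["proc"], "count": len(evs),
         "volumes": sorted({v for v in (volume_of(e["dst"]) for e in evs) if v})}
        for (h, p), evs in per_process.items()
        if len(evs) >= burst_threshold
    ]
    return flagged, bursts


# Constructed sample events: one process renaming files across C:, D: and a share,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    r"2023-10-25T10:00:01Z host=ws01 pid=4120 proc=sample.exe op=RENAME src=C:\Users\alice\Documents\report.docx dst=C:\Users\alice\Documents\report.docx.id[ABCD1234-3456].[contact@example.invalid].8base",
    r"2023-10-25T10:00:01Z host=ws01 pid=4120 proc=sample.exe op=RENAME src=C:\Users\alice\Documents\budget.xlsx dst=C:\Users\alice\Documents\budget.xlsx.8base",
    r"2023-10-25T10:00:02Z host=ws01 pid=4120 proc=sample.exe op=RENAME src=D:\backup\db.bak dst=D:\backup\db.bak.id[ABCD1234-3456].[contact@example.invalid].8base",
    r"2023-10-25T10:00:02Z host=ws01 pid=4120 proc=sample.exe op=RENAME src=\\fileserver\share\q3.pptx dst=\\fileserver\share\q3.pptx.id[ABCD1234-3456].[contact@example.invalid].8base",
    r"2023-10-25T10:00:03Z host=ws01 pid=1000 proc=notepad.exe op=RENAME src=C:\Users\alice\notes.tmp dst=C:\Users\alice\notes.txt",
    r"2023-10-25T10:00:04Z host=ws02 pid=2200 proc=explorer.exe op=WRITE src=- dst=C:\Users\bob\memo.8base.txt",
]

if __name__ == "__main__":
    hits, bursts = detect(SAMPLE_EVENTS)
    for ev in hits:
        print("indicator:", ev["host"], ev["pid"], ev["dst"], ev["markers"])
    for b in bursts:
        print("burst:", b)
```

The burst rule groups by host and process with no time window, which is a simplification; a production rule would bound the window to seconds and alert on the rate, and would treat the first rename that touches a network share as the point to isolate the host, since the note says attached shares are encrypted along with local drives. The extension match is the cheap, high-confidence indicator; the burst count is what distinguishes an active encryption pass from a stray file.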

HC3 assesses that 8Base may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary. “Any disruption to an organization’s operations can lead to severe consequences, especially to the HPH sector. Whether it is affiliated to or an off-shoot of other threat actors, 8Base’s focus on data exfiltration instead of file encryption highlights the need to prioritize cyber security best practices and prevent unauthorized access to an organization’s systems and networks,” it added. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) introduced last week a specialized cybersecurity healthcare toolkit that includes resources devised for the sector. The toolkit comes as the two agencies co-hosted a roundtable discussion on the cybersecurity challenges that the HPH sector system faces, and how government and industry can work together to close the gaps in resources and cyber capabilities.

Last month, the HC3 published an analyst note covering NoEscape ransomware, a relatively new hacker and ransomware group to the cybercriminal community. The note provided an overview of the group, possible connections to the Avaddon threat group, an analysis of NoEscape’s ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, and recommended defense and mitigations against the ransomware.
