Phobos Ransomware

The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks.

The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals.

"Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an exhaustive two-part analysis published Friday.

"This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory."

8Base came into sharp focus in mid-2023, when a similar spike in activity was observed by the cybersecurity community. It's said to be active at least since March 2022.

A previous analysis from VMware Carbon Black in June 2023 identified parallels between 8Base and RansomHouse, in addition to discovering a Phobos ransomware sample that was found using the ".8base" file extension for encrypted files.

This raised the likelihood that 8Base is either a successor to Phobos or that the threat actors behind the operation are merely using already existing ransomware strains to conduct their attacks, akin to the Vice Society ransomware group.


The latest findings from Cisco Talos show that SmokeLoader is used as a launchpad to execute the Phobos payload, which then carries out steps to establish persistence, terminate processes that may keep the target files open, disable system recovery, and delete backups as well as shadow copies.

Another notable characteristic is the full encryption of files that are below 1.5 MB and partial encryption of files above the threshold to speed up the encryption process.

Furthermore, the artifact incorporates a configuration with over 70 options that's encrypted using a hard-coded key. The configuration unlocks additional features such as User Account Control (UAC) bypass and reporting of a victim infection to an external URL.

There is also a hard-coded RSA key used to protect the per-file AES key used in the encryption, which Talos said could help enable decryption of files locked by the ransomware.

"Once each file is encrypted, the key used in the encryption along with additional metadata is then encrypted using RSA-1024 with a hard-coded public key, and saved to the end of the file," Venere elaborated.

"It implies, however, that once the private RSA key is known, any file encrypted by any Phobos variant since 2019 can reliably be decrypted."

Phobos Ransomware

Phobos, which first emerged in 2019, is an evolution of the Dharma (aka Crysis) ransomware, with the ransomware predominantly manifesting as the variants Eking, Eight, Elbie, Devos, and Faust, based on the volume of artifacts unearthed on VirusTotal.

"The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed," Venere said. "This is based on a file extension block list in the ransomware's configuration settings."

Cisco Talos assesses that Phobos is closely managed by a central authority, while being sold as a ransomware-as-a-service (RaaS) to other affiliates based on the same RSA public key, the variations in the contact emails, and regular updates to the ransomware's extension block lists.

"The extension blocklists appear to tell a story of which groups used that same base sample over time," Venere said.

"The extension block lists found in the many Phobos samples [...] are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations."

The development comes as FalconFeeds disclosed that a threat actor is advertising a sophisticated ransomware product called UBUD that's developed in C and features "strong anti-detection measures against virtual machines and debugging tools."


It also follows a formal complaint filed by the BlackCat ransomware group with the U.S. Securities and Exchange Commission (SEC), alleging that one of its victims, MeridianLink, failed to comply with new disclosure regulations that require impacted companies to report the incident within four business days, reported.

The financial software company has since confirmed it was targeted in a cyber attack on November 10, but noted it found no evidence of unauthorized access to its systems.

While the SEC disclosure rules don't take effect until next month on December 18, the unusual pressure tactic is a sign that threat actors are closely watching the space and are willing to bend government regulations to their advantage and compel victims to pay up.

That said, it's worth noting that the enforcement exclusively applies in situations where the companies have identified that the attacks have had a "material" impact on their bottom lines.

Another prolific ransomware gang LockBit, in the meanwhile, has instituted new negotiation rules starting October 2023, citing less-than-expected settlements and larger discounts offered to victims due to the "different levels of experience of affiliates."

"Establish a minimum ransom request depending on the company's yearly revenue, for example at 3%, and prohibit discounts of more than 50%," the LockBit operators said, according to a detailed report from Analyst1.

"Thus, if the company's revenue is $100 million USD, the initial ransom request should start from $3 million USD with the final payout must be no less than $1.5 million USD."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.