By Anish Bogati, Security Research Engineer, Logpoint
SMEs are increasingly a target for ransomware operators, with one in four (26%) targeted in the UK last year and almost half (47%) then paying to regain access to their data, according to research from Avast. In the current climate, with budgets stretched and cybersecure personnel hard to come by, they are even more at risk, so the emergence of a new and rapidly growing ransomware operator focused on SMEs should ring alarm bells.
8base emerged in March 2022 and has become a persistent and formidable adversary with activity levels increasing significantly since June. It’s now in the top five most active ransomware groups, with the UK the third most active region during the three months from June-August. So far, our analysis found it’s predominantly targeting SMEs offering business services (53%), followed by finance (16%), manufacturing (14%) and IT (7.2%).
Phishing emails are the primary method of obtaining access, although attacks frequently use spear phishing too, which targets a specific individual. 8base uses multiple malware families, including SmokeLoader and SystemBC, but has also been found to use a customised version of the Phobos ransomware variant. It also resorts to using the services of Initial Access Brokers (IABs), who specialise in selling illegal network access.
How 8base infects the business
The malware uses the Windows Command Shell and PowerShell to run the ransomware payload, before querying registry keys, modifying registry values and initiating discovery. The modified values ensure the malware relaunches and disrupts normal operations every time the system is restarted, giving the attacker what’s known as persistence. Modification of the keys that control access to the internet can also allow the malware to bypass security measures and connect to malicious websites or servers.
The discovery phase sees the attackers use the registry keys to discover system names and default settings and, in common with other ransomware attacks, 8base also makes use of the Windows Native API. This allows it to enumerate other network resources accessible from the user’s device and expand the footprint of the attack.
To evade defences, 8base uses a number of techniques, from process injection which sees the malware code hide in a legitimate program, to pretending to be a bona fide binary process. It also terminates the very security processes that have been put in place to detect and stop it. This includes, for example, disabling Windows Firewall, effectively creating a cloak of invisibility that allows the attack to progress unhindered.
When it comes to the data, 8base encrypts the files and inhibits system recovery. It deletes existing copies and any backups and disables auto-recovery services, effectively preventing any restoration.
Spotting the signs of an attack
It’s easy to see how devastating such an attack would be for the victim organisation and why many struggle to recover. But it’s crucial to understand the infection chain in order to detect and mitigate such attacks. The spear phishing attacks employed by 8base, for instance, will typically use Microsoft Office products, which then trigger suspicious child processes such as shells or other binaries spawned to execute the commands and code carried in the attachment, and this behaviour can be detected.
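As an added worked example (not code from the original article or from Logpoint), the following runs constructed Sysmon-style process-creation events through three detection rules covering the behaviours described above: an Office application spawning a shell, recovery inhibition, and the firewall being disabled. The event field names, sample values and command-line patterns are assumptions; the second and third rules go beyond the Office child-process case the text names and cover the recovery and defence-evasion steps of the infection chain.

```python
"""Toy detection pass over constructed process-creation events."""
import re

# Constructed sample events in a Sysmon Event ID 1-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -w hidden -File C:\Users\Public\stage.ps1"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",          # benign
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",  # benign
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command lines that remove shadow copies / backup catalogs or turn off auto recovery.
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
FIREWALL_OFF = re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    parent, child, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        hits.append("office_spawns_shell")       # initial access via malicious document
    if RECOVERY_INHIBIT.search(cmd):
        hits.append("inhibit_system_recovery")   # backups / shadow copies / auto recovery
    if FIREWALL_OFF.search(cmd):
        hits.append("firewall_disabled")         # defence evasion
    return hits


def detect(events):
    """Aggregate hits as {(host, rule): count} so the chain is visible per host."""
    alerts = {}
    for e in events:
        for rule in classify(e):
            alerts[(e["host"], rule)] = alerts.get((e["host"], rule), 0) + 1
    return alerts


if __name__ == "__main__":
    for (host, rule), n in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host}: {rule} x{n}")
```

In a real SIEM these three rules would be separate correlation rules, with the per-host grouping done by the platform rather than in code.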
Proper logging, visibility of assets, and monitoring of systems are essential for combating ransomware. Monitoring and auditing the network regularly makes it possible to keep track of user activity and network traffic and to identify any unusual behaviour, so logs must be collected from every system. Establishing a log retention policy can then ensure log data is available for analysis in the event of an incident. Log data should be retained for at least six months, but this may need to be longer depending on regulatory or compliance requirements.
One of the principal tools used to collate and analyse logs and defend against such ransomware attacks is a Security Information and Event Management (SIEM) platform. These are no longer the preserve of large corporates and are now well within the reach of SMEs. Additional solutions can be integrated into the SIEM to provide enhanced threat hunting capabilities. These include Security Orchestration, Automation and Response (SOAR) for automated detection and response, User and Entity Behaviour Analytics (UEBA) capable of applying machine learning and AI to qualify threats, and Endpoint Detection and Response (EDR) for monitoring endpoints such as user devices.
If the SIEM also integrates with SOAR, the business is able to use pre-configured playbooks for investigation and response. Playbooks are crafted to respond to specific threats. In the case of 8base, multiple playbooks would need to be deployed: one for phishing, one for ransomware, one specifically to delete suspicious registry values, and another to detect communication with malicious servers (referred to as command and control or C2 servers).
Of course, there are other steps that the business can take to help limit the potential for a ransomware attack. Examples of effective cybersecurity hygiene include providing regular phishing training to employees on how to recognise and respond to social engineering attacks such as phishing, smishing, pretexting, and baiting. A formal process should also be put in place for employees to report if they have fallen victim to such an attack.
Access controls should include strong password policies and the use of multi-factor authentication (MFA) for all user accounts, especially for remote access or cloud-based services. If it is not feasible to implement MFA for all user accounts, prioritise those accounts that can be accessed from the internet. Consider also setting up MFA for high-risk, privileged activity, and implement the principle of ‘least privilege’, which restricts user access and permissions to only what is necessary for them to perform their job. Privileged accounts should also be audited; this provides valuable insights into how these accounts are being used, allowing organisations to make informed decisions about access control, resource allocation, and risk management.
Data should also be routinely backed up using the 3-2-1 backup policy. This sees the creation of three copies of important data, two of which are stored in different formats or locations, with another copy kept offsite. It’s also advisable to keep an offline backup that is not accessible from the internet. Likewise, it pays to perform network segmentation to keep important systems and sensitive data apart from the rest of the network. This helps to confine possible breaches and minimise attacker lateral movement.
Seek to prevent points of ingress by regularly updating devices, browsers, and other software applications. Keeping software up to date ensures the latest security patches are installed, which can help prevent potential malware infections and data breaches. Where patching is not available or is not feasible, mitigations provided by vendors should be applied.
Finally, conduct regular incident response tests to help identify gaps in the incident response plan and improve the organisation’s preparedness for a real-world incident. Ransomware attacks on the SME sector are becoming more commonplace, and the best way of defending against them is to be prepared.
8base hasn’t come out of nowhere – it signifies that ransomware operators are capitalising on a weak spot in the market – and its emergence shouldn’t be ignored. The fact that we’re now seeing operators specialise in targeting the sector is a wake-up call to SMEs. One hopes it can also be the catalyst needed to spur them into adopting more stringent controls.