{
	"id": "9e0f0c80-59cd-4c96-9af9-000d244f7861",
	"created_at": "2026-04-06T00:22:12.62991Z",
	"updated_at": "2026-04-10T13:12:41.076116Z",
	"deleted_at": null,
	"sha1_hash": "24466c628112388bae7d88aa147cc62413a7bba9",
	"title": "8Base ransomware stays unseen for a year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57835,
	"plain_text": "8Base ransomware stays unseen for a year\r\nArchived: 2026-04-05 18:40:23 UTC\r\nSummary\r\nComes to victims via SmokeLoader malware\r\nSample is a PE32 file, written in C/C++\r\nModified version of Phobos ransomware\r\nEncrypts users' files with AES-256-CBC cipher\r\nWrites IV and encrypted AES key to the end of encrypted files\r\nData leak site shares similarities with the RansomHouse site\r\nIntroduction\r\n8Base ransomware was first spotted in June 2023, with a massive number of targeted victims. It was later\r\ndiscovered that 8Base originated in March 2022 with the launch of an associated data leak site. 8Base also has a\r\nTwitter account, which was created in 2014. In the account’s pinned post, the threat actors announced the\r\npublication of leaked data from the past year's operation, indicating that in addition to encrypting user files, the\r\ngroup has also exfiltrated data to its own servers.\r\nTo deliver 8Base ransomware to the victims' machines, threat actors used SmokeLoader, a botnet that is very\r\npopular for ransomware attacks. In addition to malware downloading capabilities, SmokeLoader also has a\r\nbackdoor function that allows threat actors to exfiltrate victims' data.\r\nTechnical details\r\nOverview\r\nThe 8Base ransomware sample is a PE32 file, written in C/C++. The compilation timestamp ‘2022-06-23’\r\nmatches the start of gang operations. 
As was mentioned before, its activity was spotted only in June 2023, so this\r\nsample remained unseen until this moment.\r\nExecution\r\nAt the start of execution, 8Base decrypts some executable code, loads it to the ‘eax’ register, and calls it.\r\nWhile the sample file doesn't have a lot of imports, during execution, it loads separate parts of import names and\r\nsaves them to local variables for further use.\r\nHere are some imports used to work with files, loaded during execution:\r\nkernel32_FindClose\r\nkernel32_FindNextFileW\r\nhttps://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/\r\nPage 1 of 4\n\nkernel32_SystemTimeToFileTime\r\nkernel32_FindFirstFileW\r\nkernel32_MoveFileW\r\nkernel32_GetFileSizeEx\r\nkernel32_SetFilePointerEx\r\nkernel32_SetEndOfFile\r\nkernel32_SetFilePointer\r\nkernel32_GetLogicalDrives\r\nkernel32_CopyFileW\r\nkernel32_GetFileAttributesW\r\nkernel32_ReadFile\r\nkernel32_WriteFile\r\n8Base then loads the mutex name and checks if it already exists. If so, it will terminate execution; if not, it creates\r\na mutex and a new process of itself with the ‘CreateProcessW’ function.\r\nBefore encrypting files, 8Base takes some preparatory steps. 
First, it copies itself to three different folders on the\r\nsystem:\r\nC:\\Users\\Flare\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\r\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\mtx777.exe\r\nC:\\Users\\Flare\\AppData\\Local\\mtx777.exe\r\nNext, it creates new Registry keys to enable itself to auto-start:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\mtx777\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\mtx777\r\nIt modifies some keys responsible for internet policy:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass 1\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName 1\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet 1\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect 0\r\n8Base then uses the ‘Wow64DisableWow64FsRedirection’ function to disable file system redirection.\r\nIt executes some commands to delete shadow copies and backup catalogs, change the BootStatusPolicy and disable\r\nRecovery Mode.\r\nvssadmin delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nIt also executes the following commands to disable the firewall:\r\nnetsh advfirewall set currentprofile state off\r\nnetsh firewall set opmode mode=disable\r\nFile encryption\r\n8Base begins searching for available drives on the system with ‘GetLogicalDrives’ and obtains information about\r\nthem.\r\nThen it starts creating encryption threads.\r\nTo search files on the drive, 8Base uses the ‘FindFirstFileW’ and ‘FindNextFileW’ functions. 
During encryption,\r\nit skips the ‘C:\\Windows’ folder, files with its own extension, and ransom note files. Other found files are given to\r\nthe encryption thread.\r\nThe encryption thread opens the file, gets its attributes, and reads its content.\r\nBefore starting encryption, 8Base creates a new file with a new extension:\r\n\u003cOriginal file name and extension\u003e.id[\u003cUnique victim ID\u003e].[\u003cThreat actors email\u003e].8base\r\nNext, it transfers data to the encryption function, which uses the AES-256 algorithm in CBC mode. The IV keys\r\nare generated randomly during execution and will later be written to the encrypted file. To encrypt the AES key, it\r\nuses the RSA algorithm, making this encryption pretty strong. The encryption algorithms are hardcoded and don't\r\nuse any crypto imports.\r\nAfter the encrypted data is written, 8Base takes one further step — it encrypts the AES key and writes it to the end of\r\nthe file together with the IV key.\r\nWith the encryption process completed, we can analyze the file structure.\r\nThe first data written in the file is the encrypted data. Next, there is a block of data, which is typical for Phobos family\r\nransomware. First, there are 20 bytes of ‘00’ (red line), which are used as a separator between the encrypted data and\r\nthis block. Then there are 16 bytes of IV key, which is different for each encrypted file (green line). 
Finally, the\r\nlast block (yellow lines) is an encrypted AES key, which is similar for all files encrypted in one session.\r\nRansom note\r\nThe ransom note files ‘info.hta’ and ‘info.txt’ are dropped after the completed encryption process in ‘C:\\’ and\r\n‘C:\\User\\User\\Desktop’.\r\nData leak site\r\nWhile the ransom notes don’t have a link to the data leak site, the threat actor’s Twitter account does:\r\nhttp://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/\r\nThis site contains the main page with the most recent victims of 8Base ransomware, a page for contacting the\r\nthreat actors, a FAQ, and a “Rules” page.\r\nThe data leak site shares a lot of similarities with the RansomHouse group site, but it is still not clear whether these\r\ntwo groups are connected to each other or whether the 8Base threat actors have simply borrowed their site design.\r\nConclusion\r\n8Base ransomware successfully stayed unseen for almost a year before it was spotted with a large spike of\r\ntargeted victims. 
On their Twitter account, the threat actors actively publish news, including info about recently\r\nbreached victims.\r\nThe sample that was analyzed is a customized version of the Phobos ransomware, which encrypts users' files with\r\nthe AES-256-CBC algorithm, and utilizes SmokeLoader to bring malware to targeted systems.\r\nThe most interesting question here is about a potential connection between 8Base and another ransomware group\r\n(RansomHouse), as their data leak sites share a lot of similarities.\r\nDetected by Acronis\r\nIoCs\r\nFiles\r\nmtx777.exe\r\n518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c\r\nNetwork indicators\r\nhttp://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/\r\nData leak site\r\nhttps://twitter.com/8BASEHOME\r\nThreat actor Twitter account\r\nSource: https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/"
	],
	"report_names": [
		"8base-ransomware-stays-unseen-for-a-year"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24466c628112388bae7d88aa147cc62413a7bba9.pdf",
		"text": "https://archive.orkl.eu/24466c628112388bae7d88aa147cc62413a7bba9.txt",
		"img": "https://archive.orkl.eu/24466c628112388bae7d88aa147cc62413a7bba9.jpg"
	}
}