UPDATED 11:44 EDT / NOVEMBER 20 2023

SECURITY

Phobos ransomware group steps up its game

The 8Base ransomware group, the criminals behind the Phobos malware, continues to advance its tactics and is branching out into selling ransomware-as-a-service, according to a new report Friday from Cisco Talos Intelligence.

In June, SiliconANGLE wrote about the group’s summer exploits, based on a VMware Inc. report. Phobos-based attacks have been observed since 2018, and the group appears to have stepped up its game, become more organized and made its ransomware more damaging and sophisticated.

One of its calling cards is a “leak website,” a wall of shame listing its more recent victims. Publishing victims there is one tactic used to compel payment.

Guilherme Venere, who authored the Talos report, describes a series of Phobos variants that the researchers have tracked, naming Devos, Eking, Eight, Elbie and Faust as the most common. The group’s initial communications with victims go through email accounts at a variety of commercial providers, including ProtonMail, AOL.com and Tutanota.

These emails carry reply-to addresses that are customized for each victim. “This diversity of providers further supports our assessment that Phobos has a dispersed affiliate base and may be operating as a RaaS,” Venere wrote in the blog post summarizing the research.

One likely affiliate is the RansomHouse group, which was behind an alleged theft of 450 gigabytes of data from Advanced Micro Devices Inc. in June 2022.

The initial Phobos-based attacks were built around weaknesses in Microsoft’s Remote Desktop Protocol, according to a report from Avast. The protocol is frequently abused by attackers because it provides direct, interactive access to a wide range of systems, and a single compromised RDP session can then be used as a foothold to push the intrusion further.

The Talos researchers found that the typical attack plan was to target a specific part of an enterprise’s infrastructure and deploy the ransomware on a smaller number of higher-value systems. Other tooling was dropped on these systems, including process viewers, tools to automatically harvest credentials and extract passwords, software to unlock database files that are in use, scanners to locate open network ports and services, and other utilities common in the ransomware world.

The ransomware itself also deletes Windows volume shadow copies and clears event logs to make detection and recovery more difficult. That shows the level of sophistication now present in Phobos, and the power of a ransomware-as-a-service operation that packages all these criminal services together.
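One check a defender would want from the tradecraft just described is telemetry for the recovery-inhibiting and log-clearing commands that typically precede encryption. The following is an added example, not code from the Talos report or from SiliconANGLE: a small Python rule set run over constructed (not real) process-creation records, plus a host-level check that fires only when several distinct recovery-inhibiting actions land on one host within a short window, which separates a ransomware impact stage from an administrator running one such command legitimately. The record format, rule names and the ATT&CK technique labels attached to them are this example’s own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a simplified
# "timestamp|host|user|parent|command line" format, as a SIEM might
# export Sysmon event 1 or Windows event 4688 process creations.
SAMPLE_EVENTS = [
    "2023-11-17T02:14:05Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2023-11-17T02:14:06Z|FS01|CORP\\svc_backup|cmd.exe|wmic.exe shadowcopy delete",
    "2023-11-17T02:14:07Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit.exe /set {default} recoveryenabled no",
    "2023-11-17T02:14:08Z|FS01|CORP\\svc_backup|cmd.exe|wbadmin.exe delete catalog -quiet",
    "2023-11-17T02:14:09Z|FS01|CORP\\svc_backup|cmd.exe|wevtutil.exe cl Security",
    "2023-11-17T02:14:10Z|FS01|CORP\\svc_backup|cmd.exe|netsh advfirewall set currentprofile state off",
    # Benign activity: listing shadow copies and editing a file should not fire.
    "2023-11-17T09:00:00Z|WS22|CORP\\alice|explorer.exe|vssadmin.exe list shadows",
    "2023-11-17T09:05:00Z|WS22|CORP\\alice|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

# Rule name -> command-line pattern. The names carry the MITRE ATT&CK
# technique the behaviour maps to (T1490 Inhibit System Recovery,
# T1070.001 Clear Windows Event Logs, T1562.004 Disable System Firewall).
RULES = [
    ("T1490 shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 shadow copy deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490 backup catalog deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490 recovery disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("T1070.001 event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1562.004 firewall disabled", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b.*state\s+off", re.I)),
]


@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str):
    """Split one pipe-delimited record into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, parent, cmd


def scan(lines):
    """Return one Finding per record whose command line matches a rule."""
    findings = []
    for line in lines:
        ts, host, user, _parent, cmd = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, user, rule, cmd))
                break  # one finding per record is enough
    return findings


def burst_hosts(findings, window=timedelta(minutes=5), min_rules=3):
    """Map host -> sorted distinct rules when at least `min_rules` different
    rules fire on that host inside any `window`-long span. A single
    `vssadmin delete shadows` can be legitimate maintenance; several
    distinct recovery-inhibiting actions in a few seconds usually is not."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    flagged = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.ts)
        for i, start in enumerate(fs):
            rules = {g.rule for g in fs[i:] if g.ts - start.ts <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts:%H:%M:%S} {f.host} {f.user}: [{f.rule}] {f.cmdline}")
    for host, rules in burst_hosts(hits).items():
        print(f"ALERT {host}: {len(rules)} distinct recovery-inhibiting actions: {', '.join(rules)}")
```

In a real deployment the same rules would sit on top of command-line logging from Sysmon or audit policy 4688 with command-line capture enabled; the point of the burst check is that the individual commands are noisy on their own, while their combination on one host in a short window is a strong signal that encryption is about to start.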

One of the more interesting findings is that Phobos takes care not to encrypt files already touched by other ransomware operations, using a frequently updated “do not disturb” list of file extensions to skip.

The researchers also found that the same public encryption key was used in all of the samples they analyzed, indicating that a single threat actor controls the keys behind the entire operation, whoever the affiliate deploying a given sample may be.

This is a large tool chest, and a useful warning to systems administrators of the multiple fronts on which a typical ransomware intrusion must be repelled. It is also one of the more visible reasons why ransomware attacks so often succeed: they have evolved to exploit Windows, network and application security weaknesses at the same time.

Image: Bing Image Creator
