8Base operation ramps up activity with new Phobos ransomware

The 8Base ransomware operation has ramped up attacks using a new Phobos ransomware variant, according to The Hacker News. Intrusions begin with the SmokeLoader backdoor trojan, which delivers the Phobos variant; the payload establishes persistence, terminates processes that may hold target files open, disables system recovery, and deletes backups and shadow copies, a pair of reports from Cisco Talos showed. To speed up encryption, Phobos fully encrypts only files smaller than 1.5 MB; it also carries a configuration that enables evasion of User Account Control and reporting of victim infections to an external URL, along with a hard-coded RSA key. Researchers suspect Phobos is controlled by a central authority because of the persistent updates found in various samples' extension block lists. "This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations," said researcher Guilherme Venere.
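The recovery-disabling and shadow-copy-deletion behaviour described above is what a detection engineer would hunt for on endpoints before encryption starts. The following is an added example, not code from SC Media, The Hacker News or Cisco Talos: it runs a small rule set over constructed process-creation events. The page does not state which commands this Phobos variant issues; the command lines matched here (vssadmin, wbadmin, bcdedit, wmic) are the usual Windows utilities for these actions and are an assumption, as are the host names, users and log format.

```python
import re

# Constructed sample process-creation events (assumption: a key=value log format
# with a quoted "cmd" field). Not taken from the article or the Talos reports.
SAMPLE_EVENTS = [
    'host=ws01 user=alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
    'host=ws01 user=alice parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'host=ws01 user=alice parent=cmd.exe image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    'host=ws01 user=alice parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    'host=ws01 user=alice parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    # Benign administrative use on another host: listing, not deleting, shadow copies.
    'host=ws02 user=svc_backup parent=services.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
]

# Detection rules: (name, regex over the command line). Each covers one of the
# pre-encryption actions the article attributes to Phobos. Commands are an
# assumption about common Windows tooling, not something the page lists.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion_wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("boot_failure_ignored", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# key=value pairs; the value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def match_rules(event):
    """Return the names of every rule whose regex hits the event's command line."""
    cmd = event.get("cmd", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def score_events(lines):
    """Group distinct rule hits per host so related actions can be correlated."""
    per_host = {}
    for line in lines:
        event = parse_event(line)
        hits = match_rules(event)
        if hits:
            per_host.setdefault(event.get("host", "?"), set()).update(hits)
    return per_host


def flagged_hosts(lines, threshold=2):
    """Hosts that trip at least `threshold` distinct rules: one deletion alone can be
    legitimate administration, several together look like ransomware staging."""
    return sorted(host for host, hits in score_events(lines).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for host, hits in score_events(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The correlation step matters more than any single regex: a backup operator legitimately lists or even prunes shadow copies, but a workstation that deletes shadow copies, wipes the backup catalog and turns off recovery within a short window is behaving like the pre-encryption stage described in the reports, and that combination is what should page an analyst.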
