[Virus/Malware Activity Report: 8Base Ransomware]

Due to a breach believed to be in the form of 8Base ransomware, we would like to
confirm the situation and provide a warning as follows.

8Base ransomware

The ransomware is called 8Base and appears to be changing all files with file name.extension.id[private key].[support@rexsdata.pro].8base.

How it works

file version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in window properties]

Ransomware operation characteristics

• Obfuscation of executable files and similarity to the existing Phobos family

  Both the ransom note/txt and the encrypted form are similar to the existing Phobos (compilation language C++) ransomware, but 8Base was created based on .NET (C#). In general, ransomware often uses commercial programs to obfuscate, but 8Base appears to have used its own, unknown method for obfuscation.

  
  [Figure 3 Obfuscated static code]

Infection results

Files with the names info.txt / info.hta are created on the desktop and in the root of each drive. When encryption is performed, the files are saved as <file name.extension.id[private key].[support@rexsdata.pro].8base>. Change them.

[Figure 4 Infection results]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 5 Block message]

Watch the 8Base blocking video