
Let’s Talk About Black Basta Ransomware: An In-depth Analysis


Research and Analysis Jun 30, 2022

Origin : April 2022

Aliases : Basta News, Black Basta Blog

Targeted Sectors : Real-estate, Insurance, Healthcare, Banking, Manufacturing, Financial Services, Chemicals, Food & Beverage, Metals & Mining, Business Services

Targeted Regions : United States, Canada, Europe, United Kingdom, Australia, and New Zealand

Motive : Data Theft

Infection Vectors : Phishing email, Social Engineering, Torrent Websites, Malicious Ads

Introduction

Black Basta is a new ransomware gang that has risen to prominence after breaching the networks of at least 50 firms across industries in a matter of a few months. So far, the group's double-extortion attacks around the world have amounted to multi-million dollar crimes. The Black Basta ransomware moves so quickly that it rarely produces the symptoms that usually alert defenders to a potential compromise or infection.

The ransomware group, which first appeared in the public eye in April, is still in its early stages. Even so, by adopting new malware tools and hacking techniques, it is making rapid progress on the cyber-offensive terrain. The ransomware has already infected companies such as Deutsche Windtechnik and the American Dental Association.

Infection Vector and Exploitation Techniques

Cybercriminals primarily spread malware (including ransomware) through phishing and social engineering, and Black Basta is no different. Its operators typically disguise the malware in various ways to carry out successful exploitation.

  • Infectious files come in a variety of formats, such as archives (ZIP, RAR), executables (.exe, .run), Microsoft Office and PDF documents, JavaScript, and so on. When such a file is opened, the infection process begins.

  • Stealthy and deceptive downloads from untrustworthy download channels, e.g. unofficial free file-hosting websites and peer-to-peer sharing networks.

  • Malicious attachments and links in spam emails and messages, online ad scams, cracked software on malicious torrent sites, and fake updates are among the most common distribution methods.

Operational Details

  • The ransomware hijacks an existing Windows service and uses it to launch the ransomware decryptor executable. It then changes the wallpaper to display the message: “Your network is encrypted by the Black Basta group.”

  • Black Basta uses the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file that describes the attack and contains a link and a unique ID for logging in to the negotiation chat session with the threat actors.

The Double Extortion Scheme

  • Black Basta, like other enterprise-focused ransomware operations, employs a double extortion scheme: it steals confidential data before encrypting it, so that it can threaten victims with the public release of the stolen data.

  • The threat actors threaten to leak the stolen data if payment is not made within seven days of the attack, and promise to keep the data secure once a ransom is paid.

  • The extortion phase of the gang's attacks is carried out on its Tor site, Basta News, which contains a list of all the victims who have not paid the ransom.

Attack Topography

The Black Basta Ransomware group targets a wide range of industries, although real estate, manufacturing, and financial services are the most common. In addition to these industries, the gang has already disrupted insurance, healthcare, finance, chemicals, food and beverage, metals and mining, and business services.

According to sources, the ransomware group has been on the lookout for businesses in the United States, Canada, Europe, the United Kingdom, Australia, and New Zealand that use English as their primary language of communication.

Attack on VMware ESXi Servers

The Black Basta ransomware initially targeted only Windows-based systems, but the most recent ransomware binary also targets VMware virtual machines (VMs). On ESXi-based systems and servers, the latest variant appeared to encrypt VMs stored in the volumes folder (/vmfs/volumes).

The files on such servers are generally much larger than on a typical system, so Black Basta does not encrypt each file in full but only partially. It does this by encrypting only 64-byte blocks of a file, separated by 128-byte blocks that it skips. This intermittent scheme lets the ransomware encrypt files much more quickly.
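The block layout just described (64 encrypted bytes, then 128 untouched bytes, repeating) leaves a measurable fingerprint: every 192-byte period contains one high-entropy window followed by low-entropy content. The following Python script is an added example written for this briefing, not code from the page or from the ransomware; it scores a file for that alternation using per-block Shannon entropy. The entropy threshold (5.0 bits/byte), the minimum period count and the constructed sample data are assumptions; the encrypted blocks in the sample are modelled with seeded pseudo-random bytes, no cipher is involved.

```python
import math
import random
from collections import Counter

ENC_BLOCK = 64          # bytes encrypted per period (from the description above)
SKIP_BLOCK = 128        # bytes skipped between encrypted blocks (from the description above)
PERIOD = ENC_BLOCK + SKIP_BLOCK
HIGH_ENTROPY = 5.0      # bits/byte; assumed threshold: 64 random bytes score ~5.7, English text ~4.4


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def period_scores(data: bytes):
    """Walk the data in 192-byte periods and count how many look like
    '64 high-entropy bytes followed by 128 low-entropy bytes'.
    Returns (enc_high, skip_low, periods)."""
    periods = len(data) // PERIOD
    enc_high = skip_low = 0
    for p in range(periods):
        start = p * PERIOD
        enc = data[start:start + ENC_BLOCK]
        skip = data[start + ENC_BLOCK:start + PERIOD]
        if shannon_entropy(enc) >= HIGH_ENTROPY:
            enc_high += 1
        # Score the 128-byte gap as two 64-byte halves so both block kinds are
        # measured on the same window size (entropy grows with window length).
        halves = (skip[:ENC_BLOCK], skip[ENC_BLOCK:])
        if all(shannon_entropy(h) < HIGH_ENTROPY for h in halves):
            skip_low += 1
    return enc_high, skip_low, periods


def looks_intermittently_encrypted(data: bytes, min_periods: int = 4, min_ratio: float = 0.9) -> bool:
    """True when nearly every period shows the encrypted/plaintext alternation.
    Fully encrypted or compressed data fails the skip-block test and untouched
    text fails the encrypted-block test, so both come back False."""
    enc_high, skip_low, periods = period_scores(data)
    if periods < min_periods:
        return False
    return enc_high >= min_ratio * periods and skip_low >= min_ratio * periods


# ---- constructed sample data (assumption: not real victim files) ----

def make_plaintext(n: int) -> bytes:
    """Constructed low-entropy content standing in for a document or VM config file."""
    s = b"The quick brown fox jumps over the lazy dog. "
    return (s * (n // len(s) + 1))[:n]


def make_partial_pattern(plain: bytes, seed: int = 1) -> bytes:
    """Constructed stand-in for the on-disk layout: the first 64 bytes of every
    192-byte period are replaced by seeded pseudo-random bytes, which model
    ciphertext for the detector. No cipher is used here."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for start in range(0, len(out) - ENC_BLOCK + 1, PERIOD):
        out[start:start + ENC_BLOCK] = rng.randbytes(ENC_BLOCK)
    return bytes(out)


def make_fully_random(n: int, seed: int = 2) -> bytes:
    """Constructed stand-in for a fully encrypted or compressed file."""
    return random.Random(seed).randbytes(n)


if __name__ == "__main__":
    plain = make_plaintext(8 * PERIOD)
    for label, blob in (("untouched", plain),
                        ("partial pattern", make_partial_pattern(plain)),
                        ("fully random", make_fully_random(8 * PERIOD))):
        print(f"{label:16s} scores={period_scores(blob)} flagged={looks_intermittently_encrypted(blob)}")
```

The two-sided test matters in practice: a scanner that only looks for high-entropy regions would also flag compressed archives and disks that were already encrypted at rest, whereas requiring the low-entropy gaps at a fixed stride ties the alert to this specific partial-encryption layout. The threshold should be re-tuned for the file types on the volume being scanned, since VM disk images contain large zero-filled and binary regions.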

Partnership and Rebranding Effort

Several emerging threat groups no longer appear to be distinct threats. Many of them work together to form new syndicates that carry out successful attacks, making it increasingly difficult for cybersecurity experts to mitigate the threat at an early stage. According to several researchers, the Black Basta ransomware group seems to be treading a similar path.

QBot: The Black Basta ransomware group has joined hands with QBot to gain initial access to corporate environments. QBot is known for stealing Windows domain and bank credentials and dropping additional payloads. During a recent incident response, researchers observed the Black Basta gang using QBot to spread laterally throughout the network; QBot was the threat actor's primary method of maintaining a presence on the network. Once set up, QBot infects network shares and drives, brute-forces AD accounts, or uses SMB to create copies of itself or spread via default admin shares using the current user's credentials.

Conti: After closely monitoring Black Basta ransomware, a few researchers have asserted with moderate confidence that it could be a rebrand of Conti. Black Basta was found to share multiple similarities with the Conti group, from leak sites and payment sites to victim recovery portals. The temporary closure of Conti, followed by the near-immediate emergence of Black Basta using similar tactics, further fuels speculation that the two groups are closely related or run by the same members.

Moreover, Conti ransomware activity has increased of late, despite researchers recently exposing the cybercriminals' operations. Conti, for its part, continues to deny that it rebranded as Black Basta and has labeled the group "kids."

Prevention and Mitigation

Given the speed with which Black Basta ransomware is spreading, it is highly recommended to fend off the threat as early as possible. Since phishing and social engineering are its primary methods of propagation, users should avoid opening attachments and links in suspicious or irrelevant emails and messages, as doing so could lead to a system infection.

Aggregation and correlation of threat intelligence feeds is the need of the hour. Do away with legacy approaches and adopt modern threat alerting solutions. These let you aggregate custom threat intel feeds with early-warning advisories on malware and vulnerabilities under exploitation, which are converted into actionable alerts for security analysts, customers, vendors, and peers. Furthermore, security teams must also automate their SecOps workflows and operationalize threat intelligence for automated detection, analysis, and response to such threats.

Conclusion

The Black Basta group's impact in such a short period of time makes it a significant threat to global enterprise networks. The 'possible and likely' collaboration of Black Basta with QBot and Conti is clearly worrisome for enterprises and organizations looking to protect their data from attacks. While law enforcement agencies and security researchers are doing everything they can to curb ransomware activity, organizations are advised to continue following best practices to secure themselves and their businesses.

Indicators of Compromise (IOCs)

Encrypted Files Extension

.basta

Filenames

Dlaksjdoiwq.jpg

fkdjsadasd.ico

Readme.txt

No_name_software

PsExec.exe

log.dat

Registry Keys

HKCU\Control Panel\Desktop\Wallpaper = %Temp%\dlaksjdoiwq.jpg

HKEY_CLASSES_ROOT\.basta\DefaultIcon = %Temp%\fkdjsadasd.ico

URLs

https[:]//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion:80/

SHA256

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90

5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173

7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a

Ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e

B3661c6fecf46e6a7b96b3debc7efa65633bfde2f156392ff6506736457361be

5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa

Ef1382770f820e4b2e65981bb7b3a62d5f93e3b87763f83012ef7f7cb1bc9469

A54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1

1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250

2967e1d97d32605fc5ace49a10828800fbbefcc1e010f6004a9c88ef3ecdad88

F088e6944b2632bb7c93fa3c7ba1707914c05c00f9491e033f78a709d65d7cff

eb07a24f63d7f56fb13e34dd60e45a4c8522c32892c8be7dca7d3f742fa86b0a

IP Address

23.106.160[.]188

SHA1

Eb43350337138f2a77593c79cee1439217d02957

920fe42b1bd69804080f904f0426ed784a8ebbc2

bd0bf9c987288ca434221d7d81c54a47e913600a

MD5

3f400f30415941348af21d515a2fc6a3

a70f03beb3A8246595eab83935227914
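The hash and filename indicators above are only useful once they are turned into a check that can be run against a file share or a collected disk image. The following Python sweep is an added example for this briefing (not the page's or any vendor's tooling); it hashes every file once with all three algorithms, matches against the page's hash lists after lower-casing them (the list above mixes upper- and lower-case hex, which would otherwise never match hashlib's lowercase output), flags the .basta extension and the dropped artifact filenames, and treats readme.txt as a ransom note only when it sits beside encrypted files. The directory it scans in the demo is constructed sample data; the decision to leave PsExec.exe out of the filename list and the note-beside-encrypted-files rule are the author's assumptions, and the registry-value indicators are not covered because they require a Windows host.

```python
import hashlib
import io
import os
import tempfile
from pathlib import Path

# Hash IOCs as listed on this page, lower-cased so mixed-case entries still
# match the lowercase hex that hashlib produces.
SHA256_IOCS = {h.lower() for h in (
    "17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90",
    "5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173",
    "7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a",
    "Ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e",
    "B3661c6fecf46e6a7b96b3debc7efa65633bfde2f156392ff6506736457361be",
    "5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa",
    "Ef1382770f820e4b2e65981bb7b3a62d5f93e3b87763f83012ef7f7cb1bc9469",
    "A54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1",
    "1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250",
    "2967e1d97d32605fc5ace49a10828800fbbefcc1e010f6004a9c88ef3ecdad88",
    "F088e6944b2632bb7c93fa3c7ba1707914c05c00f9491e033f78a709d65d7cff",
    "eb07a24f63d7f56fb13e34dd60e45a4c8522c32892c8be7dca7d3f742fa86b0a",
)}
SHA1_IOCS = {h.lower() for h in (
    "Eb43350337138f2a77593c79cee1439217d02957",
    "920fe42b1bd69804080f904f0426ed784a8ebbc2",
    "bd0bf9c987288ca434221d7d81c54a47e913600a",
)}
MD5_IOCS = {h.lower() for h in (
    "3f400f30415941348af21d515a2fc6a3",
    "a70f03beb3A8246595eab83935227914",
)}
ENCRYPTED_EXT = ".basta"
# Dropped artifacts named on the page. PsExec.exe is deliberately left out
# (assumption): it is legitimate admin tooling and needs a hash or context
# check before it can be treated as an indicator on its own.
ARTIFACT_NAMES = {"dlaksjdoiwq.jpg", "fkdjsadasd.ico", "log.dat"}
NOTE_NAME = "readme.txt"  # assumption: only meaningful next to encrypted files


def hash_stream(f) -> tuple:
    """Return (md5, sha1, sha256) hex digests of a binary stream in one pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in iter(lambda: f.read(1 << 20), b""):
        md5.update(chunk); sha1.update(chunk); sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data: bytes) -> tuple:
    return hash_stream(io.BytesIO(data))


def classify(path: Path, dir_has_encrypted: bool) -> list:
    """List the reasons a file matches the page's IOCs (empty list = no match)."""
    reasons = []
    name = path.name.lower()
    if name.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted-file extension " + ENCRYPTED_EXT)
    if name in ARTIFACT_NAMES:
        reasons.append("known artifact filename " + path.name)
    if name == NOTE_NAME and dir_has_encrypted:
        reasons.append("ransom note beside encrypted files")
    with open(path, "rb") as f:
        md5, sha1, sha256 = hash_stream(f)
    for digest, known, label in ((md5, MD5_IOCS, "md5"), (sha1, SHA1_IOCS, "sha1"),
                                 (sha256, SHA256_IOCS, "sha256")):
        if digest in known:
            reasons.append(f"{label} match {digest}")
    return reasons


def sweep(root) -> dict:
    """Walk root and return {relative_posix_path: [reasons]} for every matching file."""
    hits = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        has_encrypted = any(fn.lower().endswith(ENCRYPTED_EXT) for fn in files)
        for fn in files:
            p = d / fn
            reasons = classify(p, has_encrypted)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def demo() -> dict:
    """Build a constructed directory (sample data, not real victim files) and sweep it."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "share").mkdir()
    (root / "share" / "report.docx.basta").write_bytes(b"abc")        # constructed
    (root / "share" / "readme.txt").write_bytes(b"constructed note")  # note beside .basta file
    (root / "share" / "notes.txt").write_bytes(b"harmless")
    (root / "readme.txt").write_bytes(b"a normal project readme")      # no .basta sibling
    return sweep(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Run it against a mounted copy of a suspect share rather than the live host, and feed the hit list into the SIEM alongside the registry and URL indicators collected by other means; hashing each file once and checking all three digests keeps the cost of the sweep at one read per file regardless of how many hash lists are in play.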
