The Black Basta ransomware is a new strain of ransomware discovered in April of 2022. Although active for just two months, the group already rose to prominence claiming attribution of nearly 50 victims as of the publication of this report.
Even though it first emerged in April, Black Basta operations started back in February of 2022, according to some evidence of compilation time and pivoting of the associated files. Back then, the ransomware had no name (to be precise, “no_name_software“), which suggested that it was still in development.
Later, in April, the operators started using the ransomware to target victims. The timing was no coincidence: On April 20, 2022, a user named BlackBasta posted on the underground forums XSS[.]IS and EXPLOIT[.]IN a post intended to buy and monetize corporate network access for a share of the profits.
The post, written in Russian, also specified that they were looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, which suggests that the group targets specifically English-speaking countries:
Cybereason Detects and Blocks Black Basta ransomware
Similar to other ransomware operations that have emerged over the past years, the Black Basta gang follows the growing trend of double extortion. They steal sensitive files and information from their victims and later use it to extort the victims by threatening to publish the data unless the ransom is paid.
While the ransom demand is likely to vary among victims, according to reports, the group was seen demanding millions of dollars as a ransom fee:
Early in June, it was reported that the Black Basta ransomware gang has partnered with the QBot malware operation to spread their ransomware. This is, of course, not the first time that a ransomware gang partnered with QBot to use it as their main distributor.
Many of the “big players” in the ransomware field have done it before, including MegaCortex, ProLock, DoppelPaymer, Conti and Egregor. These partnerships have proven themselves in the past, and Black Basta, most likely as a step to follow the big players' lead, has decided to do the same.
The use of QBot saves time for ransomware operators. QBot has many built-in capabilities that are very useful for attackers. Some of them used to perform reconnaissance, collect data and credentials, move laterally, and download and execute payloads.
After harvesting credentials and understanding the network architecture, the attacker targets the Domain Controller, and moves laterally using PsExec. Once compromised successfully, the attackers “prepare the ground” and undertake a final procedure meant to avoid detection and prevention.
The attacker creates, on the compromised DCs, a Group Policy Object (GPO) to disable Windows Defender and tries to take down any anti-virus products. Interesting to note that this technique was also observed in the QBot-Egregor attack in the past.
The final stage of the attack is to deploy the ransomware to the targeted endpoints. To do so, the attacker uses an encoded PowerShell command that leverages WMI to push out the ransomware binary to the IP addresses contained within the a file that was created earlier in the attack, C:\Windows\pc_list.txt.
The Black Basta ransomware is the final payload in the attack. It is designed, as most ransomware, to encrypt the files on the machine, and leave a ransom note to the user.
Once executed, the ransomware deletes the virtual shadow copies of the system using vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backup on running systems.
Ransomware commonly uses vssadmin.exe to delete shadow copies and other backups of files before encrypting the files themselves. This is another way to ensure that the victim will be forced to pay to decrypt the valuable files when they can neither be decrypted or retrieved from VSS:
The ransomware drops two files into %TEMP%: one is the icon for the encrypted files (named “fkdjsadasd.ico”) and the other is a .jpg file that will be used as a background image (named “dlaksjdoiwq.jpg”):
When the ransomware starts its encryption routine, it first changes the background image of the desktop, and simultaneously goes through the files and encrypts them.
The extension “.basta” is added to the encrypted files, and in each folder the malware drops the ransom note named “readme.txt”. The ransom note is customized to the victim and contains a unique id for the victim to use in the negotiation chat:
In early June, Black Basta added support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers. This tactic gains popularity among different ransomware gangs, since it aligns with their enterprise targeting, and it also makes it possible to take advantage of faster encryption of multiple servers with a single command. Among those gangs are: LockBit, Hive, and Cheerscrypt.
Once executed, Black Basta looks for /vmfs/volumes, and If the path doesn’t exist, the ransomware will throw an “error” - “Path not exists in this system” and exits:
The Linux version, besides the fact that it is ESXi-centric, shares many similarities with the Windows variant. Both variants displays the same message during encryption: “Done time: %.4f seconds, encrypted: %.4f gb”:
Both variants also shares the same unique strings found in Black Basta: “ERRRRRRRROr” and “Error 755”:
Both variants ransom notes (readme.txt) are the same:
Not much is known about the new Black Basta gang, as they have not begun marketing their operation or recruiting affiliates on hacking forums. However, due to their ability to quickly amass new victims, different researchers believe that it’s not their first time.
Different speculations were raised about the group, including that they are associated with the infamous Conti gang, which was later refuted by the Conti gang:
It is pretty clear that the Black Basta gang knows what they are doing, and they want to play in the “big league” of ransomware, the same league as Conti, Ryuk, REvil, BlackMatter and others. This may be perhaps the reason behind the speculation around being a rebrand of another ransomware.
Although it may be true but not proven yet, it is also reasonable to believe that they were inspired by the “successful” ransomware groups, specifically Conti, and try to follow their way. Different researchers also mentioned that there are many similarities between the two, including the appearance of the leak Tor site, the ransom note, the payment site and behavior of the support team.
The AI-driven Cybereason Defense Platform is able to prevent the execution of the Black Basta ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a MalOpTM for it:
Using the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown malware variants:
LOOKING FOR THE IOCs? CLICK ON THE CHATBOT DISPLAYED IN LOWER-RIGHT OF YOUR SCREEN FOR ACCESS or contact us for more information.
|
Initial Access |
Lateral Movement |
Execution |
Credential Access |
Discovery |
Collection |
Impact |
|
|
||||||
|
|
As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Racoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.