Ransomware Spotlight: Black Basta
- External data reports that a user named “Black Basta” posted on underground forums seeking corporate network access credentials, offering a share of the profit from their attacks as payment. These reports are supported by the fact that a unique ID is hard-coded in each Black Basta build, which could also mean that the ransomware gang does not distribute its malware sporadically.
- Our internal telemetry shows another set of samples, which were monitored within a 72-hour time frame, that were using Qakbot. The malware is downloaded and executed from a malicious Excel file and then executes certain PowerShell commands as part of its staging phase
- Black Basta uses PowerShell scripts to scan information about the compromised system or network.
- It uses Qakbot’s and Cobeacon’s information-gathering capabilities to scan the compromised system or network.
- It uses third-party tools such as Netcat to scan the compromised system or network.
- Black Basta uses a batch script containing PowerShell commands to disable antimalware applications.
- It uses Group Policy Objects (GPOs) to disable Windows Defender and Security Center.
- It reboots the victim’s computer in safe mode to circumvent any antimalware applications.
- Black Basta exploits the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged operations and deliver the Cobalt Strike beacon (aka Cobeacon) or other payloads.
- Black Basta uses Mimikatz to dump credentials.
- Black Basta uses different tools and pieces of malware to spread its ransomware to other remote systems in the network:
- Windows Management Instrumentation (WMI)
- Black Basta uses Cobeacon to exfiltrate the stolen data on an established command-and-control (C&C) server.
- It uses Rclone to exfiltrate data from compromised systems.
- Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.
- Multiple builds of Black Basta ransomware have been found in the wild
- One build restarts the victim’s system in safe mode, most likely for evasion purposes, before performing encryption. This build also modifies the “Fax” service to enable it to run in safe mode and with service-level access.
- Another build contains only the ransomware’s core capabilities, such as wallpaper defacement, file encryption, and deletion of shadow copies.
- A newly found build has a new addition: the -bomb argument, which theoretically allows the ransomware to automatically target all connected machines for encryption.
- The Linux build of the ransomware targets the folder /vmfs/volumes, where images from virtual machines are contained, for encryption. To encrypt other folders, the ransomware actors include the -forcepath argument.
- Black Basta displays a ransomware note as the victim’s wallpaper directing them to a .txt file with more details.
Other technical details
- Black Basta avoids encrypting files in these folders:
- Local Settings
- Application Data
- It avoids encrypting files with these strings in their file names:
- readme.txt (the ransom note)
- dlaksjdoiwq.jpg (a desktop wallpaper found in the %TEMP% folder)
- fkdjsadasd.ico (an icon used for encrypted files, found in the %TEMP% folder)
- It drops a ransom note as a .txt file in an encrypted folder in the victim’s machine.
Figure 9. An example of the contents of the ransom note .txt file
MITRE ATT&CK tactics and techniques
|Initial access||Execution||Privilege escalation||Defense evasion||Credential access||Discovery||Lateral movement||Exfiltration||Impact|
T1078 - Valid accounts
T1566.001 - Phishing: Spear-phishing attachment
T1059.003 - Command and scripting interpreter
T1569.002 - System services: Service execution
T1047 - Windows Management Instrumentation
T1068 - Exploitation for privilege escalation
T1112 - Modify registry
T1484.001 - Domain policy modification: Group policy modification
T1562.001 - Impair defenses: Disable or modify tools
T1562.009 - Impair defenses: Safe mode boot
T1620 - Reflective code loading
T1003 - OS credential dumping
T1082 - System information discovery
T1018 - Remote system discovery
T1083 - File and directory discovery
T1570 - Lateral tool transfer
T1021.001 - Remote services: Remote Desktop Protocol
T1041 - Exfiltration over C&C channel
T1567 - Exfiltration over web service
T1490 - Inhibit system recovery
T1489 - Service stop
T1486 - Data encrypted for impact
Encrypts files and adds the extension “.basta”.
T1491 - Defacement
Summary of tools, exploit, and other malware used
Security teams can keep an eye out for the presence of these tools, exploit, and other malware that are typically used in Black Basta’s ransomware attacks:
|Initial access||Discovery||Privilege escalation||Credential access||Lateral movement||Execution||Exfiltration||Command and control||Impact|
Security researchers have speculated that Black Basta might be an offshoot of the infamous Conti ransomware gang. It has also exhibited similarities to the Black Matter ransomware gang, including a resemblance between their respective leak sites. Its possible connection to these ransomware groups might explain the high level of in-house expertise behind Black Basta’s attacks.
In defending systems against threats like Black Basta, organizations can benefit from establishing security frameworks that can allocate resources systematically for establishing solid defenses against ransomware. Here are some best practices that can be included in these frameworks:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Make an audit of event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, backup, and recovery measures.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Detect early signs of an attack such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises:
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
- Trend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of compromise (IOCs)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report