- Ransomware Spotlight: Black Basta
In this section, we discuss Trend Micro™ Smart Protection Network™ data on Black Basta’s activity from April 1 to July 31, 2022, which refers to detections of the ransomware’s attempts to compromise organizations.
Just two countries accounted for over half of the group’s 44 ransomware attack attempts during this period, which were concentrated in the US at 43%, with Austria a distant second at 15%. As Black Basta has sought to purchase network access credentials for organizations located specifically in the US, among other countries, this may explain the higher number of attacks against US-based businesses.
Figure 1. The countries with the most Black Basta ransomware attack attempts in terms of infected machines from April 1 to July 31, 2022
Source: Trend Micro™ Smart Protection Network™
As of this writing, our detections show that Black Basta activity is spread across many different industries. The group has been observed targeting businesses involved in technology, insurance, manufacturing, and utilities.
Although Black Basta is a relatively new arrival to the ransomware scene, its detections have been on a steady climb since the ransomware gang surfaced in April, peaking at 22 attack attempts in June before tapering down to 11 the following month.
Figure 2. The numbers of detections of Black Basta ransomware attack attempts in terms of infected machines in each month from April 1 to July 31, 2022
Source: Trend Micro Smart Protection Network
In this section, we look into the attacks recorded on the Black Basta group’s leak site, which represent successfully compromised organizations that, as of this writing, have refused to pay ransom. Our detections, which pertain to Trend Micro customers, captured only a fraction of the victims found in Black Basta’s leak site. Trend Micro’s open-source intelligence (OSINT) research and investigation of the site show that from April 1 to July 31, 2022, the group compromised a total of 80 organizations.
The bulk of Black Basta’s victims were based in North America, which had a victim count of 44, followed by Europe and the Asia-Pacific. More specifically, the US was at the receiving end of most of the attacks, with 38 affected organizations. Many confirmed ransomware attacks also took place in Germany, with 19 victims.
Figure 3. The distribution by region of Black Basta’s victim organizations from April 1 to July 31, 2022
Sources: Black Basta’s leak site and Trend Micro’s OSINT research
Figure 4. The distribution by country of Black Basta’s victim organizations from April 1 to July 31, 2022
Sources: Black Basta’s leak site and Trend Micro’s OSINT research
Black Basta’s attacks affected a variety of organizations. Construction businesses topped the list with a victim count of 10, while businesses involved in professional services came in second with nine victims. Medium-size organizations made up the lion’s share of recorded Black Basta victims.
Figure 5. The distribution by industry of Black Basta’s victim organizations from April 1 to July 31, 2022
Sources: Black Basta’s leak site and Trend Micro’s OSINT research
Figure 6. The distribution by organization size of Black Basta’s victim organizations from April 1 to July 31, 2022
Sources: Black Basta’s leak site and Trend Micro’s OSINT research
As Black Basta’s operations are based on the RaaS model, its infection chain might vary depending on the target. The infection chain illustrated below details the variety of tactics and tools the group uses.
Figure 7. Black Basta’s infection chain
Figure 9. An example of the contents of the ransom note .txt file
Tactic | Techniques
---|---
Initial access | T1078 - Valid accounts; T1566.001 - Phishing: Spear-phishing attachment
Execution | T1059.003 - Command and scripting interpreter; T1569.002 - System services: Service execution; T1047 - Windows Management Instrumentation
Privilege escalation | T1068 - Exploitation for privilege escalation
Defense evasion | T1112 - Modify registry; T1484.001 - Domain policy modification: Group policy modification; T1562.001 - Impair defenses: Disable or modify tools; T1562.009 - Impair defenses: Safe mode boot; T1620 - Reflective code loading
Credential access | T1003 - OS credential dumping
Discovery | T1082 - System information discovery; T1018 - Remote system discovery; T1083 - File and directory discovery
Lateral movement | T1570 - Lateral tool transfer; T1021.001 - Remote services: Remote Desktop Protocol
Exfiltration | T1041 - Exfiltration over C&C channel; T1567 - Exfiltration over web service
Impact | T1490 - Inhibit system recovery; T1489 - Service stop; T1486 - Data encrypted for impact (encrypts files and adds the extension “.basta”); T1491 - Defacement
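The following detection sketch is an added example, not code from Trend Micro or from the Black Basta research above. It shows how a security team could turn three rows of the table into alerts over endpoint telemetry: mass renames to the “.basta” extension (T1486, the one concrete indicator the page gives), plus generic, widely documented command-line patterns for shadow-copy deletion (T1490) and safe-mode boot configuration (T1562.009). The pipe-delimited log format, the host and process names, the sample events, the 20-renames-in-60-seconds threshold, and the assumption that these command patterns are what T1490/T1562.009 look like in telemetry are all constructed for the example; the page does not state the exact commands the group runs.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", ["technique", "host", "process", "evidence"])

# Generic command-line indicators for the ATT&CK techniques in the table.
# Assumption: these are textbook patterns for T1490 / T1562.009 in general,
# not a claim about the exact commands Black Basta uses.
COMMAND_RULES = [
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.009", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
]
# The page states that encrypted files receive the ".basta" extension (T1486).
BASTA_EXT = re.compile(r"\.basta$", re.I)


def parse_line(line):
    """Parse one constructed 'timestamp|host|process|event|detail' record."""
    ts, host, proc, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": proc, "event": event, "detail": detail}


def detect(lines, window=timedelta(seconds=60), rename_threshold=20):
    """Return Alerts for command-line rules and for bursts of .basta renames."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    rename_times = defaultdict(list)  # (host, process) -> rename timestamps

    for e in events:
        if e["event"] == "process_create":
            for technique, pattern in COMMAND_RULES:
                if pattern.search(e["detail"]):
                    alerts.append(Alert(technique, e["host"], e["process"], e["detail"]))
        elif e["event"] == "file_rename":
            # detail is "old_path -> new_path"; only the destination matters here
            destination = e["detail"].split(" -> ")[-1]
            if BASTA_EXT.search(destination):
                rename_times[(e["host"], e["process"])].append(e["ts"])

    # Sliding window per (host, process): fire once when the burst is large enough.
    for (host, proc), times in rename_times.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= rename_threshold:
                alerts.append(Alert("T1486", host, proc,
                                    f"{count} renames to .basta within {int(window.total_seconds())}s"))
                break
    return alerts


def techniques_seen(lines, **kwargs):
    """Sorted list of distinct technique IDs that fired for the given log lines."""
    return sorted({a.technique for a in detect(lines, **kwargs)})


# Constructed sample telemetry (hosts, processes and paths are invented).
SUSPICIOUS_LINES = [
    "2022-06-14T09:00:01|ws-17|svc_update.exe|process_create|vssadmin.exe delete shadows /all /quiet",
    "2022-06-14T09:00:02|ws-17|svc_update.exe|process_create|bcdedit.exe /set safeboot network",
    "2022-06-14T09:00:03|ws-17|svc_update.exe|file_rename|C:\\share\\old.log -> C:\\share\\old.log.bak",
] + [
    f"2022-06-14T09:00:{5 + i:02d}|ws-17|svc_update.exe|file_rename|C:\\share\\doc{i}.docx -> C:\\share\\doc{i}.docx.basta"
    for i in range(25)
]
BENIGN_LINES = [
    "2022-06-14T09:00:01|ws-02|explorer.exe|process_create|notepad.exe C:\\Users\\b\\notes.txt",
    "2022-06-14T09:00:04|ws-02|backup.exe|file_rename|C:\\data\\db.mdb -> C:\\data\\db.mdb.bak",
    "2022-06-14T09:00:09|ws-02|backup.exe|process_create|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for alert in detect(SUSPICIOUS_LINES):
        print(alert)
    print("benign host alerts:", detect(BENIGN_LINES))
```

The rename burst rule is keyed on (host, process) so that a backup job renaming files to its own extension on another host never contributes to the count, and `vssadmin list shadows` is deliberately left unmatched: the rule looks for the destructive verb, not for the tool name alone. Threshold and window are parameters because the right values depend on how noisy file-rename telemetry is in a given environment.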
Security teams can keep an eye out for the presence of these tools, exploits, and other malware that are typically used in Black Basta’s ransomware attacks:
Initial access | Discovery | Privilege escalation | Credential access | Lateral movement | Execution | Exfiltration | Command and control | Impact |
---|---|---|---|---|---|---|---|---|
Security researchers have speculated that Black Basta might be an offshoot of the infamous Conti ransomware gang. It has also exhibited similarities to the Black Matter ransomware gang, including a resemblance between their respective leak sites. Its possible connection to these ransomware groups might explain the high level of in-house expertise behind Black Basta’s attacks.
In defending systems against threats like Black Basta, organizations can benefit from establishing security frameworks that can allocate resources systematically for establishing solid defenses against ransomware. Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises:
The indicators of compromise (IOCs) for the threat discussed in this article can be found here. Actual indicators might vary per attack.