
Black Basta Ransomware: Why You Should Worry And How You Can Defend

What is Black Basta?

Black Basta is a ransomware-as-a-service (RaaS) operation that appeared in April 2022, although there is evidence that it had been under development since February. Black Basta operators employ a double extortion technique: they encrypt files on targeted organizations’ systems and demand a ransom for decryption, and they also maintain a dark web leak site where they threaten to publish stolen sensitive information if the ransom is not paid.

Since Black Basta emerged, its affiliates have been very active in deploying the ransomware and extorting organizations. According to the information posted on the leak site, Black Basta affiliates have compromised over 75 organizations despite having been active for only a few months.

The ransomware is written in C++ and affects both Windows and Linux systems. It encrypts users’ data with ChaCha20 and RSA-4096, and to speed up the encryption process it encrypts only 64-byte chunks, leaving 128 bytes of unencrypted data between each encrypted region. Encryption speed matters: the slower the ransomware is at compromising a system, the more likely it is that defenses will be activated before the system is fully compromised. Speed is one of the key factors affiliates look for when joining a ransomware-as-a-service operation.
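As an added illustration (not code from the page or from the malware itself), the following Python snippet shows how a forensic triage script can recognise the 64/128-byte intermittent encryption cadence described above: it compares the entropy of each 64-byte chunk with the 128-byte gap that follows it. The sample document, the SHA-256-derived keystream used to simulate the encrypted chunks, and the thresholds are constructed assumptions, not the ransomware's ChaCha20 routine.

```python
import hashlib
import math
from collections import Counter

# Cadence described in the text: 64 encrypted bytes, then 128 untouched bytes, repeated.
ENC_LEN, GAP_LEN = 64, 128
PERIOD = ENC_LEN + GAP_LEN

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stride_profile(data: bytes):
    """Mean entropy of the 64-byte chunk at each period start and of the 128-byte gaps."""
    enc, gap = [], []
    for off in range(0, len(data), PERIOD):
        head, tail = data[off:off + ENC_LEN], data[off + ENC_LEN:off + PERIOD]
        if len(head) == ENC_LEN:
            enc.append(entropy(head))
        if len(tail) == GAP_LEN:
            gap.append(entropy(tail))
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(enc), mean(gap)

def looks_intermittently_encrypted(data: bytes, min_enc=5.0, min_delta=1.0) -> bool:
    """Flag a file whose 64-byte chunks look random while the 128-byte gaps do not.
    A fully encrypted or fully plaintext file shows no such contrast and is not flagged."""
    enc_mean, gap_mean = stride_profile(data)
    return enc_mean >= min_enc and enc_mean - gap_mean >= min_delta

# Constructed sample: a low-entropy CSV-like document, 1536 bytes = 8 full periods.
PLAINTEXT = b"2022-04-01,1000.00,paid\n" * 64

def simulate_intermittent(data: bytes, key: bytes = b"constructed-key") -> bytes:
    """Test stand-in for the ransomware's file encryption (not the real ChaCha20 code):
    XOR each 64-byte chunk with a SHA-256-derived keystream, leave the 128-byte gap alone."""
    out = bytearray(data)
    for i, off in enumerate(range(0, len(out) - ENC_LEN + 1, PERIOD)):
        ks = hashlib.sha256(key + i.to_bytes(4, "little")).digest()
        ks += hashlib.sha256(ks).digest()
        out[off:off + ENC_LEN] = bytes(a ^ b for a, b in zip(out[off:off + ENC_LEN], ks))
    return bytes(out)

if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT), ("intermittent", simulate_intermittent(PLAINTEXT))):
        print(label, stride_profile(blob), looks_intermittently_encrypted(blob))
```

On a real disk image the same profile can be run over every file with the .basta extension to confirm the cadence before deciding whether partial recovery of the untouched gaps is worthwhile.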

Figure: Black Basta ransom background and note.

Figure: Black Basta ransomware blog, victim list.

Why is Black Basta so dangerous?

Besides the rapidly growing victim list and the plethora of variants, Black Basta ransomware is notable for other reasons. Among Black Basta’s victims are energy and utility companies in the US and across the globe.

Besides versions that target Windows systems, VMware ESXi variants of Black Basta have been discovered targeting Linux virtual machines as well.

Furthermore, many attacks have utilized Qakbot (also known as QBot) to spread throughout an organization, perform reconnaissance, steal data, and execute payloads.

The ransomware creates a mutex named dsajdhas.0 to ensure that only a single instance of the malware runs at a time. It then iterates through the entire file system, encrypting files and appending the .basta extension to them.

It writes <random-characters>.ico and <random-characters>.jpg files to the %TEMP% directory. The .jpg file is used to overwrite the desktop background with the ransom warning shown in the figure above.

Additionally, a group policy object is created on compromised domain controllers to disable Windows Defender and other anti-virus software.

Tactics, Techniques and Procedures

We have observed Black Basta affiliates leveraging the following TTPs:

Tactic / Technique | Notes

TA0001 Initial Access
T1566.001 Phishing: Spearphishing Attachment | Victims receive spear phishing emails with attached malicious zip files, typically password protected, that contain malicious documents (.doc, .pdf, .xls).

TA0002 Execution
T1569.002 System Services: Service Execution | Black Basta has installed and used PsExec to execute payloads on remote hosts.
T1047 Windows Management Instrumentation | Uses Invoke-TotalExec to push out the ransomware binary.
T1059.001 Command and Scripting Interpreter: PowerShell | Black Basta has used encoded PowerShell scripts to download additional scripts.

TA0003 Persistence
T1136 Create Account | Black Basta threat actors created accounts with names such as temp, r, or admin.
T1098 Account Manipulation | Added newly created accounts to the administrators group to maintain elevated access.
T1543.003 Create or Modify System Process: Windows Service | Creates benign-looking services for the ransomware binary.
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Black Basta used Qakbot, which has the ability to exploit the Windows 7 Calculator to execute malicious payloads.

TA0004 Privilege Escalation
T1484.001 Domain Policy Modification: Group Policy Modification | Black Basta can modify group policy for privilege escalation and defense evasion.
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Black Basta used Qakbot, which has the ability to exploit the Windows 7 Calculator to execute malicious payloads.
T1543.003 Create or Modify System Process: Windows Service | Creates benign-looking services for the ransomware binary.

TA0005 Defense Evasion
T1484.001 Domain Policy Modification: Group Policy Modification | Black Basta can modify group policy for privilege escalation and defense evasion.
T1218.010 System Binary Proxy Execution: Regsvr32 | Black Basta has used regsvr32.exe to execute a malicious DLL.
T1070.004 Indicator Removal on Host: File Deletion | Attempts to delete malicious batch files.
T1112 Modify Registry | Black Basta makes modifications to the Registry.
T1140 Deobfuscate/Decode Files or Information | The initial malicious .zip file bypasses some antivirus detection because it is password protected.
T1562.001 Impair Defenses: Disable or Modify Tools | Disables Windows Defender with batch scripts such as d.bat or defof.bat.
T1562.004 Impair Defenses: Disable or Modify System Firewall | Uses batch scripts such as rdp.bat or SERVI.bat to modify the firewall to allow remote administration and RDP.
T1562.009 Impair Defenses: Safe Boot Mode | Uses bcdedit to boot the device in safe mode.
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Black Basta used Qakbot, which has the ability to exploit the Windows 7 Calculator to execute malicious payloads.
T1622 Debugger Evasion | Uses IsDebuggerPresent to check whether its process is being debugged.

TA0006 Credential Access
T1555 Credentials from Password Stores | Black Basta uses Mimikatz to dump passwords.

TA0007 Discovery
T1087.002 Account Discovery: Domain Account | Used commands such as net user /domain and net group /domain.
T1016 System Network Configuration Discovery | Lists internal IP addresses to target in C:\Windows\pc_list.txt, typically found on the domain controller.
T1082 System Information Discovery | Uses GetComputerName to query the computer name.
T1622 Debugger Evasion | Uses IsDebuggerPresent to check whether its process is being debugged.

TA0008 Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol | Black Basta has used RDP for lateral movement.

TA0009 Collection
T1560.001 Archive Collected Data: Archive via Utility

TA0010 Exfiltration
T1567 Exfiltration Over Web Service

TA0011 Command and Control
T1219 Remote Access Software | Black Basta has installed and used legitimate tools such as TeamViewer and AnyConnect on targeted systems.
T1573 Encrypted Channel | Uses Qakbot primarily, and Cobalt Strike.

TA0040 Impact
T1486 Data Encrypted for Impact | Black Basta modifies the desktop background by adding a .jpg in C:\Temp and creating a registry key under HKCU\Control Panel\Desktop, and additionally modifies the registry to change the icon of encrypted files. It encrypts files excluding those with a .exe, .cmd, .bat or .com extension, using ChaCha20 and RSA-4096.
T1489 Service Stop | Uses sc stop and taskkill to stop services.
T1490 Inhibit System Recovery | Black Basta deletes Volume Shadow Copies using vssadmin.

Table 1. Tactics, techniques and procedures for Black Basta activity.
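As an added example (not part of the original page), the following Python snippet turns several of the command-line procedures from Table 1 into simple detection rules and runs them over a few constructed process-creation events to surface hosts that show more than one technique. The regular expressions, the host|user|command event format and the sample events are this example's own assumptions, not NetSecurity's or any product's rules.

```python
import re
from collections import defaultdict

# Command-line patterns for Black Basta procedures listed in Table 1 (case-insensitive).
# The ATT&CK IDs come from the table; the regexes are this example's own approximations.
RULES = [
    ("T1490",     r"vssadmin(\.exe)?\s+delete\s+shadows"),           # vssadmin shadow deletion
    ("T1562.009", r"bcdedit(\.exe)?\s.*\bsafeboot\b"),               # bcdedit safe boot
    ("T1087.002", r"\bnet(1)?(\.exe)?\s+(user|group)\b.*\s/domain\b"),  # net user/group /domain
    ("T1489",     r"\b(sc(\.exe)?\s+stop|taskkill(\.exe)?\s)"),      # sc stop / taskkill
    ("T1218.010", r"\bregsvr32(\.exe)?\s.*\.dll\b"),                 # regsvr32 loading a DLL
    ("T1569.002", r"\bpsexec(64)?(\.exe)?\b"),                       # PsExec remote execution
    ("T1562.001", r"\b(d|defof)\.bat\b"),                            # Defender-disabling scripts
    ("T1562.004", r"\b(rdp|servi)\.bat\b"),                          # firewall/RDP scripts
    ("T1555",     r"\bmimikatz\b|sekurlsa::"),                       # Mimikatz credential dumping
]
COMPILED = [(tid, re.compile(p, re.IGNORECASE)) for tid, p in RULES]

def match_techniques(cmdline: str) -> list:
    """Return the ATT&CK technique IDs whose pattern matches one command line."""
    return [tid for tid, rx in COMPILED if rx.search(cmdline)]

def triage(events):
    """Group matches per host. Each event is 'host|user|command line' (constructed format).
    Returns {host: sorted unique technique IDs}."""
    hits = defaultdict(set)
    for line in events:
        host, _user, cmd = line.split("|", 2)
        hits[host].update(match_techniques(cmd))
    return {h: sorted(t) for h, t in hits.items()}

def suspected_hosts(events, min_techniques=2):
    """Hosts showing at least two distinct techniques, i.e. a chain rather than one stray hit."""
    return sorted(h for h, t in triage(events).items() if len(t) >= min_techniques)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "DC01|CORP\\admin|C:\\Windows\\System32\\net.exe user /domain",
    "DC01|CORP\\admin|cmd.exe /c C:\\Temp\\defof.bat",
    "DC01|CORP\\admin|vssadmin.exe Delete Shadows /All /Quiet",
    "FS02|CORP\\svc_backup|C:\\Tools\\PsExec64.exe \\\\FS03 -s cmd.exe",
    "FS02|CORP\\svc_backup|bcdedit /set {default} safeboot network",
    "WS17|CORP\\jdoe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "WS17|CORP\\jdoe|taskkill /IM notepad.exe",   # a lone hit that stays below the threshold
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```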

How to Stay Protected from Black Basta Ransomware?

There are several ways that individuals and organizations can protect themselves against Black Basta and other types of ransomware. One of the most effective is to regularly back up important data to an external hard drive or a cloud-based storage service, so that if data is encrypted or lost to ransomware it can be restored from the backup. Other protective measures include deploying state-of-the-art endpoint protection software such as ThreatResponder.

NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks.

It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss army knife for forensic investigators, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.

Indicators of compromise (IOCs)

For QAKBOT-related samples:


Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).