Black Basta ransomware is mutating, and this has several implications

By Prayukth K V
June 29, 2022
Black Basta ransomware is mutating

New variants of the Black Basta ransomware are now emerging in the wild and routinely turning up in our global honeypots. According to online reports, Black Basta has managed to make many victims pay a ransom across US, Singapore, UAE, UK, India, and Australia since it was first discovered in the wild in February 2022. 

Its emergence as a massive threat within just 2 months of its launch points to a new trend. Hackers are betting on faster hit-and-run tactics to draw large sums of money as ransom within a short period of time, sell the code to other groups and move on (either to develop new malware or for an extended vacation). The malware development and release cycles have been shrunk in response to law enforcement agencies targeting third-party platforms involved in money laundering and the conversion of cryptocurrencies. As law enforcement agencies are tracking the movement of money, hackers are aware that they have less time to encash their stolen wealth and exit the ecosystem.

Also read: How to get started with OT security

Black Basta is targeting a wide range of victims across verticals such as manufacturing, transportation, utilities, maritime, and government agencies. It has also been associated with at least one phishing campaign targeting oil and gas pipeline companies based in Europe.

Discovering multiple Black Basta variants

Sectrio’s threat research team has discovered multiple Black Basta variants including 2 which seemed to have been developed exclusively for ransomware-as-a-service end-use (with two back doors). The RaaS version has extensively targeted corporate networks and sensitive data and access credentials. Data is first exfiltrated and then the encryption process is initiated. A newer variant released in late May is targeting virtual machines running on Linux servers. This variant works to encrypt multiple servers instantly by searching for /vmfs/volumes or locations housing VMs within these servers.      

The list of victims is published on a blog site (Basta news) maintained by the actors behind this ransomware. While the overall operations seem to be copied from the playbooks of threat actors such as the notorious Conti ransomware group, the emergence of multiple variants indicates ongoing research designed to develop more potent variants to meet specific end-user requirements of hackers.

Also Read: Complete Guide to Cyber Threat Intelligence Feeds

A glut of new variants could also confuse threat detection engines and threat researchers. We suspect that the Basta group has already moved on from this ransomware and that the development work has been subcontracted to other groups for a commission or other considerations.    

After multiple cycles of variations (some of which could be AI-driven), the ransomware will be completely unrecognizable and may slip through existing signature-based detection mechanisms. If such updates are then passed on to other variants, then the detection challenge will grow exponentially and single ransomware can bring many industries and agencies to a complete halt if adequate cybersecurity measures are not already in place.    

To find out if your IoT, OT, and IT deployments are secure and protected from Black Basta and other potent ransomware, schedule a comprehensive threat assessment program with Sectrio.

Comprehensive Asset Discovery with Vulnerability and Threat Assessment
Book a comprehensive threat assessment with Sectrio

Book a demo now to see our IoT-OT-IT converged cybersecurity solution in action

Key Points

Get the latest news and insights beamed directly to you


    Key Points

    Get the latest news and insights beamed directly to you


      Black Basta ransomware is mutating

      Read More

      Protecting your critical assets is only a few steps away

      Scroll to Top