Sectrio

Unmasking Black Basta: A Closer Look at the Notorious Ransomware Group

By admin
June 20, 2023

The Black Basta threat actor is a sophisticated cyber threat group that has emerged in recent years, targeting organizations across multiple industries. Its primary objective is to gain unauthorized access to targeted networks and exfiltrate sensitive information for intelligence gathering or financial gain. The group is known to engage in long-term campaigns, establishing a persistent presence within victim networks to maintain access and conduct further malicious activities.

Tactics and Techniques:

The Black Basta threat actor employs a range of sophisticated tactics and techniques to achieve its objectives, including:

  • Spear Phishing
  • Exploitation of Zero-Day Vulnerabilities
  • Custom Malware
  • Lateral Movement

Countermeasures:

  • Employee Awareness and Training
  • Patch Management
  • Network Segmentation
  • Advanced Threat Detection
  • Incident Response Readiness

This report is collective research based on resources published by Trend Micro, BlackBerry, Palo Alto Networks, Bleeping Computer, SOCRadar, DXC Technology and others.


Who is Black Basta?

Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation.

The group is known for using phishing emails and malicious attachments to deliver ransomware to their victims, and they have targeted organizations in a variety of industries.

The group uses a double extortion tactic: it encrypts the victim’s critical data and vital servers and threatens to publish sensitive data on the group’s public leak site.

Black Basta is believed to be a Russian-speaking group. Its core membership is assumed to have spawned from the defunct Conti threat actor group, due to similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery. In addition to these similarities, there have been some reports that Black Basta members have been using Conti-related code in their ransomware attacks. This suggests that there may be some overlap between the two groups, either in terms of membership or collaboration.

ABB Ransomware

On May 7th, 2023, the Swiss multinational corporation ABB was hit by a ransomware attack conducted by the Black Basta ransomware gang, a threat actor that first came into sight in April 2022.

The Black Basta group used a phishing email to deliver the ransomware to an ABB employee. The employee clicked on the malicious attachment, which installed the ransomware on their computer. The ransomware then spread to other computers in ABB’s network, encrypting files on hundreds of devices.

The attack affected the company’s Windows Active Directory and hundreds of devices across multiple locations.

ABB terminated VPN connections with its customers to contain the ransomware attack and prevent it from spreading to other networks.

History of Attacks by Black Basta

Figure: distribution by country of Black Basta’s victim organizations from April 1 to July 31, 2022 (chart of Black Basta targets by country).

Analysis

Black Basta Ransomware Malware

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The ransomware also attempts to delete shadow copies and other backups of files using vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.
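As an added defensive example (not code from the article or from any of the cited vendors), the following Python triages constructed process-creation events for the vssadmin.exe shadow-copy deletion described above. The field names follow Sysmon Event ID 1; the sample paths, users and command lines are invented.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str

# Matches the vssadmin verb pair that removes restore points, the behaviour the article
# attributes to Black Basta (MITRE ATT&CK T1490, Inhibit System Recovery).
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# A parent process living in a user-writable location is the strongest signal.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

def is_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """True when vssadmin.exe (any path, any casing) is told to delete shadow copies."""
    if ntpath.basename(ev.image).lower() != "vssadmin.exe":
        return False
    return DELETE_SHADOWS.search(ev.command_line) is not None

def triage(events):
    """Return one alert per shadow-copy deletion, rated by where the parent process lives."""
    alerts = []
    for ev in events:
        if not is_shadow_copy_deletion(ev):
            continue
        parent = ev.parent_image.lower()
        from_user_path = any(marker in parent for marker in USER_WRITABLE)
        alerts.append({
            "user": ev.user,
            "parent": ev.parent_image,
            # Backup agents legitimately rotate shadow copies, so a system-path parent is
            # "medium" for analyst review; a parent under a user-writable path is "high".
            "severity": "high" if from_user_path else "medium",
            "quiet": "/quiet" in ev.command_line.lower(),
        })
    return alerts

# Constructed sample events (Sysmon Event ID 1 fields); paths and users are invented.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
                 r"C:\Windows\System32\cmd.exe", r"CORP\backupsvc"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet",
                 r"C:\Users\jdoe\AppData\Local\Temp\update.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\SysWOW64\vssadmin.exe", r'"C:\Windows\SysWOW64\vssadmin.exe" delete shadows /for=C:',
                 r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
]
```

Running `triage(SAMPLE_EVENTS)` yields two alerts: the deletion launched from a Temp directory is rated high, the one launched from cmd.exe as SYSTEM is rated medium for review, and the benign `list shadows` call is ignored.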

Black Basta Attack Chain

Figure: Black Basta attack chain diagram.

Tactics, Techniques and Procedures

  • Initial Access: Valid Accounts; Phishing
  • Execution: Command and Scripting Interpreter; System Services; Windows Management Instrumentation
  • Privilege Escalation: Exploitation for Privilege Escalation
  • Defense Evasion: Modify Registry; Domain Policy Modification; Impair Defenses; Reflective Code Loading
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery; Remote System Discovery; File and Directory Discovery
  • Lateral Movement: Lateral Tool Transfer; Remote Services
  • Exfiltration: Exfiltration Over C&C Channel; Exfiltration Over Web Service
  • Impact: Inhibit System Recovery; Service Stop; Data Encrypted for Impact; Defacement

Technical Analysis

The Black Basta Ransomware, upon successfully executing its malicious payload on the compromised system, alters the desktop wallpaper to display a customized image associated with the ransomware’s activities.

Figure: Black Basta screenshot of encrypted files and replaced wallpaper.

The Black Basta ransomware also drops a text file (the ransom note) as part of its activity. This file contains the login ID that the affected company uses to establish a connection with the ransomware group, through which ransom payment is arranged and negotiations for the retrieval or release of the compromised data are initiated.

Figure: Black Basta dropped ransom note.

Dark Web Analysis

Black Basta maintains dedicated dark web pages through which they establish communication channels with victims for the purpose of negotiating ransom payments.

Figures: Black Basta negotiation dark web page; Black Basta chat screenshot; Black Basta screenshot of encrypted files; Black Basta leaks dark web page; Black Basta contact form.

Security Recommendation

To defend against the Black Basta threat actor and mitigate the risk of its attacks, organizations are advised to consider the following countermeasures:

  • Employee Awareness and Training: Educate employees about the risks of phishing attacks and social engineering techniques. Regular training sessions and awareness campaigns can help reduce the likelihood of successful spear phishing attempts.
  • Patch Management: Maintain a robust patch management process to promptly apply software updates and security patches. Regularly patching vulnerabilities can significantly reduce the risk of exploitation by the Black Basta threat actor.
  • Network Segmentation: Implement network micro-segmentation to limit the lateral movement of attackers within the network. This helps contain potential breaches and prevents unauthorized access to critical systems and data.
  • Advanced Threat Detection: Deploy advanced threat detection solutions, including intrusion detection and prevention systems (IDPS), endpoint protection, and security analytics platforms. These tools can help identify and block suspicious activities associated with the Black Basta threat actor.
  • Incident Response Readiness: Establish an effective incident response plan that includes clear roles, responsibilities, and procedures for handling security incidents. Regularly test and update the plan to ensure it remains effective against evolving threats.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence through established channels. Sharing insights and indicators of compromise (IOCs) can help organizations collectively defend against the Black Basta threat actor and other threat actors.
  • Strong Access Controls: Implement robust access controls, including strong authentication mechanisms, privileged access management, and least privilege principles. Restricting access to sensitive systems and data reduces the attack surface available to the Black Basta threat actor.
  • Endpoint Protection: Deploy comprehensive endpoint protection solutions that include antivirus, anti-malware, and host-based intrusion detection systems (HIDS). Regularly update and monitor endpoint security to detect and mitigate potential threats.
  • Network Monitoring and Logging: Maintain comprehensive network monitoring and logging capabilities to capture and analyze network traffic, system logs, and security events. Timely detection and analysis of suspicious activities can help identify potential Black Basta threat actor activity.
  • Encryption and Data Protection: Implement strong encryption for sensitive data, both in transit and at rest. Use encryption protocols and technologies to protect data integrity and confidentiality, reducing the impact of potential data breaches.
  • Regular Security Assessments: Conduct regular security assessments, penetration testing, and vulnerability scans to identify and address any weaknesses or vulnerabilities that could be exploited by the Black Basta threat actor. Regular assessments help ensure ongoing security readiness.

This article is attributed to Vikas Karunakarn, Aditya Kirit Katpara, Akshay Jambagi & Dipanjali Rani from Sectrio’s threat research team.


Reference:

  • https://dxc.com/us/en/insights/perspectives/report/dxc-security-threat-intelligence-report/june-2022/black-basta-ransomware-emerges
  • https://socradar.io/dark-web-profile-black-basta-ransomware/
  • https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/
  • https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
  • https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/black-basta-ransomware-gang-infiltrates-networks-via-qakbot,-brute-ratel-and-cobalt-strike/ioc-black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-cobalt-strike.txt
