The Black Basta threat actor is a sophisticated cyber threat group that has emerged in recent years, targeting organizations across multiple industries. Its primary objective is to gain unauthorized access to targeted networks and exfiltrate sensitive information for intelligence gathering or financial gain. The group is known to run long-term campaigns, establishing a persistent presence within victim networks to maintain access and conduct further malicious activity.
Tactics and Techniques:
The Black Basta threat actor employs a range of sophisticated tactics and techniques to achieve its objectives, including:
- Spear Phishing
- Exploitation of Zero-Day Vulnerabilities
- Custom Malware
- Lateral Movement
The countermeasures recommended later in this report include:
- Employee Awareness and Training
- Patch Management
- Network Segmentation
- Advanced Threat Detection
- Incident Response Readiness
This report is collective research based on resources published by Trend Micro, BlackBerry, Palo Alto Networks, BleepingComputer, SOCRadar, DXC Technology and others.
Who is Black Basta?
Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and quickly became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation.
The group is known for using phishing emails and malicious attachments to deliver ransomware to their victims, and they have targeted organizations in a variety of industries.
The group practises double extortion: it encrypts the victim’s critical data and vital servers and threatens to publish sensitive data on its public leak site.
Black Basta is believed to be a Russian-speaking group. Its core membership is assumed to have spawned from the defunct Conti threat actor group, given similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery. In addition, some reports indicate that Black Basta members have used Conti-related code in their ransomware attacks. This suggests some overlap between the two groups, either in membership or through collaboration.
On May 7th, 2023, the Swiss multinational corporation ABB was hit by a ransomware attack conducted by the Black Basta ransomware gang, a threat actor first seen in April 2022.
The Black Basta group used a phishing email to deliver the ransomware to an ABB employee. The employee clicked on the malicious attachment, which installed the ransomware on their computer. The ransomware then spread to other computers in ABB’s network, encrypting files on hundreds of devices.
The attack affected the company’s Windows Active Directory and hundreds of devices across multiple locations.
ABB terminated VPN connections with its customers to contain the ransomware attack and prevent it from spreading to other networks.
History of Attacks by Black Basta
Figure: distribution by country of Black Basta’s victim organizations, April 1 to July 31, 2022.
Black Basta Ransomware Malware
The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The ransomware also attempts to delete shadow copies and other backups of files using vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.
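The 64-byte/128-byte layout described above means roughly two thirds of every large file is left in plaintext, so a whole-file entropy check may not notice the damage. The following is an added example, not code from the article or from any Black Basta sample: it computes how many bytes that layout touches for a given file size and detects the resulting periodic high/low entropy pattern. The fixture generator substitutes seeded pseudo-random bytes for ciphertext and performs no encryption; the assumption that the first encrypted region starts at file offset 0 is mine, not a statement from the article.

```python
"""
Added example, not code from the original article or from any Black Basta
sample: a detector for the intermittent encryption layout described above
(64 encrypted bytes followed by 128 untouched bytes, repeating).

The fixture generator substitutes seeded random bytes for ciphertext. It
performs no encryption; it only reproduces the on-disk layout so the
detection logic can be exercised offline on a constructed input.
"""
import math
import random

ENC_CHUNK = 64                    # bytes encrypted per region (from the article)
SKIP_CHUNK = 128                  # bytes left untouched between regions (from the article)
STRIDE = ENC_CHUNK + SKIP_CHUNK   # one 192-byte period


def encrypted_byte_count(size: int) -> int:
    """Bytes of a `size`-byte file the 64/128 layout would encrypt.
    Assumes the first region starts at offset 0 (an assumption, not stated
    in the article); about one third of every large file is touched."""
    full, rem = divmod(size, STRIDE)
    return full * ENC_CHUNK + min(rem, ENC_CHUNK)


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte of `block` (0.0 for empty input, at most 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sample_plaintext() -> bytes:
    """Constructed low-entropy 'document' used as the clean baseline."""
    return (b"Quarterly report: revenue up 12 percent. " * 60)[:2000]


def make_fixture(plaintext: bytes, seed: int = 1) -> bytes:
    """Constructed fixture: overwrite the first ENC_CHUNK bytes of every STRIDE
    with seeded pseudo-random bytes, mimicking the layout (no real cipher)."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for start in range(0, len(out), STRIDE):
        end = min(start + ENC_CHUNK, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


def intermittent_score(data: bytes, margin: float = 1.0) -> float:
    """Fraction of full 192-byte periods whose leading 64 bytes are at least
    `margin` bits/byte more entropic than the 128 bytes that follow them.
    A periodic high/low pattern at exactly this stride is the signal that a
    whole-file entropy check misses, since most bytes are still plaintext."""
    periods = len(data) // STRIDE
    if periods == 0:
        return 0.0
    hits = 0
    for i in range(periods):
        start = i * STRIDE
        enc_part = data[start:start + ENC_CHUNK]
        plain_part = data[start + ENC_CHUNK:start + STRIDE]
        if shannon_entropy(enc_part) - shannon_entropy(plain_part) >= margin:
            hits += 1
    return hits / periods


def looks_intermittently_encrypted(data: bytes, min_score: float = 0.8) -> bool:
    """True when most periods show the 64-high/128-low entropy pattern."""
    return intermittent_score(data) >= min_score


if __name__ == "__main__":
    clean = sample_plaintext()
    hit = make_fixture(clean)
    print("encrypted bytes in a 2000-byte file:", encrypted_byte_count(len(clean)))
    print("clean score:", round(intermittent_score(clean), 2))
    print("fixture score:", round(intermittent_score(hit), 2))
```

The check only works where the untouched bytes are low-entropy: archives, media and already-encrypted files show no contrast between regions, so it complements rather than replaces monitoring of file-modification rates and process behaviour.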
Black Basta Attack Chain
Figure: Black Basta attack chain diagram.
Tactics, Techniques and Procedures
- Command and scripting interpreter
- Windows Management Instrumentation
- Exploitation for privilege escalation
- Domain policy modification
- Reflective code loading
- OS credential dumping
- System information discovery
- Remote system discovery
- File and directory discovery
- Lateral tool transfer
- Exfiltration over C&C channel
- Exfiltration over web service
- Inhibit system recovery
- Data encrypted for impact
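The "Inhibit system recovery" step listed above corresponds to the vssadmin.exe shadow-copy deletion described in the malware section. As an added example (not code from the article or from any of its sources), the following detection logic flags that behaviour in process-creation records. The pipe-delimited log format, hostnames, user names and timestamps are constructed for this example; in production the same fields come from Sysmon Event ID 1 or Windows Security event 4688.

```python
"""
Added example, not code from the original article: flag shadow-copy
deletion via vssadmin.exe in process-creation records (the 'Inhibit system
recovery' TTP). The record format and all sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed records: "timestamp|host|user|image|command line".
# Record 3 shows why the rule inspects the command line and not only the
# image: the same action launched through cmd.exe would otherwise be missed.
SAMPLE_LOG = """\
2023-01-15T02:11:09Z|WS-0142|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2023-01-15T02:14:51Z|WS-0142|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-01-15T02:14:52Z|WS-0142|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "VSSADMIN.EXE Delete Shadows /All /Quiet"
2023-01-15T02:15:03Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe create shadow /for=C:
2023-01-15T02:16:40Z|WS-0142|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    evidence: str


# vssadmin invoked with a "delete ... shadows" verb, case-insensitive.
# Legitimate "list shadows" / "create shadow" usage does not match.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse pipe-delimited records; malformed lines are skipped, not fatal."""
    events: List[ProcessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        events.append(ProcessEvent(*parts))
    return events


def detect_shadow_deletion(events: List[ProcessEvent]) -> List[Alert]:
    """One alert per process-creation record whose command line deletes
    shadow copies, regardless of which image launched it."""
    alerts: List[Alert] = []
    for ev in events:
        if SHADOW_DELETE.search(ev.command_line):
            alerts.append(Alert(
                timestamp=ev.timestamp,
                host=ev.host,
                user=ev.user,
                rule="Inhibit system recovery: vssadmin shadow copy deletion",
                evidence=ev.command_line,
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(parse_log(SAMPLE_LOG)):
        print(f"{alert.timestamp} {alert.host} {alert.user}: {alert.rule} <- {alert.evidence}")
```

Shadow-copy deletion immediately before mass file modification is a strong ransomware precursor, so an alert on this rule should be triaged at high priority; the backup service account in record 4 shows the kind of legitimate VSS activity the verb match is designed to leave alone.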
The Black Basta Ransomware, upon successfully executing its malicious payload on the compromised system, alters the desktop wallpaper to display a customized image associated with the ransomware’s activities.
The Black Basta ransomware is also known to drop a text file on the compromised system. This file contains the login ID that enables the affected company to establish a connection with the ransomware group, in order to facilitate ransom payment and initiate negotiations for the potential retrieval or release of the compromised data.
Dark Web Analysis
Black Basta maintains dedicated dark web pages through which they establish communication channels with victims for the purpose of negotiating ransom payments.
To defend against the Black Basta threat actor and mitigate the risk of their attacks, organizations are advised to consider the following countermeasures:
- Employee Awareness and Training: Educate employees about the risks of phishing attacks and social engineering techniques. Regular training sessions and awareness campaigns can help reduce the likelihood of successful spear phishing attempts.
- Patch Management: Maintain a robust patch management process to promptly apply software updates and security patches. Regularly patching vulnerabilities can significantly reduce the risk of exploitation by the Black Basta threat actor.
- Network Segmentation: Implement network microsegmentation to limit the lateral movement of attackers within the network. This helps contain potential breaches and prevents unauthorized access to critical systems and data.
- Advanced Threat Detection: Deploy advanced threat detection solutions, including intrusion detection and prevention systems (IDPS), endpoint protection, and security analytics platforms. These tools can help identify and block suspicious activities associated with the Black Basta threat actor.
- Incident Response Readiness: Establish an effective incident response plan that includes clear roles, responsibilities, and procedures for handling security incidents. Regularly test and update the plan to ensure it remains effective against evolving threats.
- Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence through established channels. Sharing insights and indicators of compromise (IOCs) can help organizations collectively defend against the Black Basta threat actor and other threat actors.
- Strong Access Controls: Implement robust access controls, including strong authentication mechanisms, privileged access management, and least privilege principles. Restricting access to sensitive systems and data reduces the attack surface available to the Black Basta threat actor.
- Endpoint Protection: Deploy comprehensive endpoint protection solutions that include antivirus, anti-malware, and host-based intrusion detection systems (HIDS). Regularly update and monitor endpoint security to detect and mitigate potential threats.
- Network Monitoring and Logging: Maintain comprehensive network monitoring and logging capabilities to capture and analyze network traffic, system logs, and security events. Timely detection and analysis of suspicious activities can help identify potential Black Basta threat actor activity.
- Encryption and Data Protection: Implement strong encryption for sensitive data, both in transit and at rest. Use encryption protocols and technologies to protect data integrity and confidentiality, reducing the impact of potential data breaches.
- Regular Security Assessments: Conduct regular security assessments, penetration testing, and vulnerability scans to identify and address any weaknesses or vulnerabilities that could be exploited by the Black Basta threat actor. Regular assessments help ensure ongoing security readiness.
This article is attributed to Vikas Karunakarn, Aditya Kirit Katpara, Akshay Jambagi & Dipanjali Rani from Sectrio’s threat research team.