Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[1][2][3][4][5][6]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Black Basta has used PowerShell scripts for discovery and to execute files over the network.[7][8][5] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Black Basta can use |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Black Basta can create a new service to establish persistence.[3][4] |
| Enterprise | T1486 | Data Encrypted for Impact |
Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.[3][9][6][5][10][2][1][8][11] |
|
| Enterprise | T1622 | Debugger Evasion |
The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[11] |
|
| Enterprise | T1491 | .001 | Defacement: Internal Defacement |
Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.[3][9][6][7][4][5][2][1][11] |
| Enterprise | T1480 | .002 | Execution Guardrails: Mutual Exclusion |
Black Basta will check for the presence of a hard-coded mutex |
| Enterprise | T1083 | File and Directory Discovery |
Black Basta can enumerate specific files for encryption.[6][4][5][10][2][1][8][11] |
|
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
The Black Basta binary can use |
| Enterprise | T1562 | .009 | Impair Defenses: Safe Mode Boot |
Black Basta can reboot victim machines in safe mode with networking via |
| Enterprise | T1490 | Inhibit System Recovery |
Black Basta can delete shadow copies using vssadmin.exe.[3][6][7][4][5][2][1][8][8][11] |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Black Basta has established persistence by creating a new service named |
| .005 | Masquerading: Match Legitimate Name or Location |
The Black Basta dropper has mimicked an application for creating USB bootable drivers.[11] |
||
| Enterprise | T1112 | Modify Registry |
Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.[3][6][7][5][2][1] |
|
| Enterprise | T1106 | Native API |
Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.[3][6][4][11] |
|
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Black Basta had added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.[11] |
| Enterprise | T1018 | Remote System Discovery |
Black Basta can use LDAP queries to connect to AD and iterate over connected workstations.[11] |
|
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.[11] |
| Enterprise | T1082 | System Information Discovery |
Black Basta can enumerate volumes and collect system boot configuration and CPU information.[3][6] |
|
| Enterprise | T1007 | System Service Discovery |
Black Basta can check whether the service name FAX is present.[6] |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Black Basta has been downloaded and executed from malicious Excel files.[7][8] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Black Basta can make a random number of calls to the |
|
| .001 | System Checks |
Black Basta can check system flags and libraries, process timing, and API's to detect code emulation or sandboxing.[1][11] |
||
| Enterprise | T1047 | Windows Management Instrumentation |
Black Basta has used WMI to execute files over the network.[5] |
|
References
- Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
- Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
- Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
- Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
- Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
- Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
- Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
- Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.
- Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
- Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.