Origin: April 2022
Aliases: Basta News, Black Basta Blog
Targeted Sectors: Real-estate, Insurance, Healthcare, Banking, Manufacturing, Financial Services, Chemicals, Food & Beverage, Metals & Mining, Business Services
Targeted Regions: United States, Canada, Europe, United Kingdom, Australia, and New Zealand
Motive: Data Theft
Infection Vectors: Phishing email, Social Engineering, Torrent Websites, Malicious Ads
Black Basta is a new ransomware gang that has risen to prominence after breaching the networks of at least 50 firms across industries in a matter of a few months. So far, the group's double-extortion attacks around the world have resulted in multi-million dollar losses. The Black Basta ransomware moves so quickly that it rarely causes the symptoms that usually alert defenders to a potential compromise or infection. The group, which first appeared in the public eye in April, is still in its early stages. Even so, by adopting new malware tools and hacking techniques, it is making rapid progress on the cyber-offensive front. The ransomware has already infected companies such as Deutsche Windtechnik and the American Dental Association.
Infection Vector and Exploitation Techniques
Cybercriminals primarily spread malware (including ransomware) through phishing and social engineering, and Black Basta is no different. Its operators typically disguise the malware in various ways to achieve successful exploitation.
- Stealthy and deceptive downloads from untrustworthy download channels, for example unofficial free file-hosting websites and peer-to-peer sharing networks.
- Malicious attachments and links in spam emails and messages, online ad scams, cracked software and programs on malicious sites such as torrent sites, and fake updates are among the most common distribution methods.
- The ransomware hijacks an existing Windows service and uses it to launch the ransomware decryptor executable. The ransomware then changes the wallpaper to display the message: “Your network is encrypted by the Black Basta group.”
- Black Basta ransomware utilizes the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file that has information about the attack and contains a link and a unique ID to log in to the negotiation chat session with the threat actors.
The Double Extortion Scheme
- Black Basta, like other enterprise-focused ransomware operations, employs a double extortion scheme that involves stealing confidential data before encrypting it in order to threaten victims with the public release of the stolen data.
- The threat actors threaten to leak the stolen data if payment is not made within seven days of the attack, and promise to secure the data after a ransom is paid.
- The extortion phase of the gang's attacks is carried out on its Tor site, Basta News, which contains a list of all the victims who have not paid the ransom.
The Black Basta ransomware group targets a wide range of industries, although real estate, manufacturing, and financial services are the most common. In addition to these, the gang has already disrupted insurance, healthcare, finance, chemicals, food and beverage, metals and mining, and business services. According to sources, the ransomware group has been on the lookout for businesses in the United States, Canada, Europe, the United Kingdom, Australia, and New Zealand that use English as their primary communication language.
Attack on VMware ESXi Servers
The Black Basta ransomware was initially targeting only Windows-based systems, but the most recent ransomware binary now targets VMware virtual machines (VMs). On ESXi-based systems and servers, the latest variant appeared to encrypt VMs stored in the volumes folder (/vmfs/volumes).
Files on these servers are generally much larger than on a typical system, so Black Basta does not encrypt each file in full but only partially. It does this by encrypting 64-byte blocks of a file and leaving the 128-byte blocks between them untouched. This kind of intermittent encryption allows the ransomware to process files much more quickly.
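The 64/128-byte stripe layout described above leaves a measurable fingerprint: every 192-byte period contains one high-entropy chunk followed by two chunks that still look like the original data. The following scanner, an added example that is not part of the original write-up or any Black Basta sample, computes Shannon entropy per 64-byte chunk and tests all three possible stripe phases (the write-up does not say at which offset the first stripe starts, so that is an assumption handled by trying each alignment). The entropy thresholds, the `simulate_striping` helper and the `PLAINTEXT` sample are constructed for this example; the helper only overwrites stripes with random bytes to produce test input and performs no encryption.

```python
import math
import random
from collections import Counter

# Stripe geometry from the write-up: 64 encrypted bytes followed by 128 untouched bytes.
ENC_BLOCK = 64
PLAIN_BLOCK = 128
CHUNK = ENC_BLOCK                                       # scan granularity: one 64-byte chunk
CHUNKS_PER_PERIOD = (ENC_BLOCK + PLAIN_BLOCK) // CHUNK  # 3 chunks per 192-byte period


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes) -> list:
    """Entropy of each full 64-byte chunk in file order (a trailing partial chunk is ignored)."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data) - CHUNK + 1, CHUNK)]


def stripe_profile(data: bytes) -> dict:
    """Try all three stripe phases and return the one with the largest entropy contrast.

    For phase p, chunks with index % 3 == p are treated as the 64-byte encrypted stripes and
    the other two chunks of each period as the untouched 128-byte gap.
    """
    ents = chunk_entropies(data)
    periods = len(ents) // CHUNKS_PER_PERIOD
    best = {"phase": None, "enc": 0.0, "plain": 0.0, "periods": periods}
    if periods == 0:
        return best
    usable = ents[:periods * CHUNKS_PER_PERIOD]
    for phase in range(CHUNKS_PER_PERIOD):
        enc = [e for i, e in enumerate(usable) if i % CHUNKS_PER_PERIOD == phase]
        plain = [e for i, e in enumerate(usable) if i % CHUNKS_PER_PERIOD != phase]
        enc_avg, plain_avg = sum(enc) / len(enc), sum(plain) / len(plain)
        if best["phase"] is None or enc_avg - plain_avg > best["enc"] - best["plain"]:
            best.update(phase=phase, enc=enc_avg, plain=plain_avg)
    return best


def looks_intermittently_encrypted(data: bytes, min_periods: int = 8,
                                   enc_threshold: float = 5.0, min_gap: float = 1.0) -> bool:
    """True when stripes are consistently high-entropy and the gaps between them are not.

    Thresholds are assumptions for this example: 64 random bytes average roughly 5.7 bits/byte,
    configuration text about 4.3, zero-padded structures far less. A fully encrypted or
    compressed file shows no stripe/gap contrast and is therefore not flagged by this check.
    """
    p = stripe_profile(data)
    return (p["periods"] >= min_periods and p["enc"] >= enc_threshold
            and (p["enc"] - p["plain"]) >= min_gap)


# Constructed sample input (not a real VM file): a short config-like record with zero padding.
PLAINTEXT = (b'scsi0:0.fileName = "guest-disk.vmdk"\n' + b"\x00" * 24) * 60


def simulate_striping(data: bytes, seed: int = 7) -> bytes:
    """Overwrite the first 64 bytes of every 192-byte period with random bytes.

    Produces test input with the entropy profile described in the write-up; this is not an
    encryption routine (no key, no cipher), just random filler for the scanner to detect.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out) - ENC_BLOCK + 1, ENC_BLOCK + PLAIN_BLOCK):
        out[start:start + ENC_BLOCK] = bytes(rng.getrandbits(8) for _ in range(ENC_BLOCK))
    return bytes(out)


if __name__ == "__main__":
    striped = simulate_striping(PLAINTEXT)
    print("untouched sample flagged:", looks_intermittently_encrypted(PLAINTEXT))
    print("striped sample flagged:  ", looks_intermittently_encrypted(striped))
    print("profile:", stripe_profile(striped))
```

Run it against files under `/vmfs/volumes` recovered from an affected host to triage which ones carry the stripe pattern; the phase search matters because a detector hard-wired to offset 0 would miss files where the first stripe is aligned differently.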
Partnership and Rebranding Effort
Several emerging threat groups no longer appear to be distinct threats. Many of them work together to form new syndicates to carry out successful attacks, making it increasingly difficult for cybersecurity experts to mitigate the threat at an early stage. As several researchers have noticed, the Black Basta ransomware group seems to be treading a similar path.
QBot: The Black Basta ransomware group has joined hands with QBot to gain initial access to corporate environments. QBot is known for stealing Windows domain and bank credentials and dropping additional payloads. During a recent incident response, the Black Basta gang was observed using QBot to spread laterally throughout the network, according to researchers. The threat actor's primary method for maintaining their presence on the network was QBot. Once set up, QBot infects network shares and drives, brute-forces AD accounts, or uses SMB to create copies of itself or spread via default admin shares using the current user's credentials.
Conti: After closely monitoring Black Basta ransomware, a few researchers have asserted, with moderate confidence, that it could be a rebrand of Conti. Black Basta was found to share multiple similarities with the Conti group, from leak sites and payment sites to victim recovery portals. The temporary closure of Conti, followed by the near-immediate emergence of Black Basta, which uses similar tactics, further fuels the speculation that the two groups are closely related or run by the same members. Moreover, Conti ransomware activities have increased of late, despite researchers recently exposing the cybercriminals' operations. Conti, on the other hand, continues to deny that it rebranded as Black Basta and has labeled the group "kids."
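The lateral-movement behaviour described for QBot, copying itself to the default administrative shares of many hosts with the current user's credentials, stands out in share-access telemetry as one account fanning out to ADMIN$ or C$ on several machines within minutes. The detector below is an added example, not code from the write-up or from any vendor; it reads a constructed line-per-event JSON feed whose field names (`ts`, `event_id`, `user`, `src_ip`, `host`, `share`) are assumptions you would map onto your own SIEM's export of Windows Security event 5140 ("A network share object was accessed"). The ten-minute window and the three-host threshold are likewise assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Default administrative shares the write-up names as the copy targets.
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_events(lines):
    """Parse one JSON event per line (constructed format) and return them in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def share_name(path: str) -> str:
    r"""Reduce '\\*\ADMIN$' (the 5140 ShareName form) or a bare 'ADMIN$' to 'ADMIN$'."""
    return path.rsplit("\\", 1)[-1].upper()


def find_admin_share_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (user, source IP) pairs reaching admin shares on >= min_hosts distinct hosts in `window`."""
    per_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") != 5140 or share_name(e["share"]) not in ADMIN_SHARES:
            continue
        per_actor[(e["user"].lower(), e["src_ip"])].append((e["ts"], e["host"].lower()))

    alerts = []
    for (user, src_ip), hits in per_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Sliding window anchored at each hit; distinct hosts, so repeats on one box don't count.
            hosts = {host for t, host in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src_ip": src_ip,
                               "hosts": sorted(hosts), "first_seen": t0.isoformat()})
                break
    return alerts


# Constructed sample feed: 'alice' fans out to four hosts in ~3 minutes; 'bob' touches one admin
# share per 10-minute window plus a non-admin share; one unrelated 4624 logon is ignored.
SAMPLE_LOG = r"""
{"ts": "2022-06-01T09:00:05", "event_id": 5140, "user": "alice", "src_ip": "10.0.5.23", "host": "WS01", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T09:00:41", "event_id": 5140, "user": "alice", "src_ip": "10.0.5.23", "host": "WS02", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T09:01:10", "event_id": 5140, "user": "alice", "src_ip": "10.0.5.23", "host": "WS02", "share": "\\\\*\\C$"}
{"ts": "2022-06-01T09:02:30", "event_id": 5140, "user": "alice", "src_ip": "10.0.5.23", "host": "FS01", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T09:03:12", "event_id": 5140, "user": "alice", "src_ip": "10.0.5.23", "host": "WS07", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T09:01:00", "event_id": 5140, "user": "bob", "src_ip": "10.0.5.40", "host": "FS01", "share": "\\\\*\\Public"}
{"ts": "2022-06-01T09:01:30", "event_id": 5140, "user": "bob", "src_ip": "10.0.5.40", "host": "WS03", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T08:15:00", "event_id": 5140, "user": "bob", "src_ip": "10.0.5.40", "host": "WS09", "share": "\\\\*\\ADMIN$"}
{"ts": "2022-06-01T09:02:00", "event_id": 4624, "user": "alice", "src_ip": "10.0.5.23", "host": "WS05", "share": ""}
"""

if __name__ == "__main__":
    for alert in find_admin_share_fanout(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Keying on the (user, source IP) pair rather than the user alone matters here because the write-up says the copies are made with the current user's credentials: a legitimate administrator and a worm-like spread from one compromised workstation can share an account name but not a source.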
Prevention and Mitigation
Given the speed with which Black Basta ransomware is spreading, it is highly recommended to fend off the threat at the earliest stage. Since phishing and social engineering are its primary methods of propagation, users should avoid opening attachments and links in suspicious or irrelevant emails and messages, as doing so could lead to a system infection.
Aggregation and correlation of threat intelligence feeds is the need of the hour. Do away with legacy approaches and adopt modern threat alerting solutions. With these, you can aggregate custom threat intel feeds with early warning advisories on malware and vulnerabilities under exploitation, which are converted into actionable alerts for security analysts, customers, vendors, and peers. Furthermore, security teams must also foster automation of their SecOps workflows and operationalize threat intelligence for automated detection, analysis, and response to such threats.
The Black Basta group's impact in such a short period of time poses a significant threat to global enterprise networks. The 'possible and likely' collaboration of Black Basta ransomware with Qbot and Conti is clearly worrisome for enterprises and organizations looking to protect their data from unauthorized attacks. While law enforcement agencies and security researchers are doing everything they can to curb ransomware activities, organizations are advised to continue following best practices to secure themselves and their businesses.
Indicators of Compromise (IOCs)
Encrypted Files Extension: .basta
Registry Keys:
HKCU\Control Panel\Desktop\Wallpaper = %Temp%\dlaksjdoiwq.jpg
HKEY_CLASSES_ROOT\.basta\DefaultIcon = %Temp%\fkdjsadasd.ico
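Because `%Temp%` expands to a different per-user path on every host, a literal string match on these registry values misses real hits. The checker below, an added example rather than anything from the write-up, parses a `.reg` export (as produced by `reg export` on a live host or from a hive pulled during forensics) and matches on the normalised key path, the value name and the file name alone. It assumes the write-up's `HKEY_CLASSES_ROOT\.basta\DefaultIcon = ...` notation refers to that key's (Default) value, which is where Windows stores an icon path; the `SAMPLE_EXPORT` text is constructed.

```python
# IOC table from the write-up: (registry key, value name, expected file name).
# "" as the value name denotes the key's (Default) value, written as "@" in .reg files.
REGISTRY_IOCS = [
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper", "dlaksjdoiwq.jpg"),
    (r"HKEY_CLASSES_ROOT\.basta\DefaultIcon", "", "fkdjsadasd.ico"),
]

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT",
                "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}


def normalize_key(key: str) -> str:
    """Expand short hive names (HKCU -> HKEY_CURRENT_USER) and lower-case for comparison."""
    hive, _, rest = key.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_reg_export(text: str):
    """Yield (key, value_name, value) for REG_SZ entries of a .reg export; other types are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, value = line.partition("=")
            if name == "@":
                name = ""                       # (Default) value
            elif name.startswith('"') and name.endswith('"'):
                name = name[1:-1]
            else:
                continue                        # not a value line we understand
            if value.startswith('"') and value.endswith('"'):
                # .reg doubles backslashes inside quoted strings; undo that.
                yield key, name, value[1:-1].replace("\\\\", "\\")


def match_registry_iocs(text: str):
    """Return every exported value whose key, name and file name match an IOC entry."""
    hits = []
    for key, name, value in parse_reg_export(text):
        basename = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for ioc_key, ioc_name, ioc_file in REGISTRY_IOCS:
            if (normalize_key(key) == normalize_key(ioc_key)
                    and name.lower() == ioc_name.lower() and basename == ioc_file):
                hits.append({"key": key, "value_name": name or "(Default)", "value": value})
    return hits


# Constructed sample export: two IOC hits plus two benign values that must not match.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\jdoe\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"
"WallpaperStyle"="10"

[HKEY_CLASSES_ROOT\.basta\DefaultIcon]
@="C:\\Users\\jdoe\\AppData\\Local\\Temp\\fkdjsadasd.ico"

[HKEY_CLASSES_ROOT\.txt\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,-102"
'''

if __name__ == "__main__":
    for hit in match_registry_iocs(SAMPLE_EXPORT):
        print(hit)
```

The `.basta` file association key is worth treating as the stronger signal of the two: a wallpaper value can be changed by anything, whereas a `DefaultIcon` entry for that extension has no legitimate reason to exist on an ordinary workstation.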