Cybereason vs. Black Basta Ransomware

The Black Basta ransomware is a new strain of ransomware discovered in April of 2022. Although active for just two months, the group had already risen to prominence, claiming nearly 50 victims as of the publication of this report.

Even though it first emerged in April, Black Basta operations appear to have started back in February of 2022, based on the compilation timestamps of the associated files and pivoting on them. Back then, the ransomware had no name (to be precise, it identified itself as “no_name_software”), which suggests that it was still in development.

Later, in April, the operators started using the ransomware against victims. The timing was no coincidence: on April 20, 2022, a user named BlackBasta posted on the underground forums XSS[.]IS and EXPLOIT[.]IN, offering to buy and monetize corporate network access in exchange for a share of the profits.

The post, written in Russian, also specified that they were looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, which suggests that the group specifically targets English-speaking countries:

[Figure: BlackBasta post on hacking forums]

Cybereason Detects and Blocks Black Basta ransomware

Key Details

  • Prominent Threat: In just two months, the Black Basta gang has added nearly 50 victims to its list as of the publishing of this report, making it one of the most prominent ransomware operations of recent months.
  • Targets VMware ESXi: Black Basta’s Linux variant targets VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
  • High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
  • Targeting English-Speaking countries: Black Basta specifically targets the following countries: United States, Canada, United Kingdom, Australia, and New Zealand.
  • Targeting Wide Range of Industries: Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers and more.
  • Human Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack.
  • Detected and Prevented: The AI-Driven Cybereason Defense Platform fully detects and prevents the Black Basta ransomware. 

Similar to other ransomware operations that have emerged over the past years, the Black Basta gang follows the growing trend of double extortion. They steal sensitive files and information from their victims and later use it to extort the victims by threatening to publish the data unless the ransom is paid.

While the ransom demand is likely to vary among victims, according to reports, the group was seen demanding millions of dollars as a ransom fee:

[Figure: Basta News website]

[Figure: Black Basta chat]

Black Basta Ransomware Attack Breakdown

Early in June, it was reported that the Black Basta ransomware gang had partnered with the QBot malware operation to spread its ransomware. This is, of course, not the first time a ransomware gang has partnered with QBot and used it as its main distributor.

Many of the “big players” in the ransomware field have done it before, including MegaCortex, ProLock, DoppelPaymer, Conti and Egregor. These partnerships have proven themselves in the past, and Black Basta, most likely as a step to follow the big players' lead, has decided to do the same.

The use of QBot saves time for ransomware operators. QBot has many built-in capabilities that are very useful to attackers, some of which are used to perform reconnaissance, collect data and credentials, move laterally, and download and execute payloads.

After harvesting credentials and mapping the network architecture, the attacker targets the Domain Controller and moves laterally using PsExec. Once the DC is compromised, the attackers “prepare the ground” with a final procedure meant to evade detection and prevention.

On the compromised DCs, the attacker creates a Group Policy Object (GPO) that disables Windows Defender and attempts to take down any other anti-virus products. It is interesting to note that this technique was also observed in the QBot-Egregor attacks in the past.

The final stage of the attack is to deploy the ransomware to the targeted endpoints. To do so, the attacker uses an encoded PowerShell command that leverages WMI to push the ransomware binary to the IP addresses listed in a file created earlier in the attack, C:\Windows\pc_list.txt.

Black Basta Ransomware

The Black Basta ransomware is the final payload in the attack. Like most ransomware, it is designed to encrypt the files on the machine and leave a ransom note for the user.

Once executed, the ransomware deletes the system's volume shadow copies using vssadmin.exe, a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures stable point-in-time images of volumes for backup on running systems.

Ransomware commonly uses vssadmin.exe to delete shadow copies and other file backups before encrypting the files themselves. This is another way to ensure that the victim is forced to pay: the valuable files can neither be decrypted nor retrieved from VSS:

[Figure: Black Basta execution as shown in the Cybereason Defense Platform]
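The two endpoint behaviours described above, the encoded PowerShell/WMI push to the hosts in pc_list.txt and the vssadmin shadow-copy deletion, are both visible in ordinary process-creation telemetry. The following is an added example written for this page, not code from the Cybereason report or from its platform: it decodes PowerShell -EncodedCommand arguments, flags decoded scripts that reference WMI remote execution together with the pc_list.txt target list, and separately flags vssadmin shadow deletion. The record layout, field names and every sample event are constructed assumptions.

```python
"""Added example (not from the Cybereason report): triage of constructed
process-creation records for two behaviours described in the report:
shadow-copy deletion via vssadmin.exe, and encoded PowerShell that decodes to
WMI-based remote execution referencing the pc_list.txt target list.
Record layout, field names and all sample events are assumptions."""
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records; "cmd" is the full command line as a logging agent records it.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt"},
    {"host": "dc-01", "user": "SYSTEM", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "dc-01", "user": "admin", "image": PS_EXE,
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(
         r"Get-Content C:\Windows\pc_list.txt | ForEach-Object { Invoke-WmiMethod -ComputerName $_ -Class Win32_Process }")},
    {"host": "ws-02", "user": "ops", "image": PS_EXE,
     "cmd": "powershell.exe -EncodedCommand " + encode_ps("Get-Date")},
]

# -e / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# vssadmin ... delete ... shadows, regardless of the remaining switches.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Markers of the WMI push the report describes; matched on the decoded script.
REMOTE_EXEC_MARKERS = ("invoke-wmimethod", "win32_process", "pc_list.txt")


def decode_encoded_command(cmd: str):
    """Return the decoded script if cmd carries an -EncodedCommand blob, else None."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: nothing to inspect, so no match here


def triage_event(ev: dict) -> list:
    """Apply both rules to one record and return the list of findings (empty if clean)."""
    findings = []
    cmd = ev["cmd"]
    if VSS_DELETE.search(cmd):
        findings.append("shadow_copy_deletion")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_powershell")
        lowered = decoded.lower()
        hits = [mk for mk in REMOTE_EXEC_MARKERS if mk in lowered]
        if hits:
            findings.append("wmi_remote_push:" + ",".join(hits))
    return findings


def triage(events: list) -> list:
    """Return (host, image, findings) for every record that triggered at least one rule."""
    alerts = []
    for ev in events:
        findings = triage_event(ev)
        if findings:
            alerts.append((ev["host"], ev["image"], findings))
    return alerts


if __name__ == "__main__":
    for host, image, findings in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

Run against the constructed events, the benign notepad record produces nothing, the vssadmin record is flagged for shadow-copy deletion, the encoded command on the DC is flagged with all three WMI-push markers, and the harmless encoded Get-Date is reported only as encoded PowerShell, which is the right granularity: encoding alone is a weak signal, the decoded content is what separates administration from deployment.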

The ransomware drops two files into %TEMP%: one is the icon for the encrypted files (named “fkdjsadasd.ico”) and the other is a .jpg file used as the desktop background (named “dlaksjdoiwq.jpg”):

[Figure: Files dropped in %TEMP% folder by Black Basta]

When the ransomware starts its encryption routine, it first changes the desktop background image and, at the same time, iterates over the files and encrypts them.

The extension “.basta” is appended to the encrypted files, and in each folder the malware drops a ransom note named “readme.txt”. The ransom note is customized to the victim and contains a unique ID that the victim uses in the negotiation chat:

[Figure: Black Basta wallpaper]

[Figure: Encrypted files and ransom note]

Linux Version

In early June, Black Basta added support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers. This tactic has been gaining popularity among ransomware gangs, since it aligns with their enterprise targeting and allows faster encryption of multiple servers with a single command. Among the gangs using it are LockBit, Hive, and Cheerscrypt.

Once executed, Black Basta looks for /vmfs/volumes. If the path does not exist, the ransomware prints the error “Path not exists in this system” and exits:

[Figure: Error message created by Black Basta]

Aside from being ESXi-centric, the Linux version shares many similarities with the Windows variant. Both variants display the same message during encryption: “Done time: %.4f seconds, encrypted: %.4f gb”:

[Figure: Similarity between variants - “Done time” message]

Both variants also share the same unique strings found in Black Basta: “ERRRRRRRROr” and “Error 755”:

[Figure: Similarity between variants - “ERRRRRRRROr” unique string]

Both variants' ransom notes (readme.txt) are the same:

[Figure: Similarity between variants - ransom note]

Conti Relations?

Not much is known about the new Black Basta gang, as they have not begun marketing their operation or recruiting affiliates on hacking forums. However, given their ability to amass new victims quickly, several researchers believe this is not the group's first operation.

Various speculations were raised about the group, including that it is associated with the infamous Conti gang, a claim that Conti later refuted:

[Figure: Conti gang denies being associated with Black Basta]

It is pretty clear that the Black Basta gang knows what it is doing and wants to play in the “big league” of ransomware, the same league as Conti, Ryuk, REvil, BlackMatter and others. This may be the reason behind the speculation that it is a rebrand of another ransomware group.

Although this may be true, it has not yet been proven. It is also reasonable to believe that the group was inspired by the “successful” ransomware groups, specifically Conti, and is trying to follow their path. Several researchers have also noted many similarities between the two, including the appearance of the leak Tor site, the ransom note, the payment site, and the behavior of the support team.

Cybereason Detection and Prevention

The AI-driven Cybereason Defense Platform is able to prevent the execution of the Black Basta ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a MalOp™ for it:

[Figure: Detection for Black Basta ransomware as shown in the Cybereason Defense Platform]

Using the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown malware variants:

[Figure: Cybereason user notification for prevention of the Black Basta ransomware]

Security Recommendations

  • Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for Cybereason customers can be found here
  • Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information for Cybereason customers can be found here
  • Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities
  • Regularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data
  • Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering

MITRE ATT&CK TECHNIQUES

Initial Access
  • Phishing
  • Valid Accounts

Lateral Movement
  • Taint Shared Content
  • Remote File Copy

Execution
  • Command and Scripting Interpreter: PowerShell
  • Scheduled Task/Job
  • Windows Management Instrumentation
  • User Execution

Credential Access
  • Credentials from Password Stores

Discovery
  • Account Discovery
  • System Information Discovery
  • File and Directory Discovery
  • System Location Discovery

Collection
  • Data from Local System

Impact
  • Data Encrypted for Impact
  • Inhibit System Recovery


About the Researcher:

Lior Rochberger, Senior Threat Researcher and Threat Hunter, Cybereason

As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.

Black Basta Ransomware Indicators of Compromise (IOCs)

SHA256 - Windows variant:

  • 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
  • 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
  • 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
  • ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
  • 5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173
  • c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7
  • 3eb22320da23748f76f2ce56f6f627e4255bc81d09ffb3a011ab067924d8013b
  • 1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250
  • a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1
  • c4fa34414fb1c199e13d7cd7def0e8f401c9649657a39224bc32310c9fd9d725
  • f132ffc8648d38833244e612c58224285e85e863a35c872490690217c082e59c
  • c5fcd0643823082941bc827613baf0fa574ffd9cb03a8b265d62d657367b2ea2
  • 19c2710e498d55f2e3a3d4126064e960058e32c99dc35944b3fc09aa0eec4754
  • daa049b15bb5c1d0aef06276f9940d2fea76242f1a01ebfe299a63b7c74f7ea0

SHA256 - Linux variant:

  • 0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef
  • 96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be

URL - TOR leak website:

  • https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion

URL - TOR chat:

  • https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]nion
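The SHA256 hashes above only catch samples that are already known, while the shared strings documented in the Linux Version section (“Done time: %.4f seconds, encrypted: %.4f gb”, “ERRRRRRRROr”, “Error 755”) and the “Path not exists in this system” ESXi check can surface recompiled builds. The following is an added example, written for this page and not code from the Cybereason report, that combines both: an exact-hash lookup against the published IOCs, with a string-based fallback for unknown hashes. The hash sets are copied from the table above; the byte blobs it classifies are constructed stand-ins, not malware.

```python
"""Added example (not from the Cybereason report): offline triage of candidate
files against the report's published SHA256 IOCs and the distinctive strings
the report says both variants share. The hashes are copied from the report's
IOC table; the byte blobs below are constructed stand-ins, not malware."""
import hashlib

WINDOWS_SHA256 = {
    "7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a",
    "17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90",
    "5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa",
    "ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e",
    "5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173",
    "c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7",
    "3eb22320da23748f76f2ce56f6f627e4255bc81d09ffb3a011ab067924d8013b",
    "1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250",
    "a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1",
    "c4fa34414fb1c199e13d7cd7def0e8f401c9649657a39224bc32310c9fd9d725",
    "f132ffc8648d38833244e612c58224285e85e863a35c872490690217c082e59c",
    "c5fcd0643823082941bc827613baf0fa574ffd9cb03a8b265d62d657367b2ea2",
    "19c2710e498d55f2e3a3d4126064e960058e32c99dc35944b3fc09aa0eec4754",
    "daa049b15bb5c1d0aef06276f9940d2fea76242f1a01ebfe299a63b7c74f7ea0",
}
LINUX_SHA256 = {
    "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef",
    "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be",
}

# Strings the report shows in both the Windows and Linux variants.
SHARED_STRINGS = [
    b"Done time: %.4f seconds, encrypted: %.4f gb",
    b"ERRRRRRRROr",
    b"Error 755",
]
# Message the Linux variant prints when /vmfs/volumes is absent (ESXi-targeting hint).
ESXI_MARKER = b"Path not exists in this system"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> dict:
    """Exact-hash match first; otherwise fall back to the shared-string heuristic."""
    digest = sha256_hex(data)
    hits = [s.decode("ascii") for s in SHARED_STRINGS if s in data]
    if digest in WINDOWS_SHA256:
        verdict = "known_windows_sample"
    elif digest in LINUX_SHA256:
        verdict = "known_linux_sample"
    elif len(hits) >= 2:
        # "Error 755" on its own is too generic; require two of the three strings.
        verdict = "suspect_basta_family"
    else:
        verdict = "no_match"
    return {"sha256": digest, "string_hits": hits,
            "esxi_marker": ESXI_MARKER in data, "verdict": verdict}


def scan_files(paths) -> dict:
    """Classify each file on disk by path; unreadable paths are reported as errors, not raised."""
    results = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                results[p] = classify(fh.read())
        except OSError as exc:
            results[p] = {"error": str(exc)}
    return results


# Constructed stand-ins: an ELF-like blob carrying the strings, and a benign PE-like blob.
CONSTRUCTED_SUSPECT = (b"\x7fELF" + b"\x00" * 12 + ESXI_MARKER + b"\x00"
                       + b"ERRRRRRRROr\x00Error 755\x00"
                       + b"Done time: %.4f seconds, encrypted: %.4f gb\x00")
CONSTRUCTED_BENIGN = b"MZ" + b"\x00" * 30 + b"Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        print(name, classify(blob))
```

A hash hit is conclusive, but a string-only verdict is a lead for a reverse engineer, not a detection on its own: the constructed suspect blob above is reported as “suspect_basta_family” with the ESXi marker present, and the benign blob matches nothing.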

About the Author

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.