Cybereason Blog | Cybersecurity News and Analysis

Cybereason vs. Black Basta Ransomware

Written by Cybereason Nocturnus | Jun 24, 2022 11:00:00 AM

The Black Basta ransomware is a new strain of ransomware discovered in April of 2022. Although active for just two months, the group has already risen to prominence, claiming nearly 50 victims as of the publication of this report.

Even though it first emerged in April, Black Basta operations started back in February of 2022, based on the compilation timestamps of the associated files and pivoting on them. Back then, the ransomware had no name (to be precise, it was called “no_name_software“), which suggests that it was still in development.

Later, in April, the operators started using the ransomware to target victims. The timing was no coincidence: on April 20, 2022, a user named BlackBasta posted on the underground forums XSS[.]IS and EXPLOIT[.]IN, offering to buy corporate network access and monetize it for a share of the profits.

The post, written in Russian, also specified that they were looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, which suggests that the group targets specifically English-speaking countries:

BlackBasta post on hacking forums

 

Cybereason Detects and Blocks Black Basta ransomware

Key Details

  • Prominent Threat: In just two months, the Black Basta gang has added nearly 50 victims to their list as of the publishing of this report, making them one of the most prominent ransomware groups of recent months.
  • Targets VMware ESXi: Black Basta’s Linux variant targets VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
  • High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
  • Targeting English-Speaking countries: Black Basta specifically targets the following countries: United States, Canada, United Kingdom, Australia, and New Zealand.
  • Targeting Wide Range of Industries: Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers and more.
  • Human Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack.
  • Detected and Prevented: The AI-Driven Cybereason Defense Platform fully detects and prevents the Black Basta ransomware. 

Similar to other ransomware operations that have emerged over the past years, the Black Basta gang follows the growing trend of double extortion. They steal sensitive files and information from their victims and later use it to extort the victims by threatening to publish the data unless the ransom is paid.

While the ransom demand is likely to vary among victims, according to reports, the group was seen demanding millions of dollars as a ransom fee:

Basta News website

Black Basta chat

Black Basta Ransomware Attack Breakdown

Early in June, it was reported that the Black Basta ransomware gang had partnered with the QBot malware operation to spread their ransomware. This is, of course, not the first time that a ransomware gang has partnered with QBot to use it as their main distributor.

Many of the “big players” in the ransomware field have done it before, including MegaCortex, ProLock, DoppelPaymer, Conti and Egregor. These partnerships have proven themselves in the past, and Black Basta, most likely as a step to follow the big players' lead, has decided to do the same.

The use of QBot saves time for ransomware operators. QBot has many built-in capabilities that are very useful for attackers; some of them are used to perform reconnaissance, collect data and credentials, move laterally, and download and execute payloads.

After harvesting credentials and understanding the network architecture, the attacker targets the Domain Controller and moves laterally using PsExec. Once the DC is compromised, the attackers “prepare the ground” and undertake a final procedure meant to avoid detection and prevention.

The attacker creates, on the compromised DCs, a Group Policy Object (GPO) to disable Windows Defender and tries to take down any anti-virus products. It is interesting to note that this technique was also observed in the QBot-Egregor attack in the past.

The final stage of the attack is to deploy the ransomware to the targeted endpoints. To do so, the attacker uses an encoded PowerShell command that leverages WMI to push out the ransomware binary to the IP addresses contained within a file that was created earlier in the attack, C:\Windows\pc_list.txt.

Black Basta Ransomware

The Black Basta ransomware is the final payload in the attack. It is designed, as most ransomware, to encrypt the files on the machine, and leave a ransom note to the user.

Once executed, the ransomware deletes the system's Volume Shadow Copies using vssadmin.exe, a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures point-in-time images of volumes for backup on running systems.

Ransomware commonly uses vssadmin.exe to delete shadow copies and other backups of files before encrypting the files themselves. This is another way to ensure that the victim will be forced to pay to decrypt the valuable files, since they can be neither decrypted nor retrieved from VSS:
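The two command lines described above (the encoded PowerShell command that uses WMI to push the binary to the hosts listed in C:\Windows\pc_list.txt, and the vssadmin.exe shadow-copy deletion) are both visible in process-creation telemetry. The following script is an added example, not Cybereason's code or detection logic: it decodes the -EncodedCommand payload (UTF-16LE, base64) and flags the indicators a SOC analyst would look for. The sample events, the decoded script contents and the indicator names are all constructed for illustration.

```python
import base64
import re

# Constructed stand-in for the decoded deployment script: it only needs to
# reference pc_list.txt and a WMI cmdlet for the detection logic below.
SAMPLE_SCRIPT = (
    "foreach ($ip in Get-Content C:\\Windows\\pc_list.txt) { "
    "Invoke-WmiMethod -ComputerName $ip -Class Win32_Process -Name Create "
    "-ArgumentList '<deployment command omitted>' }"
)


def _make_sample_encoded(script):
    """Build the -EncodedCommand form of a script (used only to construct
    the sample telemetry; PowerShell expects base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (field names are assumptions).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _make_sample_encoded(SAMPLE_SCRIPT)},
    {"id": 3, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing only
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},   # benign: not encoded
]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any accepted abbreviation such as -e, -ec or -enc), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok.lstrip("-/").lower()
        # powershell.exe accepts any unambiguous prefix of the switch name.
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event):
    """Return the list of indicator names matched by one event."""
    hits = []
    cmd = event["cmdline"]
    image = event["image"].lower()

    # Inhibit System Recovery: vssadmin deleting shadow copies.
    if image.endswith("vssadmin.exe") and re.search(r"(?i)\bdelete\s+shadows\b", cmd):
        hits.append("shadow_copy_deletion")

    # Encoded PowerShell: decode and inspect the real script, not the base64.
    decoded = decode_encoded_command(cmd) if image.endswith("powershell.exe") else None
    if decoded is not None:
        hits.append("encoded_powershell")
        if (re.search(r"(?i)\b(Invoke-WmiMethod|Get-WmiObject|Invoke-CimMethod)\b", decoded)
                and re.search(r"(?i)-ComputerName", decoded)):
            hits.append("wmi_remote_execution")
        if re.search(r"(?i)pc_list\.txt", decoded):
            hits.append("pc_list_reference")
    return hits


def triage_all(events):
    """Map event id -> indicators for every event that matched something."""
    results = {}
    for event in events:
        hits = triage(event)
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, hits in triage_all(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Decoding the payload before matching is the important step: rules that only look for "-enc" fire on a great deal of legitimate administration, while the combination of a remote WMI cmdlet and a reference to a host-list file is far more specific to the deployment stage described here.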

Black Basta execution as shown in the Cybereason Defense Platform

The ransomware drops two files into %TEMP%: one is the icon for the encrypted files (named “fkdjsadasd.ico”) and the other is a .jpg file that will be used as a background image (named “dlaksjdoiwq.jpg”):

Files dropped in %TEMP% folder by Black Basta

When the ransomware starts its encryption routine, it first changes the background image of the desktop, and simultaneously goes through the files and encrypts them.

The extension “.basta” is added to the encrypted files, and in each folder the malware drops the ransom note named “readme.txt”. The ransom note is customized to the victim and contains a unique id for the victim to use in the negotiation chat:

Black Basta wallpaper

Encrypted files and ransom note
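The artifacts just described (the two files dropped into %TEMP%, the “.basta” extension and the per-folder “readme.txt” note) are what an incident responder sweeps for when scoping an infection. The following script is an added example, not part of the original report or a Cybereason tool: it walks a directory tree, counts encrypted files per folder, lists the ransom notes and checks a temp directory for the dropped files. The directory layout it builds is constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Artifact names taken from the report; everything else here is an assumption.
DROPPED_FILES = {"fkdjsadasd.ico", "dlaksjdoiwq.jpg"}
ENCRYPTED_EXT = ".basta"
NOTE_NAME = "readme.txt"


def sweep(root, temp_dir=None):
    """Walk `root` and report Black Basta artifacts: .basta files per
    directory, the ransom notes found, and any dropped files in `temp_dir`."""
    report = {"encrypted_per_dir": Counter(), "notes": [], "dropped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report["encrypted_per_dir"][dirpath] += 1
            elif lower == NOTE_NAME:
                report["notes"].append(os.path.join(dirpath, name))
    if temp_dir and os.path.isdir(temp_dir):
        for name in os.listdir(temp_dir):
            if name.lower() in DROPPED_FILES:
                report["dropped"].append(os.path.join(temp_dir, name))
    report["total_encrypted"] = sum(report["encrypted_per_dir"].values())
    return report


def build_sample_tree():
    """Construct a throwaway tree that mimics a hit: two folders with .basta
    files and notes, one untouched folder, and a fake %TEMP% with the dropped
    files. Returns (root, temp_dir)."""
    base = tempfile.mkdtemp(prefix="basta_sample_")
    layout = {
        "docs": ["report.docx.basta", "budget.xlsx.basta", "readme.txt"],
        "photos": ["img1.jpg.basta", "readme.txt"],
        "untouched": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for n in names:
            open(os.path.join(base, folder, n), "w").close()
    temp = os.path.join(base, "temp")
    os.makedirs(temp)
    for n in DROPPED_FILES:
        open(os.path.join(temp, n), "w").close()
    return base, temp


if __name__ == "__main__":
    root, temp = build_sample_tree()
    r = sweep(root, temp)
    print(f"{r['total_encrypted']} encrypted files in "
          f"{len(r['encrypted_per_dir'])} folders, {len(r['notes'])} ransom notes")
    for path in r["dropped"]:
        print("dropped artifact:", path)
```

Pointing `sweep` at a file share rather than a single host gives a quick picture of how far the encryption routine got, since the note is written into every folder the malware touched.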

Linux Version

In early June, Black Basta added support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers. This tactic is gaining popularity among ransomware gangs, since it aligns with their enterprise targeting and makes it possible to encrypt multiple servers faster with a single command. Among the gangs already using it are LockBit, Hive, and Cheerscrypt.

Once executed, Black Basta looks for /vmfs/volumes. If the path doesn’t exist, the ransomware prints the “error” “Path not exists in this system” and exits:

Error message created by Black Basta

The Linux version, besides being ESXi-centric, shares many similarities with the Windows variant. Both variants display the same message during encryption: “Done time: %.4f seconds, encrypted: %.4f gb”:

Similarity between variants - “Done Time” message

Both variants also share the same unique strings found in Black Basta: “ERRRRRRRROr” and “Error 755”:

Similarity between variants - “ERRRRRRRROr” unique string

Both variants’ ransom notes (readme.txt) are the same:

Similarity between variants - ransom note

Conti Relations?

Not much is known about the new Black Basta gang, as they have not begun marketing their operation or recruiting affiliates on hacking forums. However, given their ability to quickly amass new victims, different researchers believe that this is not their first operation.

Different speculations were raised about the group, including that they are associated with the infamous Conti gang, which was later refuted by the Conti gang:

Conti gang denies being associated with Black Basta

It is pretty clear that the Black Basta gang knows what they are doing, and they want to play in the “big league” of ransomware, the same league as Conti, Ryuk, REvil, BlackMatter and others. This may be the reason behind the speculation that they are a rebrand of another ransomware group.

Although this may be true, it has not been proven yet; it is also reasonable to believe that they were inspired by the “successful” ransomware groups, specifically Conti, and are trying to follow their way. Different researchers have also noted many similarities between the two, including the appearance of the leak Tor site, the ransom note, the payment site and the behavior of the support team.

Cybereason Detection and Prevention

The AI-driven Cybereason Defense Platform is able to prevent the execution of the Black Basta ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a MalOp™ for it:

Detection for Black Basta ransomware as shown in the Cybereason Defense Platform

Using the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown malware variants:

Cybereason user notification for prevention of the Black Basta ransomware

Security Recommendations

  • Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for Cybereason customers can be found here
  • Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information for Cybereason customers can be found here
  • Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities
  • Regularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data
  • Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering


MITRE ATT&CK TECHNIQUES

Initial Access
  • Phishing
  • Valid Accounts

Lateral Movement
  • Taint Shared Content
  • Remote File Copy

Execution
  • Command and Scripting Interpreter: PowerShell
  • Scheduled Task/Job
  • Windows Management Instrumentation
  • User Execution

Credential Access
  • Credentials from Password Stores

Discovery
  • Account Discovery
  • System Information Discovery
  • File and Directory Discovery
  • System Location Discovery

Collection
  • Data from Local System

Impact
  • Data Encrypted for Impact
  • Inhibit System Recovery

About the Researcher:

LIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER, CYBEREASON

As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.