After a cull that saw several high-profile ransomware gangs disbanded in late 2021, a new set of groups emerged in their place. One gang with a particularly rapid rise over the last few months is Black Basta. This article analyzes the origin of Black Basta, its ransomware operations, and its victims.
Black Basta: Operations and Ransomware Analysis
Posts made on two underground hacking forums announced the arrival of Black Basta. The posts offered an up-front fee plus a share of the profits to anyone who would sell corporate network access credentials to a forum user going by the name Black Basta.
From an operational perspective, the tactics and techniques used in Black Basta attacks are typical of prevailing ransomware trends. The first point of note is that double extortion is a feature of the gang's attacks, reflecting the now default assumption that exfiltrating sensitive data and documents before encrypting files or devices increases the chance of receiving a ransom payment.
Another notable tactic is the use of Qbot (also known as Qakbot) malware in the attacks observed so far. Qbot is a family of backdoor trojans with worm features that let it spread across a network on its own. While Qbot started life as a banking trojan, ransomware actors can leverage several of its features to make their work easier, including keylogging, lateral movement, and establishing persistence.
The ransomware payload is eventually pushed out to a list of internal IP addresses, most likely hosts already reached during the Qbot phase. Once the ransomware runs on a Windows endpoint, the following system changes occur:
- Volume shadow copies get deleted to prevent the recovery of encrypted files.
- Windows recovery and repair features are disabled to further prevent any kind of rollback to previous uninfected system states.
- Two images get dropped into the temporary Windows folder, one of which changes the desktop background to display a message stating the computer’s files have been encrypted.
- A service hijack removes the legitimate Windows Fax service and registers a malicious service under the same name, configured to run when the machine is in safe mode. The malware then calls the ShellExecute API to force a system restart.
- The system restarts and boots in safe mode with networking, which is when the actual encryption happens.
Multithreaded encryption locks down files rapidly, appending the extension .basta to each one. File contents are encrypted with ChaCha20, and the ChaCha20 key is in turn encrypted with an RSA-4096 public key embedded in the ransomware, so only the holder of the matching private key can recover it. Both algorithms are sound at these key sizes: brute-forcing either key is infeasible, so barring an implementation mistake by the gang there is no way to get files back for free by cracking the encryption.
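Seen from a SOC, the chain above is a sequence of loud, correlatable events on one host. The following is an added example written for this article, not code from the original page or from any vendor: a small correlation check run over constructed log lines. The event format and the specific command lines are assumptions; they mimic Windows process-creation and file-creation telemetry (Sysmon-style) and use command lines commonly seen in ransomware runs, not commands quoted from Black Basta samples.

```python
"""
Correlate the pre-encryption stages (shadow copy deletion, recovery
disabled, safe-mode boot configured, Fax service replaced, forced
restart) and the encryption stage (.basta files appearing) per host.

Added example, not code from the original article or any vendor. The
command lines and the event shape are assumptions that mimic common
Windows process/file telemetry, not captures from Black Basta samples.
"""
import re

# Stage name -> case-insensitive regex over a process command line.
PROCESS_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "safe_mode_boot_set": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+(minimal|network)\b", re.I),
    "fax_service_replaced": re.compile(
        r"\bsc(\.exe)?\s+(delete|create)\s+fax\b", re.I),
    "forced_restart": re.compile(
        r"\bshutdown(\.exe)?\b.*\s[/-]r\b.*\s[/-]f\b", re.I),
}

# File-creation rule: the extension the article reports being appended.
ENCRYPTED_EXT = re.compile(r"\.basta$", re.I)


def classify_process(cmdline):
    """Return the list of stage names a single command line triggers."""
    return [name for name, rx in PROCESS_RULES.items() if rx.search(cmdline)]


def correlate(events, threshold=3):
    """
    events: iterable of dicts with keys 'host', 'kind' ('process' or 'file')
    and 'value' (command line or file path). Returns {host: sorted stages}
    for hosts that hit at least `threshold` distinct stages. A lone
    vssadmin call by an administrator stays below the bar; a host that also
    disables recovery, re-registers the Fax service and reboots does not.
    """
    stages = {}
    for ev in events:
        if ev["kind"] == "process":
            fired = classify_process(ev["value"])
        elif ev["kind"] == "file" and ENCRYPTED_EXT.search(ev["value"]):
            fired = ["encrypted_file_written"]
        else:
            fired = []
        for stage in fired:
            stages.setdefault(ev["host"], set()).add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= threshold}


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # An administrator tidying up: one stage only, not enough to alert.
    {"host": "admin-ws01", "kind": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "admin-ws01", "kind": "process", "value": "vssadmin.exe list shadows"},
    # A host walking through the chain described in the article.
    {"host": "fileserver02", "kind": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fileserver02", "kind": "process", "value": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "fileserver02", "kind": "process", "value": "bcdedit.exe /set {current} safeboot network"},
    {"host": "fileserver02", "kind": "process", "value": "sc.exe delete Fax"},
    {"host": "fileserver02", "kind": "process", "value": "sc.exe create Fax binPath= C:\\Users\\Public\\svc.exe"},
    {"host": "fileserver02", "kind": "process", "value": "shutdown.exe /r /f /t 0"},
    {"host": "fileserver02", "kind": "file", "value": "D:\\Shares\\Finance\\Q2-forecast.xlsx.basta"},
    # Unrelated activity on a third host.
    {"host": "dev-vm07", "kind": "file", "value": "C:\\src\\build\\output.log"},
]

if __name__ == "__main__":
    for host, hit_stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(hit_stages)}")
```

The threshold is the point of the exercise: any one of these commands has a legitimate use, but three or more of them on the same host in a short window almost never do. In a real deployment you would key the correlation on host plus a time window and feed it from your EDR or SIEM rather than from a list.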
Security researchers noted a further tactical evolution in Black Basta operations when they detected variants of the ransomware built for VMware ESXi, an enterprise-class hypervisor used for running virtual machines (VMs). This variant is a Linux binary aimed at the ESXi host itself rather than at individual guests: encrypting the host's virtual disk files takes every VM on the server offline in one run. Targeting infrastructure of this kind demonstrates the "big game" hunting approach of Black Basta.
Notable Black Basta Victims
By the end of June 2022, Black Basta's leak site listed 50 victims it claimed to have compromised. The victims show no clear concentration in any sector or industry. Construction and manufacturing companies have been hit slightly more often, but nothing suggests a pattern beyond a focus on organizations located in Western nations.
The American Dental Association
The biggest name hit so far by Black Basta was the 161,000-member American Dental Association (ADA). Formed as far back as 1859, the ADA is the world’s largest and oldest dental association.
In April 2022, an attack on the ADA's IT network forced a partial shutdown and signaled Black Basta's arrival on the ransomware scene. The association also had to fall back on Gmail for email communications because its internal email services were unavailable.
After the ADA initially downplayed the severity of the incident, Black Basta began leaking up to 2.8 gigabytes of ADA data on its dark web leak site. The data leak included W2 forms and accounting spreadsheets. Worryingly, some of the information was sensitive and related to ADA members who run small dental practices; businesses where cybersecurity awareness is often lacking.
Deutsche Windtechnik
Deutsche Windtechnik is a German renewable energy company focused mostly on servicing wind turbines. In April 2022, Black Basta infiltrated the company's IT network, and the remote data monitoring connections to the turbines had to be switched off as a precaution. With increasing IT/OT convergence, ransomware in industrial, energy, or manufacturing businesses carries an additional danger beyond data loss: disruption of, or even a safety risk to, key operations.
A post listing Deutsche Windtechnik as a victim appeared on Black Basta's leak site shortly after the attack. Each listing starts with a small percentage of the stolen data published, and the threat actors release more as time passes and the victim refuses to pay. In this instance, the published share for Deutsche Windtechnik reached 100%.
The Rise of Black Basta Ransomware
Claiming 36 victims within just two months of becoming operational, and at least 50 at the time of writing, it’s clear the threat actors behind Black Basta know what they’re doing. While nothing is definite about the identity of those behind Black Basta, there’s a high likelihood this is a rebrand of one or more previously disbanded ransomware gangs, such as Conti or REvil.
There is nothing yet to indicate that Black Basta is running a ransomware-as-a-service (RaaS) operation. The underground forums that typically attract RaaS gangs recruiting new affiliates haven’t yet seen any posts from Black Basta threat actors. Some potential reasons for keeping things in-house include a desire to retain all profits through highly targeted attacks on large organizations and sufficient internal technical expertise/scalability to hit targets without enlisting external affiliates. Another possibility is that Black Basta will eventually evolve into a RaaS operation.
Potential Defenses and Countermeasures
Researchers disagree about the origins of Black Basta, but the professionalism and intricacy of the attacks observed so far point to a rebranding of defunct gangs. Whatever the case, the danger is clear, and the victim list will only grow over the coming months. Considering the gang's operations, here are some suggested countermeasures and defenses to have in place:
- With phishing and spear-phishing emails being a common method for persuading employees to disclose passwords for business accounts/services, use dedicated anti-phishing solutions and ongoing employee cybersecurity training and awareness.
- The use of stolen dark web credentials for initial network access in these attacks once again reinforces the importance of protecting business accounts with an extra layer of authentication (two-factor or multi-factor).
- Dark web monitoring services trawl criminal forums and marketplaces for stolen employee credentials, letting you force password resets on the affected accounts before they are used.
- Keep backups that the ransomware cannot reach from a compromised host: offline or immutable copies held off-site, in addition to any connected backups. Shadow copies and network-attached backups are deleted as part of the attack, so they cannot be the only line of recovery.
- Encrypt sensitive data at rest even where no regulation requires it; data that is exfiltrated in encrypted form has little leverage in a double-extortion negotiation. Note the limit of this control: an attacker who has taken over an account or endpoint with legitimate access reads the data in the clear, so encryption at rest mainly protects bulk stores (archives, backups, shares) that the compromised account cannot open.