Black Basta

Who Is Black Basta?

Black Basta (AKA BlackBasta) is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation. Black Basta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand in highly targeted attacks rather than employing a spray-and-pray approach. The group uses a double-extortion model: it encrypts the victim’s critical data and vital servers and threatens to publish stolen sensitive data on its public leak site.

Black Basta’s core membership is thought to have come from the defunct Conti threat actor group, based on similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery. Black Basta has also been linked to the FIN7 (AKA Carbanak) threat actor through similarities in their custom Endpoint Detection and Response (EDR) evasion modules and overlapping use of IP addresses for command and control (C2) operations.

How a Black Basta Attack Works

In early campaigns, Black Basta attacks began with highly targeted spear-phishing to gain initial access. In April 2022, the group began advertising its intent to buy corporate network access and share the profits with affiliated initial access brokers (IAB). After gaining initial access, Black Basta deploys a range of second-stage tactics to harvest Windows domain credentials, move laterally through the target’s network, steal sensitive data, and deploy ransomware.

To achieve its second-stage goals, Black Basta uses a diverse set of tactics, including the QakBot stealer (AKA QBot or Pinkslipbot), Mimikatz, and the native Windows Management Instrumentation (WMI) API for credential harvesting; it then uses PowerShell and PsExec commands to reach adjacent network endpoints with the harvested credentials. Black Basta can also exploit the ZeroLogon, NoPac, and PrintNightmare vulnerabilities for local and Active Directory domain privilege escalation. For C2 remote control of infected systems, Black Basta installs Cobalt Strike Beacons, uses SystemBC as a C2 proxy, and uses the Rclone tool for data exfiltration.

The encryption stage of a Black Basta attack starts by disabling antivirus products, executing an encryption payload remotely via PowerShell, and deleting system shadow copies using the vssadmin.exe program. From there, Black Basta executes a custom ransomware payload that has been through at least one significant version change since it was first observed. The first version of Black Basta’s encryption module was similar to Conti ransomware. In contrast, the improved second version uses heavy obfuscation and randomized filenames to evade EDR products and has replaced its use of the GNU Multiple Precision Arithmetic Library (GMP) algorithms with the Crypto++ encryption library. The Black Basta 2.0 encryption module uses the XChaCha20 algorithm for symmetric encryption; a unique Elliptic Curve Cryptography (ECC) key pair is used to encrypt the symmetric key, and the encrypted symmetric key, the ECC public key needed to decrypt it, and a nonce are prepended to the encrypted file data.
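Shadow-copy deletion with vssadmin.exe is the most observable step of the encryption stage described above, so it is a natural detection point. The following is an added example, not code from the page or from BlackBerry: it scans process-creation events in a simplified Sysmon Event ID 1 shape (the field names and the sample events are constructed for this demonstration) and raises a finding for any command line that deletes VSS shadow copies, rating the silent delete-everything form highest.

```python
"""Added example (not from the page or BlackBerry): flag shadow-copy deletion,
the vssadmin.exe step that precedes Black Basta's encryption payload, in
process-creation telemetry. Event fields and sample events are constructed."""
import re
from typing import Dict, List

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0412", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},          # benign inventory
    {"host": "FS-01", "user": "CORP\\svc-backup", "parent": "backupagent.exe",
     "cmd": "vssadmin.exe delete shadows /for=D: /oldest"},              # targeted, may be legitimate
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},                  # classic ransomware precursor
    {"host": "WS-0199", "user": "CORP\\mpatel", "parent": "powershell.exe",
     "cmd": "\"C:\\Windows\\system32\\VSSADMIN.EXE\"  delete  shadows  /all  /quiet"},
]

# Match vssadmin (bare, with .exe, or as a full path, optionally quoted) followed
# by "delete shadows"; case-insensitive because cmd.exe is.
SHADOW_DELETE = re.compile(
    r"(?:^|[\\\s\"'])vssadmin(?:\.exe)?[\"']?\s+delete\s+shadows\b", re.IGNORECASE)
# "/all" together with "/quiet" wipes every shadow copy silently: the highest-risk form.
ALL_QUIET = re.compile(r"/all\b.*/quiet\b|/quiet\b.*/all\b", re.IGNORECASE)


def detect_shadow_copy_deletion(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line deletes VSS shadow copies."""
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        if not SHADOW_DELETE.search(cmd):
            continue
        severity = "high" if ALL_QUIET.search(cmd) else "medium"
        findings.append({"host": ev["host"], "user": ev["user"],
                         "parent": ev["parent"], "severity": severity, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['user']} via {f['parent']}: {f['cmd']}")
```

The medium-severity finding from the backup agent shows why the parent process and user are carried into the finding: a scoped deletion from backup software is a review item, while a silent `/all /quiet` deletion launched from cmd.exe or PowerShell as SYSTEM is the pattern to alert on immediately.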

Black Basta has also used other distinct techniques in its attacks, such as disabling the compromised system’s DNS services to complicate recovery by cutting the system off from the internet, and deploying a ransomware variant that targets Linux-based VMware ESXi virtual machines (VMs).

Signs of a Black Basta Attack

Early versions of Black Basta ransomware were easier to detect than its more evasive second iteration, which implements string obfuscation and randomized filenames to avoid static detection methods used by standard antivirus products.

Black Basta ransomware attacks append a .basta or ransom extension to encrypted files and create a ransom note “readme.txt” on the victim’s desktop that contains a link to the group’s leak site where stolen data is published. Another way to distinguish a Black Basta attack from other ransomware attacks is to examine the beginning of each encrypted file, since Black Basta uses a novel encryption scheme that prepends each file with a unique 133-byte ephemeral NIST P-521 public key followed by a 32-byte XChaCha20 key, a 24-byte nonce, and a 20-byte HMAC. This is followed by variable-length null-byte padding and a unique 12-byte campaign identifier before the encrypted file content begins.
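The header layout just described is specific enough to parse, which is useful when triaging a file share after an incident. The following is an added example, not code from the page or from BlackBerry: a parser that checks a file’s leading bytes against the field order and sizes given above (133-byte P-521 public key, 32-byte key, 24-byte nonce, 20-byte HMAC, null padding, 12-byte campaign id) and combines that with the .basta extension into a triage verdict. The sample file, the campaign id and the `BastaHeader` field names are constructed for the demonstration; the only structural check beyond the page’s sizes is that an uncompressed P-521 point starts with the SEC1 tag byte 0x04.

```python
"""Added example (not code from the page or BlackBerry): a triage parser for the
encrypted-file header layout the text describes. Field order and sizes come
from the page; the sample file and campaign id are constructed."""
import os
from dataclasses import dataclass
from typing import Optional

P521_PUBKEY_LEN = 133      # uncompressed SEC1 point: 0x04 || X (66 bytes) || Y (66 bytes)
XCHACHA20_KEY_LEN = 32
XCHACHA20_NONCE_LEN = 24
HMAC_LEN = 20
CAMPAIGN_ID_LEN = 12
FIXED_HEADER_LEN = P521_PUBKEY_LEN + XCHACHA20_KEY_LEN + XCHACHA20_NONCE_LEN + HMAC_LEN  # 209


@dataclass
class BastaHeader:
    ephemeral_pubkey: bytes   # per-file P-521 public key; the matching private key stays with the attacker
    wrapped_key: bytes        # the 32-byte XChaCha20 file key as stored (ECC-encrypted per the text above)
    nonce: bytes
    hmac: bytes
    padding_len: int
    campaign_id: bytes
    ciphertext_offset: int    # where the encrypted file content starts


def parse_basta_header(data: bytes) -> Optional[BastaHeader]:
    """Return the parsed header if `data` follows the described layout, otherwise None."""
    if len(data) < FIXED_HEADER_LEN + CAMPAIGN_ID_LEN:
        return None
    if data[0] != 0x04:        # uncompressed P-521 points always carry the 0x04 tag byte
        return None
    pos = 0
    pubkey = data[pos:pos + P521_PUBKEY_LEN]; pos += P521_PUBKEY_LEN
    key = data[pos:pos + XCHACHA20_KEY_LEN]; pos += XCHACHA20_KEY_LEN
    nonce = data[pos:pos + XCHACHA20_NONCE_LEN]; pos += XCHACHA20_NONCE_LEN
    mac = data[pos:pos + HMAC_LEN]; pos += HMAC_LEN
    # Variable-length null padding precedes the campaign id. A campaign id that itself
    # begins with 0x00 would be mis-split here, so treat the parsed id as a lead, not proof.
    pad_start = pos
    while pos < len(data) and data[pos] == 0:
        pos += 1
    padding_len = pos - pad_start
    if len(data) < pos + CAMPAIGN_ID_LEN:
        return None
    campaign_id = data[pos:pos + CAMPAIGN_ID_LEN]; pos += CAMPAIGN_ID_LEN
    return BastaHeader(pubkey, key, nonce, mac, padding_len, campaign_id, pos)


def looks_like_basta_file(filename: str, data: bytes) -> bool:
    """Combine the .basta extension and the header layout into a single triage verdict."""
    return filename.lower().endswith(".basta") and parse_basta_header(data) is not None


def build_sample_file(campaign_id: bytes, padding_len: int = 7) -> bytes:
    """Constructed sample in the described layout; os.urandom stands in for real key material."""
    assert len(campaign_id) == CAMPAIGN_ID_LEN and campaign_id[0] != 0
    pubkey = b"\x04" + os.urandom(P521_PUBKEY_LEN - 1)
    return (pubkey + os.urandom(XCHACHA20_KEY_LEN) + os.urandom(XCHACHA20_NONCE_LEN)
            + os.urandom(HMAC_LEN) + b"\x00" * padding_len + campaign_id
            + b"<constructed ciphertext bytes>")


if __name__ == "__main__":
    sample = build_sample_file(b"CAMPAIGN-001")
    hdr = parse_basta_header(sample)
    print("matches layout:", looks_like_basta_file("report.docx.basta", sample))
    print("campaign id:", hdr.campaign_id, "ciphertext starts at byte", hdr.ciphertext_offset)
```

Grouping files by the parsed campaign identifier is a quick way to tell whether one intrusion or several touched a share; the stored key is ECC-encrypted, so parsing the header identifies the family and campaign but does not recover any file content.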

How to Prevent a Black Basta Attack

Preventing a Black Basta attack depends on implementing a comprehensive enterprise cybersecurity program that includes defensive tactics for preventing attackers from gaining initial access, implementing advanced endpoint security products, and maintaining an effective backup strategy to allow quick recovery from a successful ransomware attack.

Tactics for protecting against a Black Basta attack include:

  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Review network security controls against Black Basta’s known TTPs and prepare to detect known Black Basta IoCs and file signatures
  • Install and configure advanced endpoint security products that monitor endpoints for suspicious activity
  • Implement modern Identity and Access Management tools
  • Implement a reliable backup strategy with well-protected offline backups and practice disaster recovery procedures to ensure mean-time-to-recovery (MTTR) targets can be met

CylanceOPTICS Prevents Ransomware Attacks

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.