Cybereason recently reported on Black Basta ransomware, which has claimed around 50 victims so far, making it a prominent threat.
- Black Basta ransomware, first identified in April 2022, has claimed around 50 victims and is considered a “prominent threat” by researchers at Cybereason.
- The ransomware primarily targets entities in English-speaking countries, across multiple verticals.
- Black Basta targets both Windows and VMware ESXi virtual machines running on enterprise Linux servers.
What is Black Basta?
Black Basta ransomware, first identified in April 2022, has claimed around 50 victims thus far. Based on compile dates, the ransomware may have been active as early as February 2022. The group’s first known activity was in mid-April when a user named BlackBasta posted on underground forums XSS[.]IS and EXPLOIT[.]IN. Their post, written in the Russian language, stated their intent to buy and monetize corporate network access, promising affiliates a share of the profit. The user sought access to organizations in the US, Canada, UK, Australia, and New Zealand. So far the threat actors behind Black Basta have targeted multiple verticals including manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automotive, clothing, and others.
Prior to infecting a victim with Black Basta, the threat actors attempt to infiltrate and move laterally across the network, carrying out a RansomOps attack. The threat actors harvest credentials and then target the Domain Controller, using PsExec for lateral movement. To evade detection, the threat actors create a Group Policy Object (GPO) to disable Windows Defender and attempt to disable any anti-virus products. The final stage of the attack is the deployment of Black Basta ransomware, using an encoded PowerShell command that leverages WMI to push out the ransomware binary to target machines. In early June, the threat actors behind Black Basta reportedly used QBot to spread their ransomware.
Black Basta uses vssadmin.exe to delete volume shadow copies of the system prior to encrypting a victim’s files. The ransomware also drops two files into %TEMP%: an icon file and a JPEG file. The icon file serves as the icon for the encrypted files, while the JPEG file is set as the victim’s desktop wallpaper. The wallpaper contains a message stating: “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.” The ransomware encrypts files, appending the .basta extension, and drops a copy of the ransom note readme.txt in each folder. The ransom note is custom-tailored per victim and includes a unique identifier for the victim to use when communicating with the threat actors.
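The two paragraphs above describe behaviours that show up in ordinary endpoint telemetry: shadow-copy deletion with vssadmin.exe, PsExec on the host, an encoded PowerShell command whose decoded body calls into WMI, and files gaining the .basta extension next to a readme.txt note. The following is an added example, not code from the Cybereason or PolySwarm write-up, of triage logic run over constructed events. The event schema (dicts with type, image, cmdline and target_file) and the sample events are assumptions made for the example; the base64/UTF-16LE decoding is the real encoding PowerShell uses for -EncodedCommand.

```python
import base64
import re

# Added example: triage constructed process-creation and file-creation events
# for the Black Basta behaviours described in the write-up. Event fields are
# a hypothetical schema, not a specific product's log format.

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
WMI_RE = re.compile(r"win32_process|invoke-wmimethod|get-wmiobject|\bwmic\b", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE payload behind -EncodedCommand/-enc, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_powershell(script):
    """Used only to build the constructed sample below; mirrors what PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify(event):
    """Return the list of rule names a single event triggers (empty list if none)."""
    hits = []
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("cmdline", "")
    low = cmd.lower()

    # Shadow-copy deletion ahead of encryption
    if image == "vssadmin.exe" and "delete" in low and "shadows" in low:
        hits.append("shadow_copy_deletion")

    # PsExec client or its service binary present on the host
    if image in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        hits.append("psexec_lateral_movement")

    # Encoded PowerShell whose decoded body reaches for WMI
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded and WMI_RE.search(decoded):
            hits.append("encoded_powershell_wmi")

    # File-creation events: encrypted-file extension and per-folder ransom note.
    # The readme.txt rule is noisy on its own; weight it together with the others.
    target = event.get("target_file", "").lower()
    if target.endswith(".basta"):
        hits.append("basta_extension")
    if event.get("type") == "file_create" and target.rsplit("\\", 1)[-1] == "readme.txt":
        hits.append("ransom_note_dropped")

    return hits


def triage(events):
    """Map event index -> triggered rules, keeping only events that triggered something."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events (not real telemetry). Placeholders stand in for host and binary names.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_powershell("Invoke-WmiMethod -Class Win32_Process -Name Create "
                                    "-ArgumentList 'C:\\PLACEHOLDER\\sample.exe'")},
    {"type": "process_create",  # benign: no encoded command, should not trigger
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"type": "file_create", "image": r"C:\Users\Public\PLACEHOLDER.exe",
     "target_file": r"C:\Users\alice\Documents\budget.xlsx.basta"},
    {"type": "file_create", "image": r"C:\Users\Public\PLACEHOLDER.exe",
     "target_file": r"C:\Users\alice\Documents\readme.txt"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The encoded-command decoder is the part worth keeping: string matching on the raw command line misses the WMI call entirely, because it only exists inside the base64 blob. The fourth sample event shows that a plain -ExecutionPolicy invocation does not trip the rule.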
The Linux version of Black Basta was observed in early June 2022, encrypting VMware ESXi virtual machines running on enterprise Linux servers. Except for the differences in operating systems, the Linux version operates similarly to the Windows version.
The threat actors behind Black Basta use double extortion tactics, threatening to publish stolen data if the victim does not pay the ransom. Researchers at Cybereason assess Black Basta to be a “prominent threat”, based on the rapid rate of successful attacks and the ransomware’s destructive potential.
PolySwarm has multiple samples of Black Basta.
You can use the following CLI command to search for all Black Basta samples in our portal:
$ polyswarm link list -f BlackBasta
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.