Insights, news, education and announcements from PolySwarm

Black Basta Targeting Critical Infrastructure

Written by The Hivemind | May 17, 2024 6:19:41 PM

Related Families: Qakbot
Verticals Targeted: Critical Infrastructure, Healthcare

Executive Summary

CISA recently issued an advisory warning critical infrastructure entities to harden their defenses against attacks from Black Basta.

Key Takeaways

  • CISA recently issued an advisory warning critical infrastructure entities to harden their defenses against attacks from Black Basta.
  • Black Basta has targeted at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health sector. 
  • Black Basta ransomware is considered dangerous based on the rapid rate of successful attacks and its destructive potential. 
  • As of May 2024, Black Basta has claimed over 500 victims. 

A Cause for Alert

CISA recently issued an advisory warning critical infrastructure entities to harden their defenses against attacks from Black Basta. CISA stated Black Basta has targeted at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health sector.

The other critical infrastructure sectors impacted by this activity were not specified. However, we have provided a list of all sixteen critical infrastructure sectors below for reference:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial
  • Food and Agriculture
  • Government Facilities 
  • Healthcare and Public Health
  • IT
  • Nuclear 
  • Transportation
  • Water and Wastewater Systems

What is Black Basta?

Black Basta ransomware, first identified in April 2022, has been on PolySwarm’s radar since it was first reported. We featured Black Basta as a malware family to watch in 2023 and again in our 2023 Recap - Malware Hall of Fame.

Although industry researchers discovered Black Basta in April 2022, compile timestamps suggest the ransomware may have been active as early as February 2022. Both Windows and Linux variants exist, and the ransomware is written in C++. Black Basta’s encryption scheme uses ChaCha20 for file contents and RSA-4096 to protect the ChaCha20 key material. To speed up encryption, the ransomware encrypts intermittently rather than end to end: it encrypts a 64-byte chunk, leaves the next 128 bytes untouched, and repeats, so roughly two-thirds of every file remains in plaintext. That trade-off matters to responders, since the untouched ranges can still be carved for content, and the alternating high/low entropy pattern across each file is itself a usable detection signal.
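To make the chunk layout concrete, the following added example (not Black Basta's code and not PolySwarm tooling) models the 64-byte-encrypted / 128-byte-skipped pattern over a constructed log file, shows how much plaintext survives, and implements a heuristic that detects the resulting entropy stripe. The ChaCha20 keystream is replaced by a SHA-256 counter-mode stand-in and the RSA-4096 key wrapping is omitted so the script runs on the Python standard library alone; the constants, function names, key and sample log are assumptions made for the example.

```python
"""Model of intermittent (64 on / 128 off) file encryption and a heuristic
detector for the stripe it leaves. Added example only: the keystream is a
SHA-256 counter-mode stand-in for ChaCha20, and RSA-4096 key wrapping is
not modelled."""
import hashlib
import math

# Chunk layout described in the text: 64 bytes encrypted, then 128 bytes skipped.
ENC_CHUNK = 64
SKIP_CHUNK = 128
PERIOD = ENC_CHUNK + SKIP_CHUNK

# Constructed sample input: 24 synthetic sshd log lines (~2.3 KB), not real data.
SAMPLE_LOG = b"".join(
    b"2024-05-17 18:19:%02d host01 sshd[%d]: Accepted publickey for alice "
    b"from 10.0.0.5 port %d ssh2\n" % (s, 2200 + s, 51000 + s)
    for s in range(24)
)
DEMO_KEY = b"\x11" * 32  # constructed key for the demo, not from any sample


def keystream_block(key: bytes, index: int) -> bytes:
    """Keystream for the index-th encrypted chunk.
    Assumption: SHA-256 in counter mode stands in for ChaCha20 here."""
    blocks = [
        hashlib.sha256(key + index.to_bytes(8, "little") + bytes([sub])).digest()
        for sub in range(ENC_CHUNK // 32)
    ]
    return b"".join(blocks)[:ENC_CHUNK]


def stripe_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the first ENC_CHUNK bytes of each PERIOD-byte window with keystream;
    the SKIP_CHUNK bytes that follow are copied through untouched. Because the
    transform is XOR, applying it again with the same key decrypts."""
    out = bytearray(data)
    for index, off in enumerate(range(0, len(data), PERIOD)):
        chunk = data[off:off + ENC_CHUNK]
        ks = keystream_block(key, index)
        out[off:off + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def untouched_bytes(data: bytes) -> bytes:
    """Plaintext the scheme never touches: the SKIP_CHUNK gap of every window."""
    return b"".join(
        data[off + ENC_CHUNK:off + PERIOD] for off in range(0, len(data), PERIOD)
    )


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte over buf (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def stripe_score(data: bytes) -> float:
    """Fraction of full PERIOD windows whose first ENC_CHUNK bytes look encrypted
    (entropy near the 6-bit ceiling for 64 bytes) while the SKIP_CHUNK bytes
    after them do not. A fully encrypted file scores ~0 here: both parts are
    then high entropy and the larger window reads higher, not lower."""
    periods = len(data) // PERIOD
    if periods == 0:
        return 0.0
    hits = 0
    for off in range(0, periods * PERIOD, PERIOD):
        h_enc = shannon_entropy(data[off:off + ENC_CHUNK])
        h_gap = shannon_entropy(data[off + ENC_CHUNK:off + PERIOD])
        if h_enc > 5.2 and h_enc - h_gap > 0.5:
            hits += 1
    return hits / periods


def looks_stripe_encrypted(data: bytes, min_score: float = 0.8) -> bool:
    """True when most windows carry the encrypted-then-plaintext stripe."""
    return stripe_score(data) >= min_score


ENCRYPTED_SAMPLE = stripe_encrypt(SAMPLE_LOG, DEMO_KEY)

if __name__ == "__main__":
    print("stripe score:", round(stripe_score(ENCRYPTED_SAMPLE), 2))
    survived = len(untouched_bytes(ENCRYPTED_SAMPLE)) / len(ENCRYPTED_SAMPLE)
    print("plaintext left untouched: %.0f%%" % (100 * survived))
    print("round trip ok:", stripe_encrypt(ENCRYPTED_SAMPLE, DEMO_KEY) == SAMPLE_LOG)
```

The thresholds in `stripe_score` are tuned for text-like input, where a 128-byte plaintext gap sits well below 5 bits per byte; for already-compressed or encrypted inputs (archives, media, databases with encrypted pages) the gap is high entropy too and the heuristic will not fire, so treat it as one signal among several, not a standalone verdict. The untouched-bytes function is the practical upside of the scheme for responders: two-thirds of each file is recoverable without the key.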

For initial access, Black Basta threat actors typically use spearphishing or Qakbot. CISA noted that in February 2024, Black Basta threat actors started exploiting CVE-2024-1709, an authentication bypass in ConnectWise ScreenConnect, for initial access. At times, the threat actors have also used valid credentials, likely obtained from an initial access broker or from prior targeting.

Black Basta uses a variety of tools for network scanning, remote access, and lateral movement, including SoftPerfect Network Scanner, BITSAdmin, PsExec, RDP, Splashtop, ScreenConnect, and Cobalt Strike. For privilege escalation, Black Basta uses Mimikatz to harvest credentials and has also been observed exploiting ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527). All four CVEs have vendor patches available, so patch status for domain controllers and print spoolers is a direct check against this playbook.

Black Basta typically uses a double extortion model, launching a ransomware attack and stealing sensitive data from a victim, threatening to sell or release it if the victim does not pay the ransom. Black Basta has targeted multiple verticals in the past, including manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automotive, clothing, and others.

Black Basta has proven to be an effective and profitable RaaS. Industry researchers estimated the group made over $100 million USD in its first two years of activity. Additionally, it continues to be one of the most active ransomware families. Black Basta ransomware is considered dangerous based on the rapid rate of successful attacks and its destructive potential. As of May 2024, Black Basta has claimed over 500 victims. 

IOCs

PolySwarm actively tracks Black Basta. A selection of some of our most recent Black Basta samples is provided below. Black Basta is also currently featured on our portal as an Emerging Threat. 


69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944

0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e

38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e

ebbd88b3ba1b0750cd8f0326dbabd94ed97cccd83baed2121e6ceaefa7f7eb1b

c61a3b75e95ea37acb0d7653126ce080c807caf182c5002d2a2185e87f533dd6

645a18f737bd6d810a48c4a47ace62c196eb1ef285f8ca9bea6218b312fff16e

2bd509669c694baeb1234cc20b362e3b9a5d7619e200d949a0c9fd425e206ef3

252968fd0fd5d2ab59ce391f4fccb031e3da691667165ef5f5002f007106a9fc

55864f80ff6cd650dbdec3087a877f2198a7c48188456c0c81b53707cabaad6a

660ff544cb4ffa2d32b0b8eb8c2d6945dd465b6b46aa55b0b4a042bf9a86ab1c


You can use the following CLI command to search for all Black Basta samples in our portal:

$ polyswarm link list -f "Black Basta"


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.