- The 70+ best Black Friday TV deals 2024: Save up to $2,000
- This AI image generator that went viral for its realistic images gets a major upgrade
- One of the best cheap Android phones I've tested is not a Motorola or Samsung
- The best VPN services for iPhone: Expert tested and reviewed
- Docker Desktop 4.36 | Docker
Examining the Black Basta Ransomware’s Infection Routine
Ransomware
We analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.
May 09, 2022
Read time: ( words)
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time.
On April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS and EXPLOIT.IN to advertise that it intends to buy and monetize corporate network access credentials for a share of the profits. The advertisement also specified that it was looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, which are all English-speaking countries. A report noted that malicious actors acquired stolen credentials from some darknet websites that peddle an enormous amount of exfiltrated data to the underground market.
On April 26, Twitter user PCrisk tweeted about the new Black Basta ransomware that appends the extension .basta and changes the desktop wallpaper.
This blog entry takes a closer look at the Black Basta ransomware and analyzes this newcomer’s familiar infection techniques.
The infection routine
Black Basta ransomware needs administrator rights to run. It otherwise displays a command prompt message as shown on Figure 1.
After running the ransomware as administrator, it removes shadow copies, disables Windows recovery and repair, and boots the PC in safe mode.
- C:WindowsSysNativevssadmin.exe delete shadows /all /quiet
- C:WindowsSysNativebcdedit.exe /deletevalue safeboot
- C:WindowsSysNativebcdedit /set safeboot networkChanges
It also drops the following files, which will be used later when changing the desktop wallpaper and icons for encrypted files:
- %Temp%fkdjsadasd.ico
- %Temp%dlaksjdoiwq.jpg
Before booting the infected device into safe mode, it changes the desktop wallpaper by dropping the .jpg file into the %temp% folder and creating the following registry entry:
- Key: HKCUControl PanelDesktop; Value: Wallpaper; Data:%Temp%dlaksjdoiwq.jpg;
After changing the desktop wallpaper, it then adds the following registry keys to change the icon of the encrypted files with the .basta extension:
- HKLMSOFTWAREClasses.basta
- HKLMSOFTWAREClasses.bastaDefaultIcon data: %TEMP%fkdjsadasd.ico
The ransomware proceeds to encrypt files while the device is in safe mode, appending all encrypted files with the .basta extension. The ransom note is found in all the folders the ransomware has affected.
The ransom note indicates the malicious actor’s onion site and a company ID. Despite running the same ransomware (SHA256 hash: 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa) on different virtual machines, the company ID the gang provides is the same across all devices.
Using another binary (SHA256 hash: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a), a different company ID is shown on the ransom note. The files are likewise appended with the .basta extension.
Analyzing the infection routine
Black Basta’s recent entry to the cybercrime world suggests that information about their operations is still limited. According to a report, the gang has neither started marketing its operations nor has it begun recruitment of affiliates in underground forums. Based on advertisements they posted before the attacks, the malicious actor likely uses stolen credentials — purchased in darknet websites or underground forums — to get into an organization’s system.
We probed further and found that the company ID written in the ransom note is hardcoded in the binary file.
Black Basta attempts to delete shadow copies using vssadmin.exe and boots the device in safe mode using bcdexit.exe from different paths, specifically, %SysNative% and %System32%.
At this stage, the ransomware deletes the service named Fax, and creates a new one with the same name using the malware’s path and adds it to the registry for persistence.
It then uses ShellExecuteA to shut down and restart the victim’s machine.
Extortion phase
For a newcomer in the field, Black Basta is quite prolific for having compromised at least a dozen organizations in just a few weeks. The group’s first known attack using the Black Basta ransomware occurred in the second week of April 2022. But an earlier sample was also spotted back in February 2022 with the ransomware name “no_name_software,” which appends the extension “encrypted” to encrypted files. According to some threat researchers, it appears that Black Basta has been in development since early February 2022.
Like other enterprise-focused ransomware operations, Black Basta employs a double extortion scheme that involves exfiltrating confidential data before encryption to threaten victims with public release of the stolen data.
The gang carries out the extortion phase of its attacks on its Tor site, Basta News, which contains a list of all the victims who have not paid the ransom.
Possible relation to an APT
Security researchers exchanged speculations on Twitter that Black Basta is possibly a rebranding of the Conti ransomware operation. MalwareHunterTeam pointed out many similarities in its leak site, payment site, and negotiation style to those of Conti’s. Twitter user Arkbird echoed the same observation. Lawrence Abrams of BleepingComputer also mentioned that the malicious actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity.
We have also noticed some similarities between the Black Basta and Black Matter payment sites. Like Black Matter, Black Basta implements user verification on its Tor site. However, the leak site does not implement a session key.
Insights
The malicious actors could be using a unique binary for each organization that they target. This can be seen from the ransom note that they drop, which is hardcoded in the malware itself. A ransomware typically creates a unique ID for each victim despite being infected by the same executable. Their choice of target organizations also suggests this to be the case. They buy corporate network access credentials in underground markets, which could mean that they do not distribute their malware sporadically. Instead, they use a certain kind of binary or variant for a specific organization.
Recommendations
Threat researchers suggest that the recent attacks by Black Basta can be seen as early manifestations of Conti’s rebranding efforts. True or not, organizations should keep a watchful eye against ransomware threats. An organization’s thorough assessment of its security posture and its implementation of solid cybersecurity defenses give it a better fighting chance against such threats.
To protect systems against similar attacks, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware. Here are some best practices that organizations can consider:
Audit and inventory
- Take an inventory of assets and data
- Identify authorized and unauthorized devices and software
- Audit event and incident logs
Configure and monitor
- Manage hardware and software configurations
- Grant admin privileges and access only when necessary to an employee’s role
- Monitor network ports, protocols, and services
- Activate security configurations on network infrastructure devices such as firewalls and routers
- Establish a software allowlist that only executes legitimate applications
Patch and update
- Conduct regular vulnerability assessments
- Perform patching or virtual patching for operating systems and applications
- Update software and applications to their latest versions
Protect and recover
- Implement data protection, backup, and recovery measures
- Enable multifactor authentication (MFA)
Secure and defend
- Employ sandbox analysis to block malicious emails
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
- Detect early signs of an attack such as the presence of suspicious tools in the system
- Use advanced detection technologies such as those powered by AI and machine learning
Train and test
- Regularly train and assess employees in security skills
- Conduct red-team exercises and penetration tests
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.
- Trend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
SHA256 | Trend Micro Detection |
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa | Ransom.Win32.BASTACRYPT.THDBGBB |
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a | Ransom.Win32.BASTACRYPT.YXCD2 |
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e | Ransom.Win32.BASTACRYPT.THDBIBB |
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 | Ransom.Win32.BASTACRYPT.YXCD2 |
a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1 | Ransom.Win32.BASTACRYPT.THDBGBB |
1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250 | Ransom.Win32.BASTACRYPT.YXCD2 |
2967e1d97d32605fc5ace49a10828800fbbefcc1e010f6004a9c88ef3ecdad88 | Ransom.Win32.BASTACRYPT.YXCD2.note |
f088e6944b2632bb7c93fa3c7ba1707914c05c00f9491e033f78a709d65d7cff | Ransom.Win32.BASTACRYPT.YXCD2.note |
Tags
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk