Black Basta, a ransomware group first observed in April 2022, may be a rebranding of the Conti ransomware group, according to speculation on the dark web. Little is known for certain, but observers note similarities between the two groups' data leak site infrastructure, payment methods and communication style, and suspect that Black Basta is run by skilled and experienced ransomware operators. Recently leaked Conti chats also indicate that Conti operatives may be trying to elude law enforcement by rebranding and operating under a new ransomware name.

Impact

Black Basta ransomware noticeably slows the infected machine while it runs, leaves the victim's files encrypted and unusable, and drops a ransom note. Recent known victims include a German manufacturer of high-quality products for the automotive industry, a California electronics company and an Alabama wholesale tire and battery service.

DXC perspective

A secured infrastructure, coupled with a robust cyber defense program that includes regular employee training, can help protect your environment from ransomware.

Threat hunting tips

Black Basta’s data leak site can be found at the following Tor address:

stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion/

Observed Black Basta TTPs

Attack vectors:

  • Insecure and vulnerable remote desktop protocol (RDP) configuration
  • Phishing campaigns
  • Malicious downloads
  • Web injections
  • Repackaged or infected installers

Compromised machine behavior:

Black Basta degrades host performance through intensive file and thread activity while it encrypts.

It has also been observed accessing registry keys, creating file mappings and querying computer information.

Once encryption is complete, the malware changes the desktop wallpaper; files on the desktop are left encrypted and unusable.

The ransomware appends the .basta extension to encrypted files and drops a ransom note titled "readme.txt" into directories on the C:\ drive. During detonation the note appeared in the following directories (Python27 and PDFStreamDumper are analysis tools installed on the sandbox host, so the exact set will differ on a victim machine):

  • ProgramData
  • PerfLogs
  • Python27
  • PDFStreamDumper
  • Desktop

Black Basta skips the following directories:

  • Program Files
  • Program Files (x86)
  • Windows
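A host triage script for the file artifacts described above, added here as an example and not part of the original advisory. It walks a drive root, counts .basta files per top-level directory, confirms readme.txt candidates by content using phrases quoted from the note ("stolen and encrypted", "decrypt one file for free") so that a legitimate README such as the one shipped with Python is not miscounted, and checks that the directories the ransomware skips are untouched. The sample directory tree, its file names and the note wording are constructed for the demonstration.

```python
"""Triage a drive root for Black Basta file artifacts.

Added example, not code from the original advisory. Reports files renamed
with the .basta extension, ransom notes named readme.txt (confirmed by the
phrases the note is known to contain), and whether the directories the
ransomware was observed to skip are clean. The sample tree is constructed.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".basta"
NOTE_NAME = "readme.txt"
# Phrases quoted from the ransom note; used to tell the note from an ordinary README.
NOTE_MARKERS = ("stolen and encrypted", "decrypt one file for free")
# Top-level directories Black Basta was observed to skip.
SKIPPED_DIRS = ("Program Files", "Program Files (x86)", "Windows")


def looks_like_ransom_note(path):
    """True if the file contains wording from the Black Basta note."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read(65536).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def triage(root):
    """Walk root and summarise Black Basta artifacts.

    Returns a dict with the count of .basta files per top-level directory,
    the relative paths of confirmed ransom notes, any artifact found under a
    directory the ransomware normally skips, and an overall verdict.
    """
    encrypted = Counter()
    notes = []
    skipped_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            top = rel.split(os.sep)[0]
            is_encrypted = name.lower().endswith(ENCRYPTED_EXT)
            is_note = name.lower() == NOTE_NAME and looks_like_ransom_note(full)
            if is_encrypted:
                encrypted[top] += 1
            if is_note:
                notes.append(rel)
            if (is_encrypted or is_note) and top in SKIPPED_DIRS:
                skipped_hits.append(rel)
    return {
        "encrypted_by_dir": encrypted,
        "notes": sorted(notes),
        "skipped_dir_hits": sorted(skipped_hits),
        "skipped_dirs_clean": not skipped_hits,
        "likely_black_basta": bool(encrypted) and bool(notes),
    }


def build_sample_tree(root):
    """Constructed post-detonation layout mirroring the directories listed above."""
    note = ("All of your data are stolen and encrypted.\n"
            "Contact us to decrypt one file for free.\n").encode()
    blob = b"\x00" * 32  # stand-in for encrypted content
    layout = {
        os.path.join("ProgramData", "report.docx.basta"): blob,
        os.path.join("ProgramData", NOTE_NAME): note,
        os.path.join("PerfLogs", NOTE_NAME): note,
        os.path.join("Users", "analyst", "Desktop", "budget.xlsx.basta"): blob,
        os.path.join("Users", "analyst", "Desktop", NOTE_NAME): note,
        # Legitimate README sharing the note's name: must not be counted.
        os.path.join("Python27", "README.txt"): b"This is Python version 2.7\n",
        # Skipped directories stay untouched.
        os.path.join("Windows", "System32", "notepad.exe"): b"MZ",
        os.path.join("Program Files", "Mozilla Firefox", "firefox.exe"): b"MZ",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    for top, count in sorted(result["encrypted_by_dir"].items()):
        print(f"{count:4d} .basta file(s) under {top}")
    for rel in result["notes"]:
        print(f"ransom note: {rel}")
    print("skipped directories clean:", result["skipped_dirs_clean"])
    print("verdict: likely Black Basta" if result["likely_black_basta"] else "verdict: no match")
```

Point triage() at a mounted image or a live drive root instead of the temporary tree to use it on a real host; the content check on readme.txt is what keeps the note count honest, since several legitimate packages ship a file of that name.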

Final malware steps

The ransomware deletes the volume shadow copies (the vssadmin command lines are listed under MITRE ATT&CK technique detection below) and disables Windows repair and recovery functions so that the damage cannot be rolled back.

In the ransom note, the operators state that data has been "stolen and encrypted" and invite the victim to "decrypt one file for free" by contacting them at the following Tor address:

hxxps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion:80/

On that page the user is instructed to supply the "company id" provided in the ransom note and pass a captcha before a dialogue with the Black Basta operators is opened.

VTI intel

VirusTotal Intelligence attributes of the analysed sample:

File                  sample.bin
MD5                   998022b70d83c6de68e5bdf94e0f8d71
SHA-1                 b87a947f3e85701fcdadd733e9b055a65a3b1308
SHA-256               7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
Vhash                 055056655d15556028z74hz13z1fz
Authentihash          8f2cc86c7ca47c16096020576aa705f5097307c677ab3b61c58cc3f552286e91
Imphash               b3794746554a5701b2de3e5ea435c59b
Rich PE header hash   097c3efd91e657b69051326b4792cc68
SSDEEP                12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlA:AzmoQqUiXw2s6yiVx
TLSH                  T19FC47C213581C43BD6A243B04DACDA95727DBC300F6206CBE3D45A6E5A7C5F27B329B6
File type             Win32 EXE
Magic                 PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID                  Win64 Executable (generic) (32.2%)
                      Win32 Dynamic Link Library (generic) (20.1%)
                      Win16 NE executable (generic) (15.4%)
                      Win32 Executable (generic) (13.7%)
                      OS/2 Executable (generic) (6.2%)
File size             543.50 KB (556544 bytes)

TrID's top guess (Win64) is a statistical heuristic; the Magic and File type fields agree that the sample is a 32-bit console PE.

MITRE ATT&CK technique detection

Sandbox behavioural detections for the sample, with the ATT&CK mapping where the report gave one.

Severity  Technique
          Details

High      Attempts to delete or modify volume shadow copies

High      Attempts to modify desktop wallpaper

High      Writes a potential ransom message to disk
          ransom_note: C:\readme.txt

High      Exhibits possible ransomware file modification behavior
          Impact: Data Encrypted for Impact [T1486]
          Mass file deletion: appears to have deleted 209 files, indicative of ransomware or wiper malware deleting files to prevent recovery

High      Likely virus infection of existing system binary
          file: c:\program files\mozilla firefox\maintenanceservice.exe
          file: c:\program files\mozilla firefox\firefox.exe
          file: c:\program files\mozilla firefox\crashreporter.exe
          file: c:\program files\mozilla firefox\minidump-analyzer.exe
          file: c:\program files\mozilla firefox\default-browser-agent.exe
          file: c:\program files\mozilla firefox\maintenanceservice_installer.exe

High      Attempts to identify installed AV products by installation directory
          Discovery: Software Discovery: Security Software Discovery [T1518.001]
          file: C:\ProgramData\McAfee\MCLOGS
          file: C:\Users\All Users\McAfee\readme.txt
          file: C:\ProgramData\McAfee\MCLOGS\readme.txt
          file: C:\Users\All Users\McAfee
          file: C:\ProgramData\McAfee\readme.txt
          file: C:\ProgramData\McAfee\*
          file: C:\ProgramData\McAfee

High      Uses suspicious command line tools or Windows utilities
          command: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
          command: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
          command: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
          command: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet

Medium    Uses Windows utilities for basic functionality

Two rows deserve a caveat before they are turned into hunting logic. Several of the "installed AV products" hits are readme.txt writes into C:\ProgramData\McAfee and its subdirectories (C:\Users\All Users is a junction to C:\ProgramData, hence the duplicate paths), which is consistent with the ransom-note drop landing in a security vendor's folder rather than deliberate AV discovery. The "infection of existing system binary" row points at Mozilla Firefox binaries under Program Files, a directory the observed behaviour above lists as skipped; treat it as an unconfirmed sandbox inference until seen on a real incident.
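Detection logic for the shadow-copy deletion, added here as an example and not part of the original advisory or the sandbox report. It runs the four vssadmin command lines recorded in the table above against constructed Sysmon-style process-creation records. The point it makes is that a rule matching only the literal C:\Windows\System32\vssadmin.exe path misses two of the four variants: the sample is a 32-bit executable (see VTI intel), so on a 64-bit host it reaches the native vssadmin through the SysNative alias, and it sometimes launches through cmd.exe /c. Normalising both before matching yields one rule that covers all four. The record format, the parent images and the non-matching events are assumptions made for the demonstration.

```python
"""Detect Black Basta shadow-copy deletion in process-creation telemetry.

Added example, not code from the original advisory. Normalises the command
line (unwraps "cmd.exe /c ...", folds the WoW64 SysNative alias onto
System32) and then matches "vssadmin delete shadows". The record format and
sample events are constructed; the four vssadmin command lines are the ones
reported by the sandbox.
"""
import re

# cmd.exe launcher prefix, optionally quoted and with any path: "C:\...\cmd.exe /c ".
CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# WoW64 alias that a 32-bit process uses to reach the 64-bit System32 directory.
SYSNATIVE = re.compile(r'\\sysnative\\', re.I)
# vssadmin delete shadows with any path prefix; captures the remaining switches.
VSS_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$', re.I)


def normalise_command(cmdline):
    """Strip a cmd.exe /c wrapper and map SysNative to System32."""
    inner = CMD_WRAPPER.sub("", cmdline, count=1).strip()
    return SYSNATIVE.sub(r"\\System32\\", inner)


def parse_record(line):
    """Parse a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(cmdline):
    """Return 'High', 'Medium' or None for a normalised command line."""
    match = VSS_DELETE.search(cmdline)
    if not match:
        return None
    args = match.group("args").lower()
    # "/all" wipes every shadow copy on the host, the pattern in the table above;
    # a scoped deletion (/for=..., /oldest, /shadow=...) is still worth a review.
    return "High" if "/all" in args else "Medium"


def detect_shadow_deletion(records):
    """Return one alert per process-creation record that deletes shadow copies."""
    alerts = []
    for line in records:
        rec = parse_record(line)
        if rec.get("EventID") != "1":  # Sysmon Event ID 1: process creation
            continue
        norm = normalise_command(rec.get("CommandLine", ""))
        severity = classify(norm)
        if severity:
            alerts.append({
                "severity": severity,
                "parent": rec.get("ParentImage", ""),
                "command": norm,
                "technique": "Attempts to delete or modify volume shadow copies",
            })
    return alerts


# Constructed records. The four vssadmin command lines are those in the table above;
# parent images, the benign events and the file-create event are made up.
SAMPLE_RECORDS = [
    r"EventID=1|Image=C:\Windows\system32\cmd.exe|CommandLine=C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Users\analyst\Desktop\sample.exe",
    r"EventID=1|Image=C:\Windows\system32\cmd.exe|CommandLine=C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Users\analyst\Desktop\sample.exe",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Windows\system32\cmd.exe",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Windows\system32\cmd.exe",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\Windows\system32\cmd.exe",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin delete shadows /for=C: /oldest /quiet|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=1|Image=C:\Windows\system32\cmd.exe|CommandLine=C:\Windows\system32\cmd.exe /c ipconfig /all|ParentImage=C:\Windows\explorer.exe",
    r"EventID=11|Image=C:\Users\analyst\Desktop\sample.exe|TargetFilename=C:\readme.txt",
]


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] {alert['technique']}")
        print(f"    parent:  {alert['parent']}")
        print(f"    command: {alert['command']}")
```

After normalisation all four sandbox variants collapse to the same string, so a single exact or regex match on "vssadmin.exe delete shadows /all /quiet" fires for each of them; the "ipconfig /all" event shows why the rule must key on vssadmin rather than on the "/all" switch alone.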