Black Basta, an emerging ransomware group first observed in April 2022, may be a rebranding of the Conti ransomware group, according to speculation on the dark web. Although little is known for sure, observers note similarities between the two groups’ data leak site infrastructures, payment methods and communication styles. They suspect Black Basta may be run by skilled and experienced ransomware operators. In addition, recently leaked Conti chats indicate Conti operatives may be trying to elude law enforcement by rebranding and working under a new ransomware group.
Impact
Black Basta ransomware slows down machine processes and ultimately makes desktop files unusable before dropping a ransom note. The latest known victims include a German manufacturer of high-quality products for the automotive industry, a California electronics company and an Alabama wholesale tire and battery service.
DXC perspective
A secured infrastructure coupled with a robust cyber defense program that includes regular employee training can help protect your environment from ransomware.
Threat hunting tips
Black Basta’s data leak site can be found at the following Tor address:
stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion/
Observed Black Basta TTPs
Attack vectors:
- Insecure and vulnerable remote desktop protocol (RDP) configuration
- Phishing campaigns
- Malicious downloads
- Web injections
- Repackaged or infected installers
Compromised machine behavior:
Black Basta slows down machine processes through heavy file and thread access.
It has also been observed accessing registry keys, initiating file mapping and querying computer information.
Once the encryption process is complete, the malware changes the wallpaper, and files on the desktop become encrypted and unusable.
The ransomware appends the .basta extension to encrypted files and drops a ransom note titled “readme.txt” in directories on the C:\ drive, including:
● Program data
● Perflogs
● Python27
● PDFStreamDumper
● Desktop
Black Basta also bypasses the following directories:
● Program files
● Program files (x86)
● Windows
Final malware steps
The ransomware deletes volume shadow copies and disables Windows repair and recovery functions so that the damage cannot be undone from local backups.
In the ransom note, operators write that data has been “stolen and encrypted,” and that the victim should contact operators to “decrypt one file for free” by going to the following Tor address:
hxxps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion:80/
Upon going to the Tor address, the user is instructed to document the “company id” provided in the ransom note and pass a captcha request to initiate dialogue with Black Basta ransomware operators.
VTI intel
File: sample.bin
Field | Value |
MD5 | 998022b70d83c6de68e5bdf94e0f8d71 |
SHA-1 | b87a947f3e85701fcdadd733e9b055a65a3b1308 |
SHA-256 | 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a |
Vhash | 055056655d15556028z74hz13z1fz |
Authentihash | 8f2cc86c7ca47c16096020576aa705f5097307c677ab3b61c58cc3f552286e91 |
Imphash | b3794746554a5701b2de3e5ea435c59b |
Rich PE header hash | 097c3efd91e657b69051326b4792cc68 |
SSDEEP | 12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlA:AzmoQqUiXw2s6yiVx |
TLSH | T19FC47C213581C43BD6A243B04DACDA95727DBC300F6206CBE3D45A6E5A7C5F27B329B6 |
File type | Win32 EXE |
Magic | PE32 executable for MS Windows (console) Intel 80386 32-bit |
TrID | Win64 Executable (generic) (32.2%); Win32 Dynamic Link Library (generic) (20.1%); Win16 NE executable (generic) (15.4%); Win32 Executable (generic) (13.7%); OS/2 Executable (generic) (6.2%) |
File size | 543.50 KB (556544 bytes) |
MITRE ATT&CK technique detection
Severity | Technique | Details |
High | Attempts to delete or modify volume shadow copies | |
High | Attempts to modify desktop wallpaper | |
High | Writes a potential ransom message to disk | ransom_note:C:\readme.txt |
High | Exhibits possible ransomware file modification behavior (Impact: Data Encrypted for Impact [T1486]) | mass file_deletion: Appears to have deleted 209 files, indicative of ransomware or wiper malware deleting files to prevent recovery |
High | Likely virus infection of existing system binary | file:c:\program files\mozilla firefox\maintenanceservice.exe file:c:\program files\mozilla firefox\firefox.exe file:c:\program files\mozilla firefox\crashreporter.exe file:c:\program files\mozilla firefox\minidump-analyzer.exe file:c:\program files\mozilla firefox\default-browser-agent.exe file:c:\program files\mozilla firefox\maintenanceservice_installer.exe |
High | Attempts to identify installed AV products by installation directory (Discovery: Software Discovery: Security Software Discovery [T1518.001]) | file:C:\ProgramData\McAfee\MCLOGS file:C:\Users\All Users\McAfee\readme.txt file:C:\ProgramData\McAfee\MCLOGS\readme.txt file:C:\Users\All Users\McAfee file:C:\ProgramData\McAfee\readme.txt file:C:\ProgramData\McAfee\* file:C:\ProgramData\McAfee |
High | Uses suspicious command line tools or Windows utilities | command:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet command:C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet command:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet command:C:\Windows\System32\vssadmin.exe delete shadows /all /quiet |
Medium | Uses Windows utilities for basic functionality | |
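The compromised-machine behavior described above (.basta extension, readme.txt notes in C:\ directories outside the bypassed ones) and the vssadmin command lines in the detection table can be turned into a simple hunting rule. The following is an added example written for this advisory, not DXC's or any vendor's detection code; the Sysmon-style event IDs (1 = process create, 11 = file create) and the "Key=Value" log format are assumptions, and the sample events are constructed.

```python
import re
from collections import Counter

# Indicators taken from the advisory text: encrypted-file extension, ransom-note name,
# directories the ransomware bypasses, and the observed vssadmin command line.
ENCRYPTED_EXT = ".basta"
RANSOM_NOTE = "\\readme.txt"
SKIPPED_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\b", re.I)

def parse(line: str) -> dict:
    """Parse an assumed 'Key=Value Key=Value' event line; values may contain spaces,
    so each value runs until the next ' Key=' token or the end of the line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def tag_event(fields: dict) -> list:
    """Map one event to the Black Basta indicators it matches."""
    tags = []
    if fields.get("EventID") == "1" and VSSADMIN_RE.search(fields.get("CommandLine", "")):
        tags.append("shadow_copy_deletion")
    if fields.get("EventID") == "11":
        target = fields.get("TargetFilename", "").lower()
        if target.endswith(ENCRYPTED_EXT):
            tags.append("basta_extension")
        # Note drops land in C:\ directories other than the bypassed ones.
        if (target.endswith(RANSOM_NOTE) and target.startswith("c:\\")
                and not target.startswith(SKIPPED_DIRS)):
            tags.append("ransom_note_drop")
    return tags

def hunt(lines: list) -> Counter:
    """Count indicator hits across a batch of event lines."""
    hits = Counter()
    for line in lines:
        hits.update(tag_event(parse(line)))
    return hits

def verdict(hits: Counter) -> bool:
    """Alert on shadow-copy deletion, or on a ransom note plus several encrypted-file
    writes; a lone readme.txt (a common benign filename) is not enough to fire."""
    return hits["shadow_copy_deletion"] > 0 or (
        hits["ransom_note_drop"] > 0 and hits["basta_extension"] >= 3)

# Constructed sample events (not from the advisory's sandbox run).
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet",
    r"EventID=11 TargetFilename=C:\PerfLogs\report.txt.basta",
    r"EventID=11 TargetFilename=C:\Python27\LICENSE.txt.basta",
    r"EventID=11 TargetFilename=C:\Users\alice\Desktop\budget.xlsx.basta",
    r"EventID=11 TargetFilename=C:\PerfLogs\readme.txt",
    r"EventID=11 TargetFilename=C:\readme.txt",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\alice\notes.txt",
]
```

Running `verdict(hunt(SAMPLE_LOG))` on the constructed batch returns True; feeding only the last (benign) event returns False.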