#StopRansomware: Black Basta

Here's a technical brief on the Black Basta ransomware group, compiled from the joint CISA/FBI/HHS/MS-ISAC advisory AA24-131A and related reporting:

Overview Black Basta is a ransomware-as-a-service (RaaS) variant first identified in April 2022. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally, including at least 12 out of 16 critical infrastructure sectors, such as the Healthcare and Public Health (HPH) Sector. It is known that Black Basta evolved from the CONTI ransomware group.

Tactics, Techniques, and Procedures (TTPs)

  • Initial Access:
    • Spearphishing is a primary method for gaining initial access.
    • Email Bombing: Black Basta affiliates flood targets with a large volume of spam email to set up social engineering over Microsoft Teams.
    • Exploiting Known Vulnerabilities: Black Basta affiliates exploit vulnerabilities such as the ConnectWise ScreenConnect vulnerability CVE-2024-1709.
    • Abusing Valid Credentials: In some instances, Black Basta affiliates have been observed abusing valid credentials.
  • Discovery and Execution:
    • Network Scanning: Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning.
    • Reconnaissance: Black Basta affiliates conduct reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root of drive C:\.
  • Privilege Escalation:
    • Credential Scraping: Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation.
    • Exploiting Vulnerabilities: Black Basta affiliates exploit the ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) vulnerabilities for local and Windows Active Directory domain privilege escalation.
  • Lateral Movement:
    • Tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), are used for lateral movement.
    • Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.
  • Exfiltration and Encryption:
    • Data Exfiltration: Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption.
    • Disabling Defenses: Prior to exfiltration, Black Basta affiliates have been observed using PowerShell to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling.
    • Encryption: Once antivirus programs are terminated, files are fully encrypted using the ChaCha20 algorithm with an RSA-4096 public key.
    • A .basta or otherwise random file extension is appended to file names, and a ransom note titled readme.txt is left on the compromised system.
    • Inhibit System Recovery: Affiliates use the vssadmin.exe program to delete volume shadow copies.
  • Double Extortion: Black Basta affiliates employ a double-extortion model, both encrypting systems and exfiltrating data.
  • Ransom Notes: Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser).
  • Payment Deadline: Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.
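The TTPs above map directly onto process-creation telemetry. The following is an added example (not from the advisory or the authoring organizations) that runs a few narrow detection rules over constructed process-creation records (host, image path, command line, as a Windows Security 4688 or Sysmon event would carry them) for shadow-copy deletion, PowerShell antivirus tampering, masquerading binaries in the drive root, SoftPerfect netscan, Mimikatz and RClone, and then escalates hosts where more than one stage fired. The ATT&CK technique IDs in the rule names are added here; the brief lists technique names only.

```python
"""Detection rules for the Black Basta TTPs listed above.

Added example, not from the advisory: the events are constructed, and the
ATT&CK IDs are supplied here (the brief names the techniques only).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str        # ATT&CK technique or TTP bucket from the brief
    pattern: re.Pattern   # applied to "<image path> <command line>"


# Patterns are intentionally narrow; tune them against your own baseline.
RULES = (
    Rule("T1490 Inhibit System Recovery",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("T1562.001 Impair Defenses: Disable or Modify Tools",
         re.compile(r"\bpowershell(\.exe)?\b.*\bSet-MpPreference\b.*-Disable", re.I)),
    Rule("T1036 Masquerading (Intel/Dell binary in drive root)",
         re.compile(r"^[a-z]:\\(intel|dell)\.exe\s", re.I)),
    Rule("Discovery: network scanning (SoftPerfect netscan.exe)",
         re.compile(r"\bnetscan(\.exe)?\b", re.I)),
    Rule("Privilege Escalation: credential scraping (Mimikatz)",
         re.compile(r"\bmimikatz\b", re.I)),
    Rule("Exfiltration: RClone data transfer",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
)

# Constructed process-creation records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-042",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv-fs01", "image": r"C:\Intel.exe", "cmdline": "Intel.exe"},
    {"host": "srv-fs01", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:staging --transfers 16"},
    {"host": "ws-017", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"host": "ws-017", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: no deletion
]


def detect(events):
    """Return (host, technique, command line) for every rule that fires."""
    hits = []
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for rule in RULES:
            if rule.pattern.search(text):
                hits.append((ev["host"], rule.technique, ev["cmdline"]))
    return hits


def escalate(hits, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques fired.
    A lone vssadmin hit may be an administrator; two stages on one host
    within the same window is a much stronger signal."""
    per_host = defaultdict(set)
    for host, technique, _ in hits:
        per_host[host].add(technique)
    return {h for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, technique, cmdline in found:
        print(f"{host:10} {technique:55} {cmdline}")
    print("escalate:", sorted(escalate(found)))
```

The rules key on command-line content rather than file names alone, because the brief notes that affiliates rename tools (Intel, Dell) to blend in; the masquerading rule is the one place a path is matched, and only for binaries sitting directly in the drive root.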

Tools Leveraged Black Basta affiliates use publicly available tools and applications, including legitimate tools repurposed for their operations.

  • AnyDesk
  • Microsoft Teams
  • Microsoft Quick Assist
  • BITSAdmin
  • Cobalt Strike
  • Mimikatz
  • PsExec
  • PowerShell
  • RClone
  • SoftPerfect
  • ScreenConnect
  • Splashtop
  • WinSCP
  • Mega.io
  • File transfer services
  • Temp.sh
  • Transfer.sh
  • Backstab
  • EventLogCrasher
  • Netcat
  • Proxychains
  • PDQ Deploy

MITRE ATT&CK Techniques Black Basta affiliates employ various MITRE ATT&CK techniques.

  • Initial Access
    • Phishing
    • Spearphishing Voice
    • Exploit Public-Facing Application
  • Privilege Escalation
    • Exploitation for Privilege Escalation
  • Defense Evasion
    • Masquerading
    • Impair Defenses: Disable or Modify Tools
  • Execution
    • User Execution
    • Command and Scripting Interpreter: PowerShell
  • Impact
    • Inhibit System Recovery
    • Data Encrypted for Impact

Vulnerabilities Black Basta affiliates exploit a range of known vulnerabilities.

  • The group has discussed exploiting 62 CVEs in their internal chats.
  • 53 are known to have been actively exploited.
  • 44 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
  • 55 CVEs had publicly available proof-of-concept (POC) exploits, making them easier to weaponize.
  • Top Vulnerabilities Exploited:
    • Microsoft Exchange (e.g., the ProxyShell and ProxyNotShell vulnerabilities CVE-2021-34473 and CVE-2022-41040).
    • Fortinet FortiOS (e.g., CVE-2022-40684, CVE-2024-21762).
    • Palo Alto PAN-OS (e.g., CVE-2021-3064, CVE-2024-3400).
    • Citrix ADC/Gateway (e.g., CVE-2019-19781).
    • VMware ESXi (e.g., CVE-2021-21974).

Targeted Industries Black Basta strategically targets industries where they can maximize financial gain. The group has impacted at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

  • Healthcare and Pharmaceuticals
  • Manufacturing
  • Finance and Banking
  • Education
  • Government Agencies

Geographic Focus The group primarily targets organizations in economically advanced countries.

  • United States
  • United Kingdom
  • Canada
  • Australia
  • Germany

Mitigations The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve an organization’s cybersecurity posture based on Black Basta’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).

  • Install updates for operating systems, software, and firmware as soon as they are released.
  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.
  • Train users to recognize and report phishing attempts.
  • Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
  • Make backups of critical systems and device configurations to enable devices to be repaired and restored.
  • Apply mitigations from the joint #StopRansomware Guide.
  • Asset Management and Security: Cybersecurity professionals should identify every asset, understand its relationships and interdependencies, its function, what it exposes, and what software it runs, so that critical data and systems are protected appropriately.
  • Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible.
  • Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself.
  • Access Management: Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets.
  • Vulnerability Management and Assessment
    • Map assets to business-critical functions.
    • Use threat intelligence information.
  • Continually test your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
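The hyperlink check in the mitigations above ("validate the URL of the link matches the text of the link itself") is easy to automate at the mail gateway or in a triage script. The following is an added example, not from the advisory: a constructed HTML email body is parsed with the standard library, and every anchor whose visible text contains a URL or domain is compared with the registrable domain of its href. The domains in the sample are placeholders.

```python
"""Check that a link's visible text matches where it actually points.

Added example, not from the advisory: the HTML body and domains are
constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL or bare domain inside visible link text.
DOMAIN_LIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare domains are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname. Simplification: a production check
    should use the Public Suffix List so that example.co.uk is handled."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return (visible text, href) for links whose shown domain differs from
    the href's registrable domain. Plain-text links ("Open webmail") are
    skipped: there is no URL in the text to compare against."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_LIKE.search(text)
        if not shown:
            continue
        if registrable(shown.group(1).lower()) != registrable(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed message body; only the second link is spoofed.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<a href="https://login.example-corp.com/reset">https://login.example-corp.com/reset</a>
<a href="http://account-verify.example.net/x">https://portal.example-corp.com/login</a>
<a href="https://mail.example-corp.com/">Open webmail</a>
<a href="https://example-corp.com/docs">Docs.Example-Corp.com</a>
"""

if __name__ == "__main__":
    for text, href in check_links(SAMPLE_EMAIL):
        print(f"spoofed link: text shows {text!r} but points to {href!r}")
```

Comparing registrable domains rather than full hostnames keeps legitimate links such as `docs.example-corp.com` displayed as `example-corp.com` from being flagged, while still catching a look-alike host on a different registered domain.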

Indicators of Compromise (IOCs)

  • A downloadable list of IOCs is available:
    • AA24-131A STIX XML (NOV 2024) (XML, 19.16 KB)
    • AA24-131A STIX JSON (NOV 2024) (JSON, 15.33 KB)
    • AA24-131A STIX XML (XML, 237.45 KB)
    • AA24-131A STIX JSON (JSON, 180.78 KB)
  • Examples of IPs and Domains:
    • 45.11.181[.]44
    • 66.42.118[.]54
    • 79.132.130[.]211
    • Moereng[.]com
    • Exckicks[.]com
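The indicators above are published defanged (`[.]` in place of `.`), so they have to be refanged before they can be compared with live telemetry. The following is an added example, not from the advisory: it refangs the five indicators listed above, splits them into IP and domain sets, and matches them against constructed firewall, DNS and proxy log lines, taking care that `45.11.181.44` does not match inside `145.11.181.44` and that a subdomain of an indicator is a hit while a longer unrelated name that merely begins with it is not.

```python
"""Match the advisory's defanged IOCs against constructed log lines.

Added example, not from the advisory: the indicator values are the ones
listed in the IOC section above; the log lines are constructed.
"""
import ipaddress
import re

# Indicators exactly as published (defanged) in the advisory.
ADVISORY_IOCS = ["45.11.181[.]44", "66.42.118[.]54", "79.132.130[.]211",
                 "Moereng[.]com", "Exckicks[.]com"]


def refang(ioc):
    """Undo common defanging so the value can be compared to live telemetry."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def load_iocs(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


# Whole dotted quads only: not preceded by a digit or dot, not followed by
# (an optional dot and) another digit, so 145.11.181.44 never yields 45.11.181.44.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
# Hostname-like tokens whose last label is alphabetic (excludes IPs).
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def scan(lines, ips, domains):
    """Return (kind, indicator, line) for every log line containing an IOC."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append(("ip", ip, line))
        for token in DOMAIN_RE.findall(line):
            t = token.lower()
            # exact match or a subdomain of the indicator; a longer name that
            # merely starts with it (moereng.com.internal.example) is not a hit
            match = next((d for d in domains if t == d or t.endswith("." + d)), None)
            if match:
                hits.append(("domain", match, line))
    return hits


# Constructed log lines (hypothetical hosts and internal addresses).
SAMPLE_LOGS = [
    "2024-11-08T10:14:02Z fw01 action=allow src=10.20.1.17 dst=45.11.181.44 dport=443 proto=tcp",
    "2024-11-08T10:14:05Z dns01 query=cdn.moereng.com type=A client=10.20.1.17",
    "2024-11-08T10:15:11Z fw01 action=allow src=10.20.1.9 dst=145.11.181.44 dport=443 proto=tcp",
    "2024-11-08T10:16:30Z proxy01 GET http://exckicks.com/update.bin client=10.20.1.17 status=200",
    "2024-11-08T10:17:01Z dns01 query=moereng.com.internal.example type=A client=10.20.1.3",
]

if __name__ == "__main__":
    ip_set, domain_set = load_iocs(ADVISORY_IOCS)
    for kind, indicator, line in scan(SAMPLE_LOGS, ip_set, domain_set):
        print(f"[{kind}] {indicator}: {line}")
```

For anything beyond a handful of indicators, load the STIX bundle linked above instead of a hand-typed list, and match on the raw log fields rather than on free text so that a token such as `10.20.1.17` in a timestamp or a user-agent cannot produce a false hit.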

Reporting Victims of ransomware should report the incident to their local FBI field office or CISA. The FBI is interested in any information that can be shared.

Timeline of Main Events

  • April 2022: Black Basta ransomware is first identified as a Ransomware-as-a-Service (RaaS) variant.
  • Throughout 2022-2024: Black Basta affiliates impact a wide range of businesses and critical infrastructure sectors in North America, Europe, and Australia.
  • Late 2023: Black Basta amasses at least $107 million in ransom payments.
  • September 2023 - September 2024: Black Basta's internal chats, spanning over 200,000 messages, take place during this period, revealing tactics, internal conflicts, and exploited vulnerabilities.
  • May 10, 2024: CISA, FBI, HHS, and MS-ISAC release initial Cybersecurity Advisory (CSA) on Black Basta.
  • As of May 2024: Black Basta affiliates have impacted over 500 organizations globally.
  • November 8, 2024: CISA, FBI, HHS, and MS-ISAC update the Cybersecurity Advisory on Black Basta to include new TTPs and IOCs.
  • Early 2025: Black Basta becomes "mostly inactive" due to internal conflicts, leadership disputes, and unpaid wages. Key members defect to rival groups like Cactus and Akira.
  • February 2025: Black Basta's internal chat logs are leaked, revealing details about the group's operations, members, and victims, as well as triggering their operational collapse.