1. Home
  2. Software
  3. Black Basta

Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[1][2][3][4][5][6]

ID: S1070
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Mathieu Hinse; Inna Danilevich, U.S. Bank
Version: 1.0
Created: 08 March 2023
Last Modified: 01 May 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

Black Basta has used WMI to execute files over the network.[5]
Enterprise T1036 .004 伪装: Masquerade Task or Service

Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service by the same name.[3][6][7]
.005 伪装: Match Legitimate Name or Location

The Black Basta dropper has mimicked an application for creating USB bootable drivers.[8]
Enterprise T1112 修改注册表

Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.[3][6][7][5][2][1]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

Black Basta can create a new service to establish persistence.[3][4]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Black Basta has used PowerShell scripts for discovery and to execute files over the network.[7][9][5]
.003 命令与脚本解释器: Windows Command Shell

Black Basta can use cmd.exe to enable shadow copy deletion.[2]
Enterprise T1562 .009 妨碍防御: Safe Mode Boot

Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.[3][6][7][4][1]
Enterprise T1480 .002 执行保护: Mutual Exclusion

Black Basta will check for the presence of a hard-coded mutex dsajdhas.0 before executing.[2]
Enterprise T1486 数据加密以实现影响

Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.[3][10][6][5][11][2][1][9][8]
Enterprise T1083 文件和目录发现

Black Basta can enumerate specific files for encryption.[6][4][5][11][2][1][9][8]
Enterprise T1222 .002 文件和目录权限修改: Linux and Mac File and Directory Permissions Modification

The Black Basta binary can use chmod to gain full permissions to targeted files.[11]
Enterprise T1106 本机API

Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.[3][6][4][8]
Enterprise T1027 .001 混淆文件或信息: Binary Padding

Black Basta had added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.[8]
Enterprise T1204 .002 用户执行: Malicious File

Black Basta has been downloaded and executed from malicious Excel files.[7][9]
Enterprise T1491 .001 篡改: Internal Defacement

Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.[3][10][6][7][4][5][2][1][8]
Enterprise T1082 系统信息发现

Black Basta can enumerate volumes and collect system boot configuration and CPU information.[3][6]
Enterprise T1490 系统恢复抑制

Black Basta can delete shadow copies using vssadmin.exe.[3][6][7][4][5][2][1][9][9][8]
Enterprise T1007 系统服务发现

Black Basta can check whether the service name FAX is present.[6]
Enterprise T1497 虚拟化/沙盒规避

Black Basta can make a random number of calls to the kernel32.beep function to hinder log analysis.[8]
.001 System Checks

Black Basta can check system flags and libraries, process timing, and API's to detect code emulation or sandboxing.[1][8]
Enterprise T1622 调试器规避

The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[8]
Enterprise T1018 远程系统发现

Black Basta can use LDAP queries to connect to AD and iterate over connected workstations.[8]
Enterprise T1553 .002 颠覆信任控制: Code Signing

The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.[8]

References

  1. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  2. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  3. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  4. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  5. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  6. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  1. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  2. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  3. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  4. Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.
  5. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.