1       Background

Black Basta is a Ransomware-as-a-Service (RaaS) group that first appeared in April 2022 and quickly gained notoriety for targeting various sectors, including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta has reportedly compromised over 500 organisations worldwide. The group meticulously chooses its victims to maximise each attack’s impact.

2       Black Basta’s Tactics and Techniques

Black Basta employs a multi-stage attack that leverages a combination of sophisticated techniques and readily available tools to infiltrate, compromise, and extort its targets. The group is known for its use of double extortion, where they not only encrypt a victim’s data but also threaten to release sensitive information publicly if the ransom is not paid.

Here’s a breakdown of the typical attack chain:

2.1      Initial Access

Black Basta utilises various methods to gain a foothold in the target network:

1. Social Engineering: Attackers commonly use phishing emails, posing as IT helpdesk personnel, to trick employees into installing remote access tools like AnyDesk or Quick Assist.
2. Exploiting Vulnerabilities: Black Basta exploits known vulnerabilities like CVE-2024-1709 (ConnectWise) and others to gain initial access or escalate privileges within the network.
3. Insider Information and Purchased Access: The group actively seeks insiders within target organisations or purchases network access from initial access brokers (IABs) on underground forums like Exploit and XSS12.

2.2      Lateral Movement and Credential Harvesting

Once inside, the attackers move laterally to identify and compromise critical systems:

1. Malware Deployment: They deploy tools like QakBot, SystemBC, and Cobalt Strike beacons for credential theft, data exfiltration, and command and control (C2) operations.
2. Credential Dumping: Tools like Mimikatz allow attackers to extract passwords from memory.
3. Exploiting Native Windows Tools: Attackers leverage tools like PowerShell, PsExec, and WMI for executing commands and moving laterally within the compromised network.

2.3      Data Exfiltration and Encryption

Before deploying the ransomware, Black Basta prepares the target environment:

1. Disabling Security Measures: Attackers use PowerShell scripts to disable antivirus software and endpoint detection and response (EDR) systems.
2. Deleting Shadow Copies: They delete shadow copies using the vssadmin.exe tool to prevent system recovery.
3. Exfiltrating Sensitive Data: Tools like RClone and WinSCP are used to transfer stolen data to attacker-controlled servers.

2.4      Encryption and Ransom Demand

The final stage involves deploying the ransomware and demanding payment:

1. Ransomware Deployment: Black Basta’s ransomware typically uses the ChaCha20 encryption algorithm to encrypt files. Encrypted files are appended with a “.basta” extension.
2. Ransom Note: They leave a ransom note, usually named “readme.txt,” which directs victims to a .onion site for ransom negotiations. Black Basta often sets a deadline of 10-12 days for payment before publishing the stolen data on their data leak site, Basta News.

3       Black Basta’s Evolving Sophistication

Black Basta has shown a continuous evolution in its tactics and techniques:

1. Email Bombing and Vishing: The group has incorporated email DDoS (bombing) and vishing (voice phishing) tactics to overwhelm targets with spam emails and trick them into installing remote access tools.
2. Microsoft Teams Exploitation: They leverage Microsoft Teams by creating accounts posing as IT support to contact victims and deceive them into granting access.
3. Targeting Linux Systems: Black Basta has expanded its operations to target Linux-based VMware ESXi virtual machines.

4       Possible Links to Other Threat Actors

There is speculation that Black Basta may have connections to other prominent ransomware groups:

1. Conti: Similarities in tactics, techniques, and procedures (TTPs) suggest a possible link to the now-defunct Conti group.
2. FIN7: The use of a custom EDR evasion tool and overlapping C2 infrastructure points to a potential connection with the FIN7 (Carbanak) group3638.
3. Impact and Mitigation

5       Potential Business Risks

Black Basta’s attacks have had significant consequences for organisations across various areas, such as:

1. Financial Losses: Ransom payments, data recovery costs, and potential legal repercussions contribute to significant financial burdens.
2. Reputational Damage: Data leaks and public exposure of sensitive information can damage an organisation’s reputation and erode customer trust.
3. Operational Disruption: Attacks can disrupt critical business operations, leading to downtime and productivity loss.

6       Risk Mitigation

Organisations can mitigate the risk of Black Basta attacks by:

1. Implementing strong cybersecurity measures: This includes multi-factor authentication, robust firewalls, regular software updates and patching, and effective antivirus and EDR solutions.
2. Employee Training: Educating employees about phishing techniques, social engineering tactics, and best practices for handling suspicious emails is crucial.
3. Robust Backup and Disaster Recovery Plans: Regularly backing up critical data and having a well-defined disaster recovery plan in place can help minimise the impact of an attack.
4. Secure Remote Access: Ensuring that remote access protocols are secure and properly configured is essential to prevent unauthorised access.
5. Proactive Threat Hunting: Using tools like Qualys EDR and implementing threat hunting queries can help detect suspicious activities related to Black Basta and other ransomware threats.

7       Indicators of Compromise  

There is a wide array of indicators that can help identify a potential or ongoing Black Basta ransomware attack. These indicators encompass network activities, file modifications, and suspicious user behaviours.

7.1      Network-Based Indicators

1. Suspicious Domain Naming: Black Basta actors often use Microsoft Teams for social engineering. They create fake accounts with deceptive names like “Help Desk” using fraudulent Entra ID tenants1. The domain names often follow the *.onmicrosoft.com convention, with examples like cybersecurityadmin.onmicrosoft.com and supportserviceadmin.onmicrosoft.com.
2. Command and Control (C2) Communication: Monitor network traffic for communication with known Black Basta C2 domains, many of which utilize Cobalt Strike. Examples include trailshop[.]net, realbumblebee[.]net, and numerous others.
3. Specific IP Addresses: Although threat actors frequently change IP addresses, some recent ones associated with Black Basta activity include 170.130.165[.]73 (likely Cobalt Strike infrastructure), 66.42.118[.]54 (exfiltration server), and others.
4. Tor Network Usage: Black Basta uses Tor hidden services for ransom negotiations and data leak sites. Increased Tor traffic might be an indicator of compromise.

7.2      File-Based Indicators

1. File Extension Modification: Black Basta ransomware typically appends the “.basta” extension to encrypted files. However, they may also use random extensions.
2. Ransom Note Presence: Look for ransom notes, often named “readme.txt,” on the victim’s desktop. The note provides a unique code and instructions to contact the ransomware group via a .onion URL.
3. Unique Encryption Scheme: Black Basta utilizes a specific encryption scheme, prepending each file with a 133-byte ephemeral NIST P-521 public key, a 32-byte key XChaCha20, a 24-byte nonce, and a 20-byte HMAC, followed by null byte padding and a 12-byte campaign identifier.
4. YARA Rules: The sources provide YARA rules that can be used to identify Black Basta ransomware files based on specific strings and file characteristics.

7.3      Behavioural Indicators

1. Sudden Increase in Spam Emails: Black Basta may initiate an attack with email bombing to flood an employee’s inbox with spam, followed by Microsoft Teams contact under the guise of IT help desk support.
2. Requests for Remote Access: Be wary of unsolicited requests for remote access, especially from individuals claiming to be IT support staff.
3. Unexpected Software Installations: Observe for unusual software installations, particularly those disguised as anti-spam programs like AntispamConnectUS.exe.
4. Disabling of Security Software: Black Basta often attempts to disable antivirus and EDR solutions before encrypting files.
5. Deletion of Shadow Copies: Attackers use the vssadmin.exe tool to delete shadow copies to prevent system recovery.

8       Threat Hunting and Mitigation

There are several tools and techniques for hunting for Black Basta activity and mitigating its impact:

1. Qualys EDR Hunting Queries: The sources provide hunting queries specifically designed to detect suspicious activities associated with Black Basta ransomware within the Qualys EDR environment.
2. MITRE ATT&CK Mapping: The sources provide comprehensive mapping of Black Basta’s tactics and techniques to the MITRE ATT&CK framework, allowing security teams to understand the adversary’s behaviour and develop countermeasures.
3. Proactive Security Measures: Implement robust security practices, including strong passwords, multi-factor authentication, regular software updates, and effective security software.
4. Employee Awareness Training: Educate employees on phishing techniques, social engineering tactics, and best practices for secure online behaviour.

9       Conclusion

Black Basta poses a serious and evolving threat to organisations worldwide. Their use of sophisticated tactics, combined with their ability to adapt and innovate, makes them a formidable adversary. By understanding Black Basta’s methods and implementing robust security measures, organisations can reduce their risk of falling victim to their attacks.