New ransomware variant targeting high-value organizations
A new ransomware group, Black Basta, has emerged and has been highly active since April 2022, targeting multiple high-value organizations. Among other notable attacks, the gang is responsible for a data leak affecting a dental association, from which it exfiltrated around 2.8 GB of data.
The ransomware appends the extension .basta to encrypted files. Cyble Research Labs has identified 18 Black Basta victims worldwide, the largest number of them in the US. The following image shows the victims by country.
We have prepared a breakdown of the industries targeted by the Black Basta ransomware in the figure below. As we can see, the ransomware gang primarily targets the construction and manufacturing industries.
The ransomware is a console-based executable that requires administrator privileges to run; the shadow copy deletion, service creation and boot configuration changes described below all depend on them. The static file information of the Black Basta ransomware is shown below.
After execution, the ransomware deletes the Volume Shadow Copies on the infected system using vssadmin.exe. This removes the Windows restore points so that, after encryption, the victim cannot roll the system back to its previous state. The figure below shows the command in the ransomware binary.
The ransomware then drops two image files into the temp folder of the infected system, as shown in the figure below.
Next, the ransomware changes the desktop wallpaper using the SystemParametersInfoW() API, setting the dropped file 'dlaksjdoiwq.jpg' as the background.
The second file, 'fkdjsadasd.ico', is used as the file icon for encrypted files carrying the .basta extension. Black Basta achieves this by creating a registry key that associates the .basta extension with that icon, as shown below.
After creating the registry entry, the ransomware hijacks the Fax service. It first checks whether a service named FAX is present on the system; if so, it deletes the original and creates a new malicious service with the same name, 'FAX'. The figure below shows the code snippets for the service hijack.
The screenshot below compares the malicious and genuine Windows FAX services.
The ransomware then checks the current boot mode using the GetSystemMetrics() API (the SM_CLEANBOOT metric reports whether Windows is running in safe mode) and adds the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax so that the FAX service is started in safe mode with networking. Safe mode is attractive to the ransomware because most security products and non-essential services do not start there, leaving the encryption largely unmonitored. After completing these customizations, the ransomware configures the operating system to boot into safe mode using bcdedit.exe, as shown in the figure below.
After performing these system changes, the ransomware reboots the system using the ShellExecuteA() API, as shown in Figure 9.
After the reboot into safe mode, the malicious FAX service launches and starts the encryption and the other ransomware routines.
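The chain described above (shadow copy deletion, .basta icon registration, FAX service hijack, SafeBoot\Network entry and the bcdedit safe-mode change) is what a detection engineer should key on, because each step on its own is occasionally legitimate admin activity while the combination is not. The following Python is an added example, not Cyble's code or anything recovered from the malware: it runs a small set of behaviour rules over constructed, normalised process, registry and service events. The pipe-delimited record layout, the placeholder binary name basta_sample.exe and the exact .basta DefaultIcon key path are assumptions made for the example; the genuine Fax service running fxssvc.exe from System32 is standard Windows behaviour, not something the page states. The ATT&CK sub-techniques T1562.009 (Safe Mode Boot) and T1543.003 (Windows Service) are added mappings beyond the page's own table.

```python
"""Hunt for the Black Basta pre-encryption chain in endpoint telemetry.
Added example, not Cyble's code. Records are constructed, normalised events in
an assumed "host|kind|subject|detail" layout:
  process  -> subject = image path,     detail = command line
  registry -> subject = writing image,  detail = target key
  service  -> subject = service name,   detail = service binary path"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real captures). basta_sample.exe is a
# placeholder name for the ransomware binary, not an IoC from the page.
SAMPLE_EVENTS = [
    r"WS01|process|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"WS01|registry|C:\Users\bob\AppData\Local\Temp\basta_sample.exe|HKCR\.basta\DefaultIcon",
    r"WS01|service|FAX|C:\Users\bob\AppData\Local\Temp\basta_sample.exe",
    r"WS01|registry|C:\Users\bob\AppData\Local\Temp\basta_sample.exe|HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax",
    r"WS01|process|C:\Windows\System32\bcdedit.exe|bcdedit /set safeboot network",
    # Benign activity on a second host: the genuine Fax service starting and an
    # administrator clearing a leftover safeboot flag. Neither should fire.
    r"WS02|service|Fax|C:\Windows\system32\fxssvc.exe",
    r"WS02|process|C:\Windows\System32\bcdedit.exe|bcdedit /deletevalue safeboot",
]

# (ATT&CK label, event kind, pattern matched against the detail field)
RULES = [
    ("T1490 shadow copies deleted", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1562.009 safe mode boot forced", "process",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{[^}]+\}\s+)?safeboot\s+(network|minimal)", re.I)),
    ("T1562.009 service registered for safe mode", "registry",
     re.compile(r"\\SafeBoot\\(Network|Minimal)\\", re.I)),
    ("T1486 .basta icon registered", "registry",
     re.compile(r"(HKCR|\\Classes)\\\.basta\\DefaultIcon", re.I)),
]

# The legitimate Fax service runs fxssvc.exe from System32; a service named FAX
# backed by any other binary is the hijack described in the text.
GENUINE_FAX_BINARY = re.compile(r"^[A-Z]:\\Windows\\System32\\fxssvc\.exe$", re.I)


def match_event(kind, subject, detail):
    """Return the ATT&CK labels a single event triggers."""
    labels = [label for label, rule_kind, pattern in RULES
              if kind == rule_kind and pattern.search(detail)]
    if kind == "service" and subject.lower() == "fax" and not GENUINE_FAX_BINARY.match(detail):
        labels.append("T1543.003 FAX service hijacked")
    return labels


def hunt(lines):
    """Group findings per host: {host: [(label, evidence), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        host, kind, subject, detail = line.split("|", 3)
        for label in match_event(kind, subject, detail):
            findings[host].append((label, detail))
    return dict(findings)


def assess(host_findings):
    """Three or more distinct stages of the chain on one host is high confidence;
    a single stage (e.g. only a vssadmin call) is common admin noise, so medium."""
    stages = {label for label, _ in host_findings}
    if len(stages) >= 3:
        return "high"
    return "medium" if stages else "none"


if __name__ == "__main__":
    for host, found in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {assess(found)} confidence")
        for label, evidence in found:
            print(f"  {label}: {evidence}")
```

Scoring on distinct stages rather than raw event counts is deliberate: a backup job that runs vssadmin, or an administrator clearing a safeboot flag, trips one rule at most, whereas the ransomware necessarily trips the icon, service and SafeBoot rules together before it ever reboots.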
The ransomware enumerates the system's volumes for file encryption using the FindFirstVolumeW() and FindNextVolumeW() APIs and drops a readme.txt ransom note in every directory it encounters. The figure below shows the APIs.
The ransomware excludes the following files and folders from encryption:
- Local Settings
- Application Data
Finally, the ransomware enumerates the files on the victim's machine using the FindFirstFileW() and FindNextFileW() APIs and encrypts them, using multiple threads to speed up the encryption.
The figure below shows the infected system in safe mode and the encrypted files.
The following image shows the screenshot of the ransom note dropped by the ransomware.
After completing these operations, the ransomware reboots the system into normal mode, as shown in the figure below.
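During incident response the two file-system markers described in the encryption phase, the appended .basta extension and the readme.txt note in every visited directory, are enough to scope the damage. The following Python is an added example, not Cyble's code: it walks a tree directory by directory (the same FindFirstFileW/FindNextFileW pattern the encryptor uses), skips the two folder names the page lists as excluded, and tallies encrypted files, files the encryptor missed, and ransom notes. The sample profile tree it builds is constructed for the example; run `inventory()` against a real mount point to scope an actual host.

```python
"""Scope a Black Basta infection from the file-system markers the page describes:
the .basta extension on encrypted files and the readme.txt note per directory.
Added example, not Cyble's code; the sample tree below is constructed."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".basta"
NOTE_NAME = "readme.txt"
# Folder names the page lists as skipped by the encryptor. The inventory skips
# them too: nothing there was touched, so they are only noise for scoping.
EXCLUDED_DIRS = {"local settings", "application data"}


def inventory(root):
    """Walk `root` directory by directory, skipping the excluded folder names, and
    return (counts, note_paths). counts keys: encrypted, untouched, excluded_dirs."""
    counts = Counter()
    notes = []
    pending = [root]
    while pending:
        current = pending.pop()
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=False):
                    if entry.name.lower() in EXCLUDED_DIRS:
                        counts["excluded_dirs"] += 1
                    else:
                        pending.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    name = entry.name.lower()
                    if name == NOTE_NAME:
                        notes.append(entry.path)
                    elif name.endswith(ENCRYPTED_EXT):
                        counts["encrypted"] += 1
                    else:
                        counts["untouched"] += 1
    return counts, sorted(notes)


def original_name(encrypted_path):
    """Recover the pre-encryption file name by stripping the appended extension."""
    if encrypted_path.lower().endswith(ENCRYPTED_EXT):
        return encrypted_path[:-len(ENCRYPTED_EXT)]
    return encrypted_path


def build_sample_tree():
    """Constructed sample profile: encrypted documents with a note per folder,
    one file the encryptor missed, and the two excluded folders left intact."""
    root = tempfile.mkdtemp(prefix="basta_scope_")
    layout = {
        "Documents": ["report.docx.basta", "budget.xlsx.basta", "readme.txt"],
        "Pictures": ["holiday.jpg.basta", "notes.txt", "readme.txt"],
        "Local Settings": ["cache.dat"],      # excluded by the encryptor
        "Application Data": ["prefs.ini"],    # excluded by the encryptor
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w") as handle:
                handle.write("placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    counts, notes = inventory(demo_root)
    print(f"encrypted={counts['encrypted']} untouched={counts['untouched']} "
          f"excluded_dirs={counts['excluded_dirs']} notes={len(notes)}")
    for note in notes:
        print("ransom note:", note)
```

The untouched count matters for recovery: files without the .basta extension in a directory that does carry a note are candidates that the multithreaded encryptor skipped or had not reached, and should be preserved before any cleanup.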
Possible Re-brand of Conti Ransomware:
The Threat Actors behind the ransomware share similarities with the Conti ransomware gang. Researchers attribute Black Basta to the TA behind Conti based on the similarity of the two groups' victim data leak sites. The image below shows the leak site of the Conti ransomware gang.
Black Basta ransomware data leak site.
Additionally, Conti and Black Basta use the same design for their victim recovery portals, as shown below.
With law enforcement agencies worldwide actively targeting ransomware gangs, operators are evolving their TTPs and rebranding to keep targeting new organizations. Black Basta shares multiple similarities with the Conti ransomware group, indicating a possible connection between the two Threat Actors.
Organizations and individuals should therefore continue to follow industry best practices to secure themselves and their firms.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on automatic software updates on your computer, mobile, and other connected devices.
- Use a reputable antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing and untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor network traffic for beaconing to detect and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) solutions on employees' systems.
- Alert on the behaviors described above: shadow copy deletion via vssadmin, safe-mode changes to the boot configuration via bcdedit, and any re-creation of the Fax service; keep offline, tested backups so that encrypted data can be restored without the TA's decryptor.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1059|Command and Scripting Interpreter|
|Defense Evasion|T1027|Obfuscated Files or Information|
|Defense Evasion|T1562.001|Impair Defenses: Disable or Modify Tools|
|Discovery|T1082|System Information Discovery|
|Discovery|T1083|File and Directory Discovery|
|Impact|T1490|Inhibit System Recovery|
|Impact|T1486|Data Encrypted for Impact|
Indicators of Compromise (IoCs):
|Indicator|Indicator Type|Description|
|---|---|---|
|3f400f30415941348af21d515a2fc6a3|MD5|eyqvn14ce.dll (ransomware executable)|
|bd0bf9c987288ca434221d7d81c54a47e913600a|SHA-1|eyqvn14ce.dll (ransomware executable)|
|5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa|SHA-256|eyqvn14ce.dll (ransomware executable)|