{
	"id": "93b23950-d667-450f-8789-9aa1e8ea4699",
	"created_at": "2026-04-09T02:23:20.463494Z",
	"updated_at": "2026-04-10T03:21:57.597401Z",
	"deleted_at": null,
	"sha1_hash": "dfda8095b55c808f1832f85b6db4a7dec24cce2a",
	"title": "Black Basta and the Unnoticed Delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107883,
	"plain_text": "Black Basta and the Unnoticed Delivery\r\nBy hadar_cpr\r\nPublished: 2022-10-20 · Archived: 2026-04-09 02:10:44 UTC\r\nIntroduction\r\nAs reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by\r\nransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business\r\ncontinues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by\r\ncybercrime gangs. With the addition of double extortion, ransomware attacks became even more appealing: even\r\nif the victim refuses to pay, the stolen private data may be sold in a Darknet forum for a considerable sum.\r\nGone are the days when cybercrime attacks were carried out by lone enthusiasts, occasionally aided by some\r\nfriends and like-minded persons. As uncovered in a recent Conti leak, the backend of a modern high-profile\r\ncybercrime operation is reminiscent of the structure of giant IT companies whose employees may be located all\r\nover the world, with dedicated roles and responsibilities. Judging by the attention to detail we observed in a\r\nrecent Black Basta incident spotted by the Check Point Incident Response Team, the operators behind this\r\nransomware also have an impressive organizational structure.\r\n*Since May 2022, there were more than 89 cases of high-profile organizations who were extorted by the Black\r\nBasta gang. Data shows the group’s clear geo-specific focus on the US and Germany; 49% of the victims listed on\r\nthe shame site are US accounts. 
The ransom demand in some cases exceeded 1 million USD.\r\nCountry          Number of victims   Percentage of victims\r\nUnited States    44                  38%\r\nGermany          16                  14%\r\nUnited Kingdom   4                   3.5%\r\nAustria          3                   2.6%\r\nCanada           3                   2.6%\r\nSwitzerland      3                   2.6%\r\nDenmark          2                   1.74%\r\nFrance           2                   1.74%\r\nIndia            2                   1.74%\r\nItaly            2                   1.74%\r\nOther            6                   5.22%\r\nTotal            87                  100%\r\nFigure 1 – *Top 10 victims’ countries according to leak sites.\r\nhttps://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/\r\nPage 1 of 12\n\nIn the article below, we describe the inner workings of a Black Basta campaign and pay special attention to\r\nthe delivery stage where the main preparations for a smooth ransomware execution are made. We explain all the\r\nnumerous evasions and anti-analysis techniques that prevent emulators and sandboxes from detecting and\r\nanalyzing the threat in an automated mode. We provide links to our Anti-Debug and Evasions encyclopedias in\r\neach corresponding entry: these sites are the ultimate sources of numerous techniques grouped by categories, with\r\ncode examples and possible counter-measures to take. Last, but not least, we present an overview of how Black\r\nBasta encrypts files in the system and how it is capable of lateral movement.\r\nTechnical details\r\nBefore the actual ransomware execution can start, the ransomware must be delivered to the victim’s machine.\r\nWith the creativity and developed social skills of cybercrime syndicate members, there are different ways for the\r\ndropper to deliver its payload to the selected victim’s machine. 
There can also be a chained execution of dropper\r\nmodules (we observed the combination of QakBot and Cobalt Strike payloads) which finally leads to the\r\nransomware execution.\r\nFigure 2 – Possible ways Black Basta delivers ransomware to the victim’s machine.\r\nWe observed that droppers can be much more sophisticated than the technically simpler ransomware payload\r\nitself. We describe the final delivery stage of the Black Basta ransomware below.\r\nDelivery stage\r\nThe Black Basta dropper mimics Rufus, the application for creating USB bootable drives:\r\nFigure 3 – Icon and description of the Black Basta dropper.\r\nThe application is digitally signed with the same certificate (issued by “Akeo Consulting”) used for legitimate\r\nexecutables from the Rufus website:\r\nFigure 4 – Digital signature of the Black Basta dropper and the certificate issuer.\r\nFor more information on how to create a malicious application with a verified digital signature, see the dedicated\r\narticle by the Check Point Research Team.\r\nEvasion and anti-analysis techniques\r\nThere are quite a few anti-debug tricks implemented in the Black Basta dropper, listed below grouped by\r\ncategories. 
Click the links for more information.\r\nFigure 5 – Anti-debug and evasion techniques in the Black Basta dropper.\r\nIf any of these techniques is successful in detecting a debugger and/or an emulation environment, the dropper\r\nstops its execution and quits without launching Black Basta.\r\nSystem flags\r\nThis group of anti-debug techniques relies on in-process structures to check whether the process is being\r\ndebugged.\r\nPEB: is debugger present\r\nPEB: being debugged\r\nPEB: NtGlobalFlag\r\nCheckRemoteDebugger\r\nCheck kernel debugger\r\nCPU registers\r\nThe techniques grouped below use CPU registers to check if the process is being debugged.\r\nSet trap flag\r\nCheck trap flag (same as above, but the flag is only checked, not set)\r\nCheck HW breakpoints (method 1 in the link)\r\nCPU instructions\r\nThese techniques use CPU instructions via direct calls or wrappers to check if the process is being debugged.\r\nDebugBreak\r\nINT 2D\r\nINT3\r\nTiming checks\r\nThese techniques perform timing checks to measure the difference between a debugged process and one that\r\nruns without a debugger.\r\nRDTSC\r\nQueryPerformanceCounter\r\nGetTickCount\r\nLibrary checks\r\nThis technique relies on the assumption that some common system libraries can be loaded without issues on a\r\nusual system, while some uncommon ones should not be present on a typical system at all. In a sandbox\r\nenvironment, however, an attempt to load an uncommon library may return a pre-defined code instead of the\r\nvalue returned on a non-emulated machine. 
The difference in\r\nreturned code can be all it takes to detect the sandbox.\r\nLibraries that must be loaded:\r\nkernel32.dll\r\nnetworkexplorer.dll\r\nNlsData0000.dll\r\nLibraries that must not be loaded:\r\nNetProjW.dll\r\nGhofr.dll\r\nfg122.dll\r\nWindows API checks\r\nThe following group of techniques uses Windows API functions to detect if the process is being debugged.\r\nVirtualAlloc in conjunction with GetWriteWatch\r\nCloseHandle with bad descriptor\r\nOutputDebugString to check last system error\r\nLog pollution\r\nThis technique is not really an anti-debug check but makes log analysis harder. The main point is to make a\r\nrandom number of calls to the kernel32 Beep function. You can see more in this sandbox analysis.\r\nFailing checks due to coding errors\r\nThese checks are supposed to use specifics of either the emulation environment or a debugged process but fail to\r\nwork properly due to errors in the coding.\r\nFindWindow (class name: ▬unAwtFrame) – The first symbol in the name is wrong; it should\r\nbe SunAwtFrame\r\nNtQueryInformationProcess, check DebugPort – Doesn’t work because of a wrong dll name\r\nObscure dump\r\nAfter the stage of evasion techniques is successfully passed, the Black Basta dropper has one more trick up its\r\nsleeve. 
The Black Basta payload is not simply unpacked and executed in memory; there is data located before the\r\nPE header of the ransomware to prevent automatic scanners from easily identifying the malicious payload.\r\nFigure 6 – Data located before a PE header to prevent automated memory analysis.\r\nAs expected, the .imgscan command in WinDbg fails to reveal the Black Basta PE module in the dropper’s process\r\nmemory.\r\nFigure 7 – Missing Black Basta module in WinDbg memory scan.\r\nAfter all these steps are passed, the actual Black Basta payload is executed.\r\nBlack Basta payload\r\nA mutex is created at the start of the ransomware execution to ensure only one copy of the malware is active:\r\nFigure 8 – Mutex creation in Black Basta.\r\nIn the sample we describe, the mutex name is “dsajdhas.0”.\r\nThe malware then sets the wallpaper and assigns a custom icon to the files with the “.basta” extension.\r\nFigure 9 – Images dropped by Black Basta.\r\nThe images are taken from the TEMP directory where Black Basta unpacks them.\r\nThe ransomware also attempts to delete any shadow volume copies as shown in the image below:\r\nFigure 10 – Commands executed to delete shadow volume copies.\r\nEncryption\r\nMultiple threads are created to make the encryption process multi-threaded:\r\nFigure 11 – Threads created to perform encryption.\r\nThe malware encrypts all the files found on the drives except for the ones that have the following strings in their\r\npaths:\r\n$Recycle.Bin\r\nWindows\r\nDocuments and Settings\r\nLocal Settings\r\nApplication Data\r\ntxt\r\nBoot\r\ntxt\r\njpg\r\nDAT\r\nico\r\nThe ChaCha20 stream cipher (which, as reported in independent research, is faster than AES) is used for 
encryption\r\nwith a key generated randomly for each encrypted file. This key is then encrypted with RSA using a\r\nhardcoded public key, producing 512 bytes of encrypted ChaCha20 key material. This encrypted key is appended to\r\nthe end of the encrypted file:\r\nFigure 12 – Start of the encrypted key at the end of the file (to the left); original file (to the right).\r\nAt the end of the block, there is also the length of the encrypted key (0x200):\r\nFigure 13 – The length of the key at the very end of the encrypted file.\r\nNote that the file is not encrypted in its entirety: the malware encrypts every third 64-byte block:\r\nFigure 14 – Blocks encrypted by Black Basta (to the left); original file (to the right).\r\nTo process a file, the usual kernel32 functions are used:\r\nCreateFile\r\nReadFile\r\nWriteFile\r\nMoveFile (to rename an encrypted file)\r\nAs a side note, the RSA implementation used is based on mini-GMP.\r\nAfter the encryption is finished, the ransomware drops a ransom note in a “readme.txt” file on the Desktop. A\r\ncompany ID is hardcoded into the ransom note, which is a sign of a targeted and prepared attack:\r\nFigure 15 – Company ID as hardcoded inside the sample.\r\nThere is no apparent way to decrypt the files without knowing the RSA private key.\r\nAutomatic distribution\r\nBlack Basta has built-in functionality for automatic distribution in the network, in case the droppers’ functions\r\nare not sufficient for the task. 
The ransomware tries to connect to AD with the help of the LDAP API and iterates over\r\nthe connected workstations using the filter string (samAccountType=805306369):\r\nFigure 16 – Function to initiate a search through connected workstations.\r\nAfter the list of workstations is obtained, the ransomware tries to copy itself to the remote machines via the path\r\n\\\\c$\\\\Windows\\\\tmp.exe. Then, with the help of the COM object IWbemClassObject (CLSID: 4590F812-1D3A-11D0-891F-00AA004B2E24)\r\nand IWbemServices-\u003eWin32_Process, the executable copied in the previous stage is launched via the Create method.\r\nConclusion\r\nRansomware attacks are one of the most serious threats a victim may face. Contemporary ransomware attacks\r\nhave a record of numerous successful extortions, and can move laterally within a network, thereby resulting in\r\nmore and more guaranteed rewards when using a double extortion scheme.\r\nNewly emerged Black Basta is an already successful ransomware player, which takes various precautions before\r\nthe actual data encryption is performed, as exemplified by the anti-debug and evasion techniques applied. The\r\ncombination of soft and technical skills exhibited by the Black Basta gang, when successfully applied in a\r\nransomware attack, can lead to truly devastating results.\r\nAs seen in the article, not only is the ransomware itself engineered to inflict maximum damage in the least time\r\npossible, but the delivery stage is also stealthy, sophisticated and effective. 
Black Basta knows without a doubt\r\nthat the environment is safe and has a clean shot to perform the encryption.\r\nTo lower the chances of being victimized by this and similar attacks, employers should adopt the following\r\npractices:\r\nEducate your employees on how to stay safe in the cyber security sphere.\r\nDo not open non-corporate attachments from unexpected senders.\r\nUpdate and improve the security of your cyber infrastructure.\r\nMake regular backups of the sensitive data and store them on external drives.\r\nKeep your systems up-to-date with the latest updates available.\r\nCheck Point’s Anti-Ransomware protects organizations from the most sophisticated ransomware attacks,\r\nincluding Black Basta, and safely recovers encrypted data.\r\nAnti-Ransomware is offered as part of Harmony Endpoint, Check Point’s complete endpoint security solution.\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level.\r\nCheck Point Protections\r\nRansomware.Win.BlackBasta.A\r\nRansomware.Win.BlackBasta.B\r\nIOCs\r\nSources\r\n1. Check Point Threat Report after H1 2022 // https://blog.checkpoint.com/2022/07/26/check-point-research-weekly-cyber-attacks-increased-by-32-year-over-year-1-out-of-40-organizations-impacted-by-ransomware-2/\r\n2. 
Leaks of Conti Ransomware Group // https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/\r\n3. Anti-Debug Encyclopedia // https://anti-debug.checkpoint.com/\r\n4. Evasions Encyclopedia // https://evasions.checkpoint.com/\r\n5. Can You Trust a File’s Digital Signature? // https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\n6. What’s the appeal of using ChaCha20 instead of AES? // https://crypto.stackexchange.com/questions/34455/whats-the-appeal-of-using-chacha20-instead-of-aes\r\nSource: https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/"
	],
	"report_names": [
		"black-basta-and-the-unnoticed-delivery"
	],
	"threat_actors": [],
	"ts_created_at": 1775701400,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfda8095b55c808f1832f85b6db4a7dec24cce2a.pdf",
		"text": "https://archive.orkl.eu/dfda8095b55c808f1832f85b6db4a7dec24cce2a.txt",
		"img": "https://archive.orkl.eu/dfda8095b55c808f1832f85b6db4a7dec24cce2a.jpg"
	}
}