New Black Basta Ransomware

Black Basta, a new ransomware group, has made its presence felt by claiming responsibility for twelve ransomware attacks in the month of April. Black Basta, like many other ransomware operations, uses double-extortion tactics, stealing victim data before encrypting systems to leverage payment. The group then uses its Tor site to slowly leak victim data, applying pressure on victims to pay the ransom for the decryption key. Notable targets from the first stretch of attacks include the American Dental Association and the German energy company Deutsche Windtechnik.[1]

The malware itself requires administrative privileges to encrypt files. To obtain those privileges, the group must either establish persistent access to target hosts and harvest credentials there, or purchase stolen credentials on darknet forums. When the malware is launched, it deletes the Volume Shadow Copies that Windows uses to back up files, using the command “C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet”.
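Shadow copy deletion is one of the earliest host-level signals a defender can catch, because it happens before encryption starts. The following detector is an added example, not code from the article or from any Red Sky Alliance tooling. It runs over a handful of constructed process-creation records (the field names `pid`, `parent`, `image` and `cmd` are assumptions, not a real log schema), normalizes the command line so that the `SysNative` alias used in the article and the ordinary `System32` path match the same rule, and flags the `vssadmin delete shadows` pattern. It also generalizes beyond the article by flagging the `wmic shadowcopy delete` variant, which reaches the same outcome through a different binary.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records in a Sysmon-like shape (not from the article).
# Only the second and fourth entries should be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 5532, "parent": "basta.exe",          # hypothetical parent name
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\SysNative\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 5610, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"pid": 5702, "parent": "powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
]


def normalize_command(cmd: str) -> List[str]:
    """Tokenize a Windows command line into lower-case tokens.

    Quoted paths are kept as one token, quotes are stripped, and any path is
    reduced to its basename so SysNative, System32 and bare names compare equal.
    """
    tokens = []
    for tok in re.findall(r'"[^"]*"|\S+', cmd):
        tok = tok.strip('"').lower()
        tok = tok.rsplit("\\", 1)[-1]
        tokens.append(tok)
    return tokens


def classify_command(cmd: str) -> Optional[Dict]:
    """Return a verdict dict if the command deletes Volume Shadow Copies, else None."""
    tokens = normalize_command(cmd)
    if not tokens:
        return None
    exe, rest = tokens[0], tokens[1:]
    if exe in ("vssadmin", "vssadmin.exe") and "delete" in rest and "shadows" in rest:
        return {"technique": "vssadmin",
                "all_shadows": "/all" in rest,
                "quiet": "/quiet" in rest}
    if exe in ("wmic", "wmic.exe") and "shadowcopy" in rest and "delete" in rest:
        return {"technique": "wmic", "all_shadows": True, "quiet": False}
    return None


def scan_events(events: List[Dict]) -> List[Dict]:
    """Apply classify_command to each record and collect alerts with process context."""
    alerts = []
    for ev in events:
        verdict = classify_command(ev["cmd"])
        if verdict:
            alerts.append({"pid": ev["pid"], "parent": ev["parent"], **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The parent process is carried into the alert on purpose: `vssadmin delete shadows` launched by a backup agent during scheduled maintenance is a legitimate pattern, while the same command spawned from a binary in a user's temp directory is not, and that distinction is what an analyst triages on.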

Once the Shadow Copies are deleted, the ransomware hijacks an existing Windows service, which is used to launch the encryptor. In an analysis of the malware conducted by Bleeping Computer, the service used was the Windows Fax service. The ransomware reboots the machine into Safe Mode, and the hijacked service begins encrypting files with the ChaCha20 encryption algorithm. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key carried in the Basta executable, so the files cannot be recovered without the group's corresponding private key.

The ransomware changes the wallpaper of the machine to read “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt”, as pictured.

When the Black Basta ransomware has finished encrypting files, the malware adds the extension “.basta” to the end of the file name. Each folder containing encrypted files will contain a ransom note in a text file called readme.txt. Within the readme.txt file is a link to the Black Basta Tor negotiation site, which is titled “Chat Black Basta.” Victims use a unique organization ID provided in the readme.txt file to sign into the site and negotiate terms.
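The two post-encryption artifacts the article names, the “.basta” extension and a readme.txt note in every affected folder, are enough to scope an incident quickly. The script below is an added example for that triage step; it is not code from the article or from Red Sky Alliance. It builds a small constructed directory tree that imitates the layout described (the file names, the note wording and the “ORG-ID-PLACEHOLDER” string are all made up), then walks it to count encrypted files, recover the original file names by stripping the extension, list affected directories, and identify ransom notes by a marker string rather than by file name alone, so an unrelated readme.txt is not counted.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict

ENCRYPTED_EXT = ".basta"   # extension appended to encrypted files, per the article
NOTE_NAME = "readme.txt"   # ransom note dropped in each affected folder, per the article
NOTE_MARKER = "black basta"  # substring used to distinguish the note from any other readme


def build_sample_tree() -> Path:
    """Create a constructed directory tree imitating a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="basta_triage_"))
    finance = root / "finance"
    finance.mkdir()
    # Two "encrypted" files: opaque bytes with the appended extension.
    (finance / ("q1.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (finance / ("q2.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    # Constructed ransom note text; the organization ID is a placeholder.
    (finance / NOTE_NAME).write_text(
        "Your network is encrypted by the Black Basta group.\n"
        "Chat Black Basta: <tor link omitted>\n"
        "Organization ID: ORG-ID-PLACEHOLDER\n")
    hr = root / "hr"
    hr.mkdir()
    (hr / "policy.docx").write_bytes(b"clean document")
    # An ordinary readme that must NOT be counted as a ransom note.
    (hr / NOTE_NAME).write_text("Internal notes for the HR share. Nothing to see here.\n")
    return root


def triage(root: Path) -> Dict:
    """Walk the tree and summarize encryption indicators."""
    encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif lower == NOTE_NAME:
                # Read leniently: the note is plain text, but never let a decode
                # error abort triage of the rest of the tree.
                text = path.read_text(errors="ignore").lower()
                if NOTE_MARKER in text:
                    notes.append(path)
    affected_dirs = sorted({str(p.parent.relative_to(root)) for p in encrypted})
    original_names = sorted(p.name[:-len(ENCRYPTED_EXT)] for p in encrypted)
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": affected_dirs,
        "original_names": original_names,
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(triage(sample_root))
```

Running `triage` against a real file server gives the affected-directory list that drives restoration priorities, and the recovered original names show what was hit without opening any encrypted file. Matching the note by marker text instead of by the name readme.txt is the part worth keeping: many shares already contain innocent files with that name.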

Based on the early success of the group, security researchers believe that the Black Basta ransomware group is a possible rebrand of the Conti ransomware group. MalwareHunterTeam pointed out in a tweet that there are similarities between the Black Basta and Conti leak sites, payment sites, and more. As the Conti group continues to face heavy global scrutiny, it makes sense that they would rebrand to lose some of the heat.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/