Black Basta
Black Basta’s operational methods highlight their adaptability and willingness to exploit both technical vulnerabilities and human factors to achieve their goals. Understanding these tactics can help organizations bolster their defenses against such sophisticated threats.
The origin of Black Basta
Black Basta is a ransomware-as-a-service (RaaS) variant first identified in April 2022. The group operates by encrypting and exfiltrating data from their victims, and they have been active across North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally, including at least 12 out of 16 critical infrastructure sectors, with a significant focus on the Healthcare and PublicHealth (HPH) Sector.
Source: OCD
Targets
Blackbasta's targets
Countries targeted by Blackbasta
Black Basta's operations span multiple regions, with significant incidents reported in the United States, Germany, the United Kingdom, Canada, and Australia. These regions are often targeted due to their high-value industries and critical infrastructure.
Industries targeted by Blackbasta
Black Basta has targeted a wide range of industries, notably the Healthcare and Public Health (HPH) sector due to its critical nature and reliance on technology. Other affected sectors include finance, manufacturing, and information technology.
Industries targeted by Blackbasta
Black Basta has targeted a wide range of industries, notably the Healthcare and Public Health (HPH) sector due to its critical nature and reliance on technology. Other affected sectors include finance, manufacturing, and information technology.
Blackbasta's victims
While specific names of recent victims might not always be publicly available due to privacy and security concerns, we count more than 439 victims including major companies and institutions in the sectors mentioned above. Recent reports have indicated attacks on healthcare systems, large manufacturing firms, and financial institutions.
Attack Method
Blackbasta's attack method
Black Basta affiliates typically use spearphishing emails and exploit known vulnerabilities such as CVE-2024-1709. They have also been known to abuse valid credentials to gain initial access. malware.
Tools like Mimikatz are used for credential scraping, while vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278, CVE-2021-42287), and PrintNightmare (CVE-2021-34527) are exploited to escalate privileges.
The group employs masquerading tactics by using innocuous file names, such as Intel or Dell. They also deploy tools likeBackstab to disable endpoint detection and response (EDR) systems, and use PowerShell to disable antivirus products.
Black Basta affiliates use credential scraping tools like Mimikatz and exploit known vulnerabilities to gain administrative access and escalate privileges within the network.
Network scanning tools such as SoftPerfect Network Scanner are used to map out the network and identify key systems and data stores.
The group uses tools like BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, and Cobalt Strike to move laterally across networks.
Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.
Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.
Tools such as RClone are used to exfiltrate data to actor-controlled servers. This data is often used as leverage to pressure victims into paying the ransom.
The ransomware encrypts files using a ChaCha20 algorithm with an RSA-4096 public key, adding a .basta or random extension to file names. Ransom notes left on compromised systems instruct victims to contact the group via a Tor site.
Initial Access
Black Basta affiliates typically use spearphishing emails and exploit known vulnerabilities such as CVE-2024-1709. They have also been known to abuse valid credentials to gain initial access. malware.
Privilege Escalation
Tools like Mimikatz are used for credential scraping, while vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278, CVE-2021-42287), and PrintNightmare (CVE-2021-34527) are exploited to escalate privileges.
Defense Evasion
The group employs masquerading tactics by using innocuous file names, such as Intel or Dell. They also deploy tools likeBackstab to disable endpoint detection and response (EDR) systems, and use PowerShell to disable antivirus products.
Credential Access
Black Basta affiliates use credential scraping tools like Mimikatz and exploit known vulnerabilities to gain administrative access and escalate privileges within the network.
Discovery
Network scanning tools such as SoftPerfect Network Scanner are used to map out the network and identify key systems and data stores.
Lateral Movement
The group uses tools like BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, and Cobalt Strike to move laterally across networks.
Collection
Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.
Execution
Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.
Exfiltration
Tools such as RClone are used to exfiltrate data to actor-controlled servers. This data is often used as leverage to pressure victims into paying the ransom.
Impact
The ransomware encrypts files using a ChaCha20 algorithm with an RSA-4096 public key, adding a .basta or random extension to file names. Ransom notes left on compromised systems instruct victims to contact the group via a Tor site.
MITRE ATT&CK Mapping
TTPs used by Black Basta
Black Basta employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:
TA0001: Initial Access
T1566
Phishing
T1190
Exploit Public-Facing Application
T1078
Valid Accounts
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
T1543
Create or Modify System Process
T1547
Boot or Logon Autostart Execution
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0004: Privilege Escalation
T1543
Create or Modify System Process
T1068
Exploitation for Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0005: Defense Evasion
T1027
Obfuscated Files or Information
T1562
Impair Defenses
T1078
Valid Accounts
TA0006: Credential Access
T1110
Brute Force
T1056
Input Capture
T1003
OS Credential Dumping
TA0007: Discovery
T1082
System Information Discovery
TA0008: Lateral Movement
T1077
Remote Services: SMB/Windows Admin Shares
TA0009: Collection
T1005
Data from Local System
TA0011: Command and Control
No items found.
TA0010: Exfiltration
T1041
Exfiltration Over C2 Channel
T1020
Automated Exfiltration
TA0040: Impact
T1485
Data Destruction
T1486
Data Encrypted for Impact
Platform Detections
How to Detect Black Basta with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is Blackbasta Ransomware?
Blackbasta is a sophisticated ransomware group that emerged in April 2022. They use double extortion tactics, encrypting victims' data and threatening to release sensitive information if the ransom is not paid.
How does Blackbasta typically gain initial access to a network?
Blackbasta often gains initial access through phishing emails containing malicious attachments or links, exploiting vulnerabilities in public-facing applications, and using malicious advertisements or drive-by downloads.
What industries are most frequently targeted by Blackbasta?
Blackbasta targets a wide range of industries, including healthcare, manufacturing, finance, legal, education, government, and information technology.
Which countries are most affected by Blackbasta attacks?
Blackbasta primarily targets organizations in the United States, Canada, United Kingdom, Germany, France, and Australia, though they have a global reach.
What are some of the known tactics, techniques, and procedures (TTPs) used by Blackbasta?
Blackbasta employs various TTPs such as phishing (T1566), command and scripting interpreter (T1059), credential dumping (T1003), disabling security tools (T1562), and data encrypted for impact (T1486).
How does Blackbasta escalate privileges within a compromised network?
Blackbasta escalates privileges by exploiting unpatched software vulnerabilities and using tools like Mimikatz to extract credentials from memory.
What methods does Blackbasta use to evade detection?
Blackbasta uses obfuscation techniques, disables security tools, employs living off the land (LotL) tactics, and utilizes legitimate software and tools to evade detection.
How does Blackbasta move laterally within a network?
Blackbasta uses Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and remote services to move laterally within a network.
What are the typical stages of a Blackbasta ransomware attack?
The stages include initial access, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, execution, exfiltration, and impact.
What preventive measures can organizations take to protect against Blackbasta ransomware?
Organizations can protect against Blackbasta by implementing robust email filtering, patching vulnerabilities promptly, using multi-factor authentication, conducting regular security training for employees, monitoring for unusual activity, maintaining up-to-date backups, and deploying Extended Detection and Response (XDR) systems to identify and respond to threats quickly.