Black Basta: New ransomware threat aiming for the big league

Many ransomware gangs have risen to the top over the years only to suddenly disband and be replaced by others. Security researchers believe many of these movements in the ransomware space are intentional rebranding efforts to throw off law enforcement when the heat gets too high. This is also the suspicion for Black Basta, a relatively new ransomware operation that saw immediate success in several months of operation. Some believe it has splintered off from the infamous Conti gang.

Black Basta was first detected in April 2022, but researchers found evidence the operation was launched in February and it took time to test the new malware strain. The gang behind it engages in double extortion, which combines file encryption with data leak extortion, and has claimed responsibility for compromising at least 50 organizations so far.

Black Basta gang has high level of expertise

Even though the gang posted messages on cybercriminal forums offering to buy network access credentials for organizations in the U.S., Canada, UK, Australia and New Zealand, it hasn’t openly recruited affiliates. Despite this, it has been successful in a short amount of time, making some researchers believe they already started with significant in-house expertise.

One theory is that Black Basta was set up by former members of the Conti and REvil gangs, both of which went dark after gaining a lot of attention. REvil, one of the most successful ransomware gangs of the past few years, shut down its operations last year. In January it was announced that the Russian FSB arrested two key members, one of them involved in the 2021 attack on Colonial Pipeline that caused fuel disruptions on the U.S. East Coast. Conti, another high-profile ransomware gang, shut down in May after hitting multiple Costa Rican government agencies that prompted the U.S. State Department to put up a $10 million reward on the identity or location of Conti’s leaders.

Researchers also noted similarities between the Black Basta and the Conti leak sites as well as in how their respective negotiation teams operate. Conti representatives later dismissed any connection to Black Basta via its leak site, referring to the people behind Black Basta as kids.

In June, security researchers reported that Black Basta appears to have entered into a partnership with Qbot, a botnet that has been used in the past as a deployment vehicle by multiple ransomware operations, including Conti. Qbot started out as a banking Trojan and in addition to its ability to deploy additional malware, it focuses on credential theft and lateral movement.

“The use of QBot saves time for ransomware operators,” researchers from Cybereason said in a report in June. “QBot has many built-in capabilities that are very useful for attackers. Some of them used to perform reconnaissance, collect data and credentials, move laterally, and download and execute payloads.”

Windows and Linux targeting for ransomware

After harvesting credentials and mapping the network the Black Basta attackers execute code on other systems using PsExec with the goal of locating and compromising the domain controller. Once this is achieved, they create a group policy to disable Windows Defender and other antivirus products.

Once the ground is set, the attackers deploy the Black Basta ransomware on all identified endpoint systems using a PowerShell command and the Windows Management Instrumentation (WMI) interface. When executed on a system the Black Basta program first deletes all Volume Shadow copies and then starts encrypting files, except for those with certain extensions and located in certain folders that are specified in an exclusion list.

The files are encrypted with the ChaCha20 cipher but only partially to speed the process. The ransomware encrypts chunks of 64 bytes and then skips the next 128 bytes, which is enough to leave files unusable. The ChaCha20 file encryption key is encrypted with an RSA public key to ensure only attackers can recover it with their corresponding private RSA key. The extension of the encrypted files is changed to .basta.

In addition to destroying local backups, the Black Basta attackers establish RDP connections to Hyper-V servers and modify the configuration for the Veeam backup jobs and delete the backups of virtual machines hosted on such servers.

In June, researchers discovered that Black Basta added a mechanism to encrypt files on Linux servers that host VMware ESXi virtual machines. This capability has also been implemented recently by other ransomware groups such as LockBit.

So far, this gang has exhibited high levels of expertise and connections in the cybercriminal underground. It favors targeting organizations from English-speaking countries and developed economies, performs human-operated attacks that involve lateral movement, engages in double extortion, and asks for millions in ransoms, and has managed to compromise many organizations in a relatively short amount of time.

“It is pretty clear that the Black Basta gang knows what they are doing, and they want to play in the ‘big league’ of ransomware, the same league as Conti, Ryuk, REvil, BlackMatter and others,” the Cybereason researchers concluded in their report.