Dark Web Profile: Black Basta Ransomware
By SOCRadar Research
[Update] January 3, 2024: Read the subheading “Turning the Tables on Black Basta”
One of the perpetrators of ransomware attacks, which increased by 59% in the last year, is Black Basta, a ransomware group of Russian-speaking origin. It emerged in April 2022 and became notorious for breaching nearly a hundred organizations by October 2022.
Although the LockBit group is the most active ransomware group in the gap opened after Conti’s dissolution, Black Basta is in second place, accounting for 9% of ransomware attacks. On the Dark Web, the group has not so far been seen advertising or recruiting affiliates, but its members, who reached large attack volumes in this brief time, are well-organized and experienced threat actors.
Who is Black Basta?
According to some researchers, Black Basta is a ransomware group that works with the RaaS (ransomware as a service) model. However, the SOCRadar Dark Web Team reports that no such advertisements have been found on hacker forums or black markets so far. The group may still be using the RaaS model with affiliates and partners it trusts.
As observed by researchers, they generally use the double-extortion method, which we often encounter in ransomware incidents, and the ransom they demand sometimes exceeds millions of dollars. Most of the group’s targets so far have been Western countries, and the country with the most cases is the United States. The industries they target are varied. Although the sector they have targeted the most is manufacturing, they have had many different victims, from apparel and fashion to healthcare, including the American Dental Association, Deutsche Windtechnik, and Knauf.
Are There Any Relations with Other Groups?
Security researchers state that Black Basta develops and maintains its ransomware kits and tools itself or collaborates with close threat actors it trusts, which has led to speculation that the group is an offshoot of Conti or includes some of its members.
According to other research, the group has also been observed to be linked to FIN7 (Carbanak). FIN7 had been engaged in criminal activity for several years before Black Basta appeared. Security researchers examined Black Basta’s toolkits and found one or more tools developed by the FIN7 threat group. Moreover, the IP addresses, attack techniques, and EDR evasion techniques used by Black Basta also overlap with those of FIN7, which may indicate that the two groups are closely related or that some threat actors belong to both.
FIN7, also known as the Carbanak or Navigator group, made its name by stealing more than $1 billion from over 100 companies in 2014. They first appeared with credit card skimmer software targeting victims’ point-of-sale systems. They were already one of the most skillful threat groups, but they later increased their notoriety by adding ransomware to their arsenal.
Black Basta Infection Chain
Ransomware must be delivered before it can execute, and there are various initial vectors by which threat group members can transmit it to the victim’s machine using advanced social engineering techniques. These are primarily phishing-style attacks. When the malicious attachment sent in such attacks (a macro-based MS Office document) is opened, its macros initiate HTTP traffic for QakBot, and Cobalt Strike activity begins for system discovery.
It is also known that the group purchases leaked credentials for initial access.
After completing the discovery phase, they send droppers for Black Basta, and the dropper checks a set of rules to decide whether to deploy the ransomware. If any of these rules is triggered, the dropper terminates itself without deploying the ransomware. When evasion and lateral movement tactics are successful, the ransomware is delivered to the system in an obfuscated form to avoid being caught by scanners.
When the ransomware runs, it encrypts files with the ChaCha20 stream cipher, using a randomly generated key for each file. That key is then encrypted with RSA under a hard-coded public key, producing a 512-byte encrypted ChaCha20 key, which is appended to the end of the encrypted file.
After this point, the file extensions change to “.basta,” the desktop darkens, and a “.txt” ransom note is left for the victim explaining how to pay the ransom.
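The per-file layout described above (ChaCha20 ciphertext followed by a 512-byte RSA-encrypted key) is what a responder sees on disk, so a triage script can inventory affected files and check that each one actually fits that layout. The following is an added example written for this post, not SOCRadar’s or SRLabs’ code; the 512-byte trailer size and the “.basta” extension come from the description above, and the sample files it triages are constructed random bytes, not real ransomware output.

```python
import hashlib
import os
import tempfile
from pathlib import Path

KEY_BLOB_LEN = 512        # size of the RSA-encrypted per-file ChaCha20 key appended to each file
ENCRYPTED_EXT = ".basta"  # extension the ransomware adds to encrypted files


def split_encrypted_file(data: bytes):
    """Return (ciphertext, key_blob) for the described layout, or None if the file
    is too short to carry the 512-byte trailer (so the layout does not apply)."""
    if len(data) < KEY_BLOB_LEN:
        return None
    return data[:-KEY_BLOB_LEN], data[-KEY_BLOB_LEN:]


def triage_directory(root) -> dict:
    """Inventory .basta files under root and flag layout anomalies.
    Each file should carry its own random key, so the RSA blobs should all differ;
    a repeated blob means the file deserves a closer look before any recovery attempt."""
    report = {"encrypted": 0, "malformed": [], "duplicate_blobs": []}
    first_seen = {}
    for path in sorted(Path(root).rglob("*" + ENCRYPTED_EXT)):
        if not path.is_file():
            continue
        parts = split_encrypted_file(path.read_bytes())
        if parts is None:
            report["malformed"].append(path.name)
            continue
        report["encrypted"] += 1
        digest = hashlib.sha256(parts[1]).hexdigest()
        if digest in first_seen:
            report["duplicate_blobs"].append((path.name, first_seen[digest]))
        else:
            first_seen[digest] = path.name
    return report


def run_demo() -> dict:
    """Build a constructed sample tree (random bytes, not real ransomware output) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        shared_blob = os.urandom(KEY_BLOB_LEN)
        (root / "a.docx.basta").write_bytes(os.urandom(1000) + os.urandom(KEY_BLOB_LEN))
        (root / "b.xlsx.basta").write_bytes(os.urandom(300) + shared_blob)
        (root / "c.pdf.basta").write_bytes(os.urandom(40) + shared_blob)  # trailer reused: anomaly
        (root / "d.txt.basta").write_bytes(os.urandom(100))               # shorter than the trailer
        return triage_directory(root)
```

Point `triage_directory` at a mounted forensic image to get a count of encrypted files plus the ones that do not match the expected layout, which are the candidates to examine first if a decryptor becomes available.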
Black Basta performs comprehensive analyses and is selective when choosing its victims. They work carefully, applying various checks and precautions before the encryption phase, and they try to make their attacks successful by blending technical and soft skills.
They also actively continue their malicious activities, with their biggest recent attack affecting the Canadian food retailer Sobeys in November 2022. Their attack tally constantly expands, with more than ten victims last November alone; they continue their activities and haven’t slowed down.
As the volume of cyber threats like ransomware and the damage they cause increases, organizations should strengthen their defenses against ransomware attacks to avoid falling victim to threat actors.
Turning the Tables on Black Basta
A development in the ransomware landscape has emerged with the creation of Black Basta Buster, a decryption tool by SRLabs. This tool exploits a specific vulnerability in the Black Basta ransomware, enabling some victims to recover their encrypted files. As analyzed above, Black Basta has been active since April 2022 and has been linked to many devastating attacks; this development will therefore surely hinder their operations.
The decryptor, available on GitHub, works on files encrypted by specific versions of the ransomware in use until late December 2023. This breakthrough offers significant relief for victims affected by these earlier versions of Black Basta ransomware.