Black Basta ransomware is analyzed for its rapid network impact, data theft, and in-memory encryption with double extortion. IBM X-Force details the loader, behavior, and indicators to help defenders detect and mitigate this threat. Hashtags: #BlackBasta #IBMXForce #Conti #Tor #DataLeakSite
Keypoints
- Black Basta emerged rapidly in 2022 with fast, high-volume intrusions and a double-extortion tactic (encryption plus data theft) culminating in public data release on a Tor data leak site.
- The threat group’s affiliation to Conti is uncertain; IBM X-Force notes no current evidence of active underground affiliate recruitment, while Conti has denied ties.
- Loader and in-memory execution: the payload is base64-decoded, RC4-decrypted, and injected into a loader process for in-memory execution.
- Encryption and impact: ChaCha20 is used to encrypt volumes and append the .basta extension to files; ransom notes are dropped (readme.txt) with a unique company ID per sample.
- Defensive evasion and persistence: includes deleting volume shadow copies, hijacking a legitimate Fax service for persistence, and rebooting into safe mode to complicate remediation.
- Operational indicators: targeted file artifacts (readme.txt, fkdjsadasd.ico, dlaksjdoiwq.jpg), specific sample hashes, and a Tor-hosted ransom/negotiation site provide actionable IoCs.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – The loader base64 decodes a Black Basta payload using the CryptStringToBinaryA() API function. “The loader base64 decodes a Black Basta payload using the CryptStringToBinaryA() API function.”
- [T1055] Process Injection – Black Basta is injected into a process instance of the loader and executed in memory. “Black Basta is then injected into a process instance of the loader and executed in memory.”
- [T1490] Inhibit System Recovery – Deletes volume shadow copies using the commands: “C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet” and “C:\Windows\System32\vssadmin.exe delete shadows /all /quiet.”
- [T1112] Modify Registry – Sets the desktop background by writing the registry value “HKCU\Control Panel\Desktop\Wallpaper = %Temp%\dlaksjdoiwq.jpg” and makes related registry edits to register the icon for encrypted files. “Changes the desktop background to the following image using the file %Temp%\dlaksjdoiwq.jpg.” “Drops the ICON file …” and “The ransomware creates the following registry key.”
- [T1543] Create or Modify System Process: Windows Service – Hijacks the existing Fax service to maintain persistence. “Hijacks the existing Fax service to maintain persistence.”
- [T1547] Boot or Logon Autostart Execution – Reboots the system into safe mode using bcdedit and the shutdown command. “Reboots the system into safe mode using bcdedit and the shutdown command.”
- [T1486] Data Encrypted for Impact – Encryption of files with ChaCha20 and extension addition, e.g., “.basta”. “Encryption” and “Appends the file extension .basta to encrypted files.”
- [T1083] File and Directory Discovery – Enumerates volumes during encryption using FindFirstVolumeW/FindNextVolumeW to map drives. “FindFirstVolumeW() and FindNextVolumeW() functions to enumerate volumes.”
- [T1140] Deobfuscate/Decode Files or Information – Additional static analysis details about decoding/packing appear in the loader analysis. “The loader creates a suspended process… GetThreadContext()…”
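As an added defender-side example (not code from the IBM X-Force post), the following Python scans constructed process-creation events for the recovery-inhibition, Fax service change and safe-mode-reboot behaviours listed above, and correlates the bcdedit change with the following shutdown on the same host. The vssadmin command line is the one quoted in the post; the bcdedit “safeboot” flag and the sc.exe service-change syntax are assumptions about how those steps would appear in telemetry, since the post names the tools but not the exact command lines.

```python
import re
from collections import defaultdict

# Rule name -> pattern over the process command line. The vssadmin form is quoted from the
# post; the bcdedit safeboot and sc.exe config patterns are assumed representations.
RULES = {
    "T1490 shadow copy deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "safe-mode boot entry set via bcdedit": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "reboot via shutdown /r": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
    "Fax service reconfigured via sc.exe": re.compile(r"\bsc(\.exe)?\s+config\s+Fax\b", re.I),
}

# Constructed Sysmon-style process-creation events: (host, seconds since epoch, command line).
SAMPLE_EVENTS = [
    ("WS01", 100, r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ("WS01", 101, "vssadmin list shadows"),                       # benign admin query
    ("WS01", 105, "sc config Fax binPath= C:\\Users\\Public\\upd.exe"),
    ("WS01", 110, "bcdedit /set {default} safeboot minimal"),
    ("WS01", 111, "shutdown /r /f /t 0"),
    ("WS02", 200, "bcdedit /enum"),                               # benign: read-only query
    ("WS02", 205, "shutdown /r /t 60"),                           # reboot with no safeboot change
]

def match_rules(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def scan(events, window=300):
    """Per-host alert lists: each rule hit, plus a correlated 'reboot into safe mode' alert
    when a bcdedit safeboot change is followed by shutdown /r within `window` seconds."""
    alerts = defaultdict(list)
    safeboot_seen = {}                     # host -> timestamp of the bcdedit safeboot change
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        hits = match_rules(cmd)
        alerts[host].extend(hits)
        if "safe-mode boot entry set via bcdedit" in hits:
            safeboot_seen[host] = ts
        if ("reboot via shutdown /r" in hits and host in safeboot_seen
                and ts - safeboot_seen[host] <= window):
            alerts[host].append("T1547 reboot into safe mode (bcdedit + shutdown)")
    return dict(alerts)

if __name__ == "__main__":
    for host, found in scan(SAMPLE_EVENTS).items():
        print(host, found)
```

A bare shutdown /r is low-fidelity on its own; the value is in the correlation with a preceding boot-entry change, which is why WS02 gets only the single reboot hit.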
Indicators of Compromise
- [File] ef1382770f820e4b2e65981bb7b3a62d5f93e3b87763f83012ef7f7cb1bc9469 – Loader SHA256 hash.
- [File] 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 – Sample hash listed in static analysis.
- [File] 5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173 – Sample hash listed in static analysis.
- [URL] aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ – Tor data leak/negotiation site referenced by the ransom note.
- [Domain/URL] hxxps://torproject.org – Tor Browser link given in the ransom note for access.
- [ID] c98fa42b-3233-45df-bd7c-42529c44cb70 – Example company ID used in the ransom note.
- [File] readme.txt – Ransom note dropped in encrypted directories.
- [File] fkdjsadasd.ico – Default icon file for encrypted files.
- [File] dlaksjdoiwq.jpg – Desktop wallpaper image used by the ransomware.
Read more: https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/