Examining the Black Basta Ransomware’s Infection Routine

Black Basta’s infection routine is dissected, revealing how the ransomware relies on credential access, privilege escalation, and careful system manipulation to achieve encryption and extortion. The analysis also covers its methods for disabling recovery, altering wallpaper and icons, and its ties to double-extortion practices and potential links to Conti/QAKBOT activity. #BlackBasta #Conti #QAKBOT #QUAKNIGHTMARE #PRINTNIGHTMARE #no_name_software #BastaNews

Keypoints

  • Black Basta targets English-speaking regions and leverages stolen credentials from darknet/underground markets for initial access.
  • Administrator rights are required for execution; a command prompt appears if run without those rights.
  • Shadow copies are deleted, Windows recovery disabled, and the system is rebooted into safe mode to aid encryption.
  • The malware drops temporary files and registry entries to alter desktop wallpaper and file icons before encryption.
  • Files are encrypted in safe mode with a .basta extension, accompanied by a ransom note containing a company ID and onion site.
  • Double extortion is used: data exfiltration prior to encryption, with victims listed on a Tor-based Basta News site.
  • New findings suggest possible connections to QAKBOT and a loader that uses reflective loading, with potential organization-specific binaries.

MITRE Techniques

  • [T1078] Valid Accounts – The attackers advertise and use stolen credentials from darknet forums to gain access to target networks. Quote: “…advertisement that it intends to buy and monetize corporate network access credentials… malicious actors acquired stolen credentials from some darknet websites…”
  • [T1490] Inhibit System Recovery – After execution, the ransomware deletes shadow copies and disables recovery features. Quote: “it removes shadow copies, disables Windows recovery and repair, and boots the PC in safe mode.”
  • [T1112] Modify Registry – The ransomware changes wallpaper and icons by creating registry entries and dropping image files in %Temp%. Quote: “registry entry: Key: HKCU\Control Panel\Desktop; Value: Wallpaper; Data: %Temp%\dlaksjdoiwq.jpg;”
  • [T1112] Modify Registry – It also adds keys to change the icon of encrypted files with the .basta extension. Quote: “HKLM\SOFTWARE\Classes\.basta… Data: %TEMP%\fkdjsadasd.ico”
  • [T1543.003] Create or Modify System Process: Windows Service – It deletes a service named Fax and creates a new one to achieve persistence. Quote: “the ransomware deletes the service named Fax, and creates a new one with the same name using the malware’s path and adds it to the registry for persistence.”
  • [T1059.001] PowerShell – The analysis notes staging with PowerShell commands as part of the process. Quote: “it then executes certain PowerShell commands as part of its staging phase.”
  • [T1055] Process Injection: Reflective Loading – The loader downloads into memory and launches via reflective loading. Quote: “the loader downloads to the device’s memory then uses reflective loading to launch the ransomware.”
  • [T1486] Data Encrypted for Impact – Encryption of files, appending .basta to encrypted files. Quote: “The ransomware proceeds to encrypt files while the device is in safe mode, appending all encrypted files with the .basta extension.”
  • [T1204] User Execution: Malicious File – Initial delivery/execution path mentions using a malicious Excel file alongside QAKBOT’s techniques. Quote: “As with QAKBOT, the malware is downloaded and executed from a malicious Excel file.”
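As an added defender-side example (not code from the Trend Micro post), the following Python flags the behaviours listed above in a constructed stream of endpoint events: the wallpaper and .basta registry writes, the Fax service re-created from a non-Windows path, and recovery tampering. The event field names and the specific vssadmin/bcdedit command lines are assumptions; the post names the behaviours, not the commands.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape; the field
# names are an assumption for this example, not a real vendor schema.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\Users\u\AppData\Local\Temp\dlaksjdoiwq.jpg"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Classes\.basta\DefaultIcon",
     "value": "", "data": r"C:\Users\u\AppData\Local\Temp\fkdjsadasd.ico"},
    {"type": "service_create", "name": "Fax", "image": r"C:\Users\u\Downloads\payload.exe"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "bcdedit /set {default} safeboot network"},
    # Benign controls: the built-in wallpaper path and the real Fax service binary.
    {"type": "registry_set", "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
    {"type": "service_create", "name": "Fax", "image": r"C:\Windows\System32\fxssvc.exe"},
]

TEMP_DIR = re.compile(r"\\temp\\", re.I)              # path passes through a Temp dir
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)  # legitimate service binaries live here
# Assumed command lines for shadow-copy removal and safe-mode boot (post names the
# behaviour, not the tooling).
RECOVERY_TAMPER = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*safeboot)", re.I)

def classify(ev):
    """Return the rule name an event trips, or None if it looks benign."""
    t = ev["type"]
    if t == "registry_set":
        key = ev["key"].lower()
        if key.endswith(r"control panel\desktop") and ev["value"].lower() == "wallpaper" \
                and TEMP_DIR.search(ev["data"]):
            return "T1112 wallpaper replaced from Temp"
        if r"\classes\.basta" in key:
            return "T1112 .basta file-class registered"
    elif t == "service_create":
        if ev["name"].lower() == "fax" and not WINDOWS_DIR.match(ev["image"]):
            return "T1543.003 Fax service re-created outside Windows dir"
    elif t == "process" and RECOVERY_TAMPER.search(ev["cmdline"]):
        return "T1490 shadow copy / safe-boot tampering"
    return None

def detect(events):
    """Return (index, rule) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((i, rule))
    return hits

if __name__ == "__main__":
    for i, rule in detect(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```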

Indicators of Compromise

  • [SHA256] – Ransomware IOCs (BASTACRYPT) – 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa, 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a, and 6 more hashes
  • [SHA256] – QAKBOT-related samples – a48ac26aa9cdd3bc7f219a84f49201a58d545fcebf0646ae1d676c7e43c6ac3e, 82c73538322c8b90c25a99a7afc2fafcd7e7e03fe920a3331ef0003300ac10b8, and 10 more hashes

Read more: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html