Ransomware Roundup – Black Basta | FortiGuard Labs

FortiGuard Labs’ Ransomware Roundup analyzes Black Basta, detailing its multi-platform operations (Windows and ESXi), RaaS model, and double-extortion tactics. The report covers infection vectors, encryption specifics, Tor-based negotiation sites, victimology, and Fortinet protections and guidance. #BlackBasta #QakBot #ESXi #RClone #BastaNews

Keypoints

  • Black Basta operates as a Ransomware-as-a-Service (RaaS) targeting Windows and ESXi environments.
  • Initial access is via spearphishing and Initial Access Brokers (IABs), with additional access through other malware such as QakBot.
  • Affiliates move laterally using tools provided by operators (e.g., PsExec, WMI, PowerShell) and living-off-the-land techniques to deploy ransomware.
  • Data is exfiltrated using RClone and then released in a double-extortion scheme if ransom demands aren’t met.
  • The Linux ESXi variant targets specific VM-related file types and includes a Linux ransom note demanding contact via Tor.
  • Victimology shows 200+ victims across North America and Europe, with the US accounting for the majority and manufacturing/construction/services/retail heavily impacted.

MITRE Techniques

  • [T1566.001] Spearphishing – The article notes: “Black Basta has been seen to use techniques from spearphishing to purchasing access through Initial Access Brokers (IABs) to gain initial access.”
  • [T1583.003] Acquire Infrastructure – “purchasing access through Initial Access Brokers (IABs) to gain initial access.”
  • [T1068] Exploitation for Privilege Escalation – “The exploitation of the PrintNightmare (CVE-2021-34527) and Follina (CVE-2022-30190) vulnerabilities have also been reported.”
  • [T1021] Remote Services – “moving laterally across a victim’s network (often by using tools supplied by ransomware operators, leveraging dual-use tools, and employing living-off-the-land tactics).”
  • [T1047] Windows Management Instrumentation – “Tools reportedly used by Black Basta threat affiliates include PsExec, Windows Management Instrumentation (WMI), PowerShell, Netcat, BITSAdmin, …”
  • [T1059.001] PowerShell – “PowerShell” is listed among the tools used by affiliates in the same sentence as WMI and PsExec.
  • [T1003.001] Credential Dumping – “Mimikatz” is cited among the credential tools used by attackers: “Mimikatz, Cobalt Strike, Brute Ratel C4…”
  • [T1041] Exfiltration – “install and configure the open-source file-transfer utility ‘RClone’ to steal the data that they collected. The stolen data is then used for their double-extortion scheme.”
  • [T1486] Data Encrypted for Impact – “Black Basta uses the XChaCha20 stream cipher to encrypt its files.”

Indicators of Compromise

  • [SHA-256] File-based IOCs – 0180364e7dd8b5440920f1a85330bc5ec7e80756cb633014846378b9a5c9debd, 03309c90e6c60a2e3cd44374efa3003ae10cd9e05ba6a39c77aa5289b32cb969, and 2 more hashes
  • [File name] Ransom note context – Instructions_read_me.txt

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta