Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta

Joint U.S. government agencies issued a Cybersecurity Advisory about Black Basta ransomware, noting its encryption and data theft across multiple critical infrastructure sectors. AttackIQ released an attack graph emulating Black Basta’s tactics, techniques, and procedures to help organizations validate defenses and improve detection and response.
#BlackBasta #QakBot #StopRansomware

Key Points

  • Black Basta is a ransomware variant operated under a Ransomware as a Service (RaaS) model, active since April 2022 with development dating to February 2022.
  • Affiliates have targeted diverse sectors worldwide, with notable focus on Construction, Manufacturing, Professional Services, Financial Services, Healthcare & Life Sciences, and Energy/Utilities.
  • The operators follow a double-extortion model: they encrypt files, exfiltrate data, and publish the stolen data on a Dedicated Leak Site if the ransom is not paid.
  • AttackIQ released an attack graph emulating Black Basta’s TTPs to help customers test security controls, focusing on encryption and data destruction alongside lateral movement.
  • The CSA references StopRansomware objectives and recommends validating security programs against the behaviors demonstrated by Black Basta affiliates.
  • The emulation covers stages from initial discovery and persistence to defense evasion, lateral movement, and data encryption, culminating in Impact/Encryption of files.
  • The article provides detection and mitigation guidance, including patching guidance, PowerShell logging, and specific MITRE ATT&CK techniques (e.g., T1082, T1087.001, T1136.001, T1078.003, T1021.001, T1490, T1486, T1562.*).

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion - 'This scenario will call the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.'
  • [T1082] System Information Discovery - 'This scenario will call the GetComputerNameA (Kernel32) Windows API to enumerate the computer name.'
  • [T1087.001] Account Discovery: Local Account - 'The native net user command is executed to get a list of local accounts.'
  • [T1136.001] Create Account: Local Account - 'This scenario will create a new account with the name admin using net user.'
  • [T1078.003] Valid Accounts: Local Accounts - 'This scenario will attempt to add a local user to the local Administrators group using the net localgroup command.'
  • [T1562.001] Impair Defenses: Disable or Modify Tools - 'The registry value HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections is set to 0, which enables remote access to the system using Remote Desktop.'
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall - 'This scenario creates a new firewall rule using the netsh advfirewall utility to open local port 3389 for inbound access.'
  • [T1021.001] Remote Desktop Protocol - 'This scenario will attempt to move laterally to another previously discovered host through Remote Desktop Protocol (RDP).'
  • [T1562.009] Impair Defenses: Safe Mode Boot - 'This scenario will attempt, through the registry, to force the initialization of a service if the system is started in SafeBoot mode.'
  • [T1562.001] Impair Defenses: Disable or Modify Tools - 'This scenario uses PowerShell to set the DisableAntiSpyware registry value, which prevents Microsoft Defender from running after the next reboot.'
  • [T1059.001] Command and Scripting Interpreter: PowerShell - 'Adversaries may utilize PowerShell scripts and built-in PowerShell cmdlets to complete their discovery objectives.'
  • [T1105] Ingress Tool Transfer - 'This scenario downloads a sample to memory and, in an independent scenario, saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.'
  • [T1490] Inhibit System Recovery - 'This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.'
  • [T1486] Data Encrypted for Impact - 'This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by Black Basta ransomware.'

Indicators of Compromise

  • [File Name] vssadmin.exe – used to delete Volume Shadow Copies during Inhibit System Recovery
  • [Account] admin – local account created during Stage 2 and added to the Administrators group
  • [Command] net user – enumerates local accounts
  • [Command] net localgroup – adds a local user to the Administrators group
  • [API/Function] GetComputerNameA – enumerates the computer name
  • [API/Function] IsDebuggerPresent – detects debugger presence
  • [Registry Key] HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections – registry value set to enable Remote Desktop
  • [Registry Key] HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication – registry value set to disable NLA
  • [Encryption Algorithm] RSA-4096 + ChaCha20 – encryption used during file encryption
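As an added example (not code from the AttackIQ article or the CISA advisory), the Python below turns the emulated command-line stages from the MITRE Techniques list and the commands and registry values from the indicators section into detection rules, runs them over constructed process-creation events, and correlates hits per host so that a lone routine `net user` or `vssadmin list shadows` does not fire on its own. The hostnames, sample command lines and the rule patterns are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed process-creation records (host, command line), in the shape a
# 4688/Sysmon collector hands to a detection pipeline; sample data, not advisory observations.
SAMPLE_EVENTS = [
    ("ws01", "net user"),
    ("ws01", "net user admin ExamplePass1 /add"),
    ("ws01", "net localgroup Administrators admin /add"),
    ("ws01", 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"'
             " /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("ws01", "netsh advfirewall firewall add rule name=rdp dir=in action=allow"
             " protocol=TCP localport=3389"),
    ("ws01", "powershell.exe -Command \"Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies"
             "\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 1\""),
    ("ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("ws02", "vssadmin.exe list shadows"),   # routine backup check, must not fire
    ("ws02", "net user jdoe"),               # single-account lookup, must not fire
]

# One rule per emulated stage: (ATT&CK id, description, command-line pattern).
RULES = [
    ("T1087.001", "local account enumeration",
     re.compile(r"^\s*net1?(\.exe)?\s+user\s*$", re.I)),
    ("T1136.001", "local account created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
    ("T1078.003", "account added to local Administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("T1562.001", "fDenyTSConnections set to 0 (RDP enabled)",
     re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I)),
    ("T1562.004", "firewall rule opening inbound TCP/3389",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389", re.I)),
    ("T1562.001", "Defender DisableAntiSpyware set to 1",
     re.compile(r"DisableAntiSpyware\b.*(?:/d|-Value)\s+1\b", re.I)),
    ("T1490", "Volume Shadow Copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]

def match_events(events):
    """Return one (host, technique, description, cmd) tuple per rule hit."""
    return [(host, tid, desc, cmd) for host, cmd in events
            for tid, desc, pat in RULES if pat.search(cmd)]

def hosts_with_chain(hits, min_stages=3):
    """Hosts where at least min_stages distinct techniques fired: correlating the
    chain separates the Black Basta sequence from an admin's one-off command."""
    stages = defaultdict(set)
    for host, tid, _desc, _cmd in hits:
        stages[host].add(tid)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)
```

The per-host threshold is the tunable part: raising `min_stages` trades missed partial intrusions for fewer alerts on legitimate administration.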

Read more: https://www.attackiq.com/2024/05/17/response-to-cisa-advisory-aa24-131a/