This joint FBI/CISA/HHS/MS-ISAC advisory provides a profile of Black Basta, a ransomware-as-a-service variant whose operators encrypt data, exfiltrate it, and publish stolen data on a Tor site called Basta News. It outlines initial access methods (phishing and CVE-2024-1709), the double-extortion model, healthcare sector targeting, and mitigations, urging defenders to report incidents and strengthen defenses. #BlackBasta #BastaNews
Keypoints
- Black Basta is described as a ransomware-as-a-service (RaaS) variant with 500+ global impacts by May 2024 across multiple sectors, including Healthcare.
- Initial access primarily relies on spearphishing and exploitation of ConnectWise CVE-2024-1709; some attacks involve abusing valid credentials.
- The threat actor uses a double-extortion workflow: encryption plus data exfiltration, with victims directed to contact via a Tor-based Basta News site and given a 10–12 day window.
- Reconnaissance and discovery employ tools like SoftPerfect NetScan and masquerading with innocuous file names (e.g., Intel, Dell) to evade detection.
- Lateral movement leverages BITSAdmin, PsExec, RDP, plus remote-access tools (Splashtop, Screen Connect, Cobalt Strike beacons); PowerShell is used to disable defenses, and Backstab is deployed to disrupt EDR tooling.
- Privilege escalation uses credential dumping tools (e.g., Mimikatz) and exploits several CVEs (ZeroLogon, NoPac, PrintNightmare) to achieve higher rights.
- Exfiltration uses RClone to move data before encryption; ChaCha20 with RSA-4096 fully encrypts files; shadow copies are deleted to hinder recovery; ransom notes and .basta extensions are used.
MITRE Techniques
- [T1566] Phishing – Black Basta affiliates have used spearphishing emails to obtain initial access. Quote: “Black Basta affiliates have used spearphishing emails to obtain initial access.”
- [T1190] Exploit Public-Facing Application – Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access. Quote: “Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 to obtain initial access.”
- [T1078] Valid Accounts – Affiliates have been observed abusing valid credentials. Quote: “affiliates have been observed abusing valid credentials [T1078].”
- [T1046] Network Service Scanning – Affiliates used the SoftPerfect network scanner (netscan.exe) to conduct network scanning. Quote: “SoftPerfect network scanner (netscan.exe) to conduct network scanning.”
- [T1036] Masquerading – Reconnaissance using innocuous file names like Intel or Dell in the root drive. Quote: “reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:.”
- [T1059.001] PowerShell – Use of PowerShell to disable antivirus products. Quote: “PowerShell to disable antivirus products.”
- [T1562.001] Impair Defenses – Deploying Backstab to disable EDR tooling; PowerShell usage to disable defenses. Quote: “deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling.” and “PowerShell to disable antivirus products.”
- [T1021] Remote Services – Lateral movement using RDP and other remote-access tools (BITSAdmin, PsExec, Splashtop, Screen Connect, Cobalt Strike beacons). Quote: “Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement.”
- [T1567.002] Exfiltration to Cloud Storage – RClone used to facilitate data exfiltration prior to encryption. Quote: “RClone to facilitate data exfiltration prior to encryption.”
- [T1486] Data Encrypted for Impact – ChaCha20 with RSA-4096 fully encrypts files. Quote: “a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files.”
- [T1490] Inhibit System Recovery – Deletion of shadow copies via vssadmin. Quote: “the vssadmin.exe program to delete shadow copies.”
Indicators of Compromise
- [Hash] File Hash – 0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298, d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e and 2 more hashes
- [IP Address] Network Indicator – 66.249.66[.]18, 95.181.173[.]227 and 2 more IPs
- [Domain] Domain Indicator – trailshop[.]net, rasapool[.]net and 2 more domains
- [Filename] Filename Indicator – C:\Users\Public\Audio\Jun.exe, C:\Windows\DS_c1.dll and 2 more filenames
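The indicators above are published defanged (66.249.66[.]18, trailshop[.]net), so before they can be matched against telemetry they have to be refanged and normalised. The following script is an added example, not part of the advisory or this digest: it refangs the listed hashes, IPs, domains and filenames, adds two behavioural rules for the TTPs in the MITRE list (vssadmin shadow-copy deletion, T1490, and netscan.exe reconnaissance, T1046), and runs both over a few constructed key=value endpoint log lines. The log format and the sample lines are assumptions made for the example; the indicator values are the ones listed on this page.

```python
"""Match Black Basta indicators and TTP patterns from AA24-131A against log lines (added example)."""
import re
from typing import Dict, List

# Indicators as listed on this page; network indicators are defanged as published.
IOC_SHA256 = {
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298",
    "d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e",
}
IOC_IPS_DEFANGED = ["66.249.66[.]18", "95.181.173[.]227"]
IOC_DOMAINS_DEFANGED = ["trailshop[.]net", "rasapool[.]net"]
IOC_FILENAMES = [r"C:\Users\Public\Audio\Jun.exe", r"C:\Windows\DS_c1.dll"]

# Behavioural rules derived from the TTP list: shadow copy deletion (T1490) and netscan recon (T1046).
BEHAVIOUR_RULES = {
    "T1490_shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "T1046_netscan_recon": re.compile(r"\bnetscan\.exe\b", re.I),
}


def refang(indicator: str) -> str:
    """Convert a published, defanged indicator back to its live form so it matches real telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}
IOC_FILENAMES_LOWER = {f.lower() for f in IOC_FILENAMES}  # NTFS paths are case-insensitive

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse an assumed key=value log line; quoted values may contain spaces and backslashes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def domain_matches(query: str) -> bool:
    """True for an exact listed domain or any subdomain of it (e.g. cdn.trailshop.net)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator or rule) pair; an empty list means nothing matched."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append({"line": n, "kind": "hash", "value": ev["sha256"]})
        if ev.get("dst") in IOC_IPS:
            hits.append({"line": n, "kind": "ip", "value": ev["dst"]})
        if "query" in ev and domain_matches(ev["query"]):
            hits.append({"line": n, "kind": "domain", "value": ev["query"]})
        if ev.get("image", "").lower() in IOC_FILENAMES_LOWER:
            hits.append({"line": n, "kind": "filename", "value": ev["image"]})
        for name, rule in BEHAVIOUR_RULES.items():
            if rule.search(ev.get("cmdline", "")):
                hits.append({"line": n, "kind": name, "value": ev["cmdline"]})
    return hits


# Constructed sample telemetry for the example; only the indicator values come from the advisory.
SAMPLE_LOG = [
    'ts=2024-05-10T09:12:01Z host=WS01 event=process_create image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
    'ts=2024-05-10T09:15:44Z host=WS01 event=process_create image="C:\\Users\\Public\\Audio\\Jun.exe" cmdline="Jun.exe" '
    'sha256=0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298',
    'ts=2024-05-10T09:16:02Z host=WS01 event=dns query=cdn.trailshop.net',
    'ts=2024-05-10T09:16:05Z host=WS01 event=netconn dst=95.181.173.227 dport=443',
    'ts=2024-05-10T09:20:30Z host=WS01 event=process_create image="C:\\Temp\\netscan.exe" cmdline="netscan.exe /range:10.0.0.0/24"',
    'ts=2024-05-10T11:02:11Z host=WS01 event=process_create image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmdline="vssadmin.exe delete shadows /all /quiet"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['value']}")
```

The behavioural rules are the part worth keeping after the listed hashes and infrastructure rotate: a shadow-copy deletion immediately after a large outbound transfer is the sequence the advisory describes (RClone exfiltration, then vssadmin, then encryption), and it does not depend on any specific sample hash.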
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a