Ransomware Attack (Black Basta)

Introduction: This analysis focuses on the Black Basta ransomware, which emerged in early 2022 as an evolution of the Hermes/Ryuk/Conti families. Heavily promoted in underground cybercrime markets, Black Basta employs double extortion tactics, demanding payment for a decryptor and the non-release of stolen data. Notably, it has Windows and Linux variants.
Targeted Sectors: Black Basta does not discriminate across industries, targeting healthcare, government, financial services, education, and media. However, targeting within the Commonwealth of Independent States (CIS) is discouraged.
Attack Techniques: Black Basta is deployed through Cobalt Strike or similar post-exploitation frameworks and through email phishing, and it is often delivered as a secondary payload following a Qakbot infection. Initial access occurs through various means, including macro-enabled MS Office documents, ISO+LNK droppers, and .docx documents exploiting the MSDT remote code execution vulnerability (CVE-2022-30190).
Technical Characteristics: Black Basta operators use the Qakbot foothold for hands-on reconnaissance. Reconnaissance utilities are staged in folders with deceptive names such as “Intel” or “Dell” in the root of the C: drive. The ransomware uses the SoftPerfect network scanner (netscan.exe) for network scanning and leverages the WMI service to enumerate installed security solutions. It disables endpoint security products before initiating encryption.
Beyond reconnaissance, Black Basta attempts privilege escalation through various exploits, including ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278), and PrintNightmare (CVE-2021-34527). Custom scripts and tools are also employed in its campaigns.
Detection Strategies: EDR solutions are capable of identifying and preventing malicious activity associated with Black Basta. For organizations without such a solution, detection can be achieved through a multi-layered approach:

  • Security Tools: Utilize anti-malware software or security tools capable of detecting and blocking known ransomware variants, using signatures, heuristics, or machine learning algorithms.
  • Network Traffic Monitoring: Regularly monitor network traffic for indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  • Security Audits: Conduct routine security audits to identify vulnerabilities and ensure proper functioning of security controls.
  • Education & Training: Educate employees on cybersecurity best practices, emphasizing the recognition and reporting of suspicious emails or potential threats.
  • Backup & Recovery Planning: Implement a robust backup and recovery plan to restore data in the event of an attack.
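The host-level indicators described under Technical Characteristics (tools staged under C:\Intel or C:\Dell, netscan.exe execution, and WMI enumeration of installed security products) can be turned into simple hunting rules over process-creation telemetry. The following is an added example, not code from the original page or from RASOC; the Sysmon-style event records, their field names, and every path and command value in them are constructed for the demo.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry); the
# field names and every path/command value here are assumptions for the demo.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "image": r"C:\Intel\netscan.exe",  # staged scanner
     "cmdline": "netscan.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",  # AV enumeration
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "ws03", "image": r"C:\Dell\oem_helper.exe",  # constructed benign OEM utility
     "cmdline": "oem_helper.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Intel\Graphics\helper.exe",
     "cmdline": "helper.exe"},
]

# Each rule: (name, event field it inspects, pattern), one per indicator above.
RULES = [
    # Executable run directly from C:\Intel\ or C:\Dell\ (deceptive staging folders).
    # Caveat: OEM machines legitimately have these folders, so this is a hunt lead
    # to be tuned with an allowlist, not a standalone block rule.
    ("staged_in_root_oem_folder", "image",
     re.compile(r"^[a-z]:\\(intel|dell)\\[^\\]+$", re.I)),
    # SoftPerfect Network Scanner binary, regardless of where it was dropped.
    ("softperfect_netscan", "image", re.compile(r"\\netscan\.exe$", re.I)),
    # WMI query against the SecurityCenter2 namespace / AntiVirusProduct class:
    # enumeration of installed security products ahead of tampering with them.
    ("wmi_security_product_enum", "cmdline",
     re.compile(r"securitycenter2|antivirusproduct", re.I)),
]


def detect(events, allowlist=frozenset()):
    """Return (host, rule_name, image) for every rule each event trips.
    allowlist holds lower-cased image paths of known-good OEM binaries."""
    findings = []
    for ev in events:
        if ev["image"].lower() in allowlist:
            continue
        for name, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                findings.append((ev["host"], name, ev["image"]))
    return findings


if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_EVENTS, {r"c:\dell\oem_helper.exe"}):
        print(f"{host}: {rule} -> {image}")
```

Run as-is it reports three findings: the staged netscan.exe trips both the root-folder and the scanner rule, and the WMIC query trips the security-product enumeration rule, while the allowlisted OEM helper and the binary under Program Files are ignored.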

Mitigation Measures: The following steps can help mitigate the risk of Black Basta ransomware attacks:

  • Employee Education: Train employees to recognize and avoid phishing emails and malicious attachments. Encourage reporting of suspicious content.
  • Strong Passwords: Implement strong, unique passwords for user accounts, regularly updating and rotating them.
  • Multi-Factor Authentication (MFA): Enable MFA for user accounts to enhance security through an additional layer of authentication.
  • System Updates and Patching: Regularly update and patch systems to address vulnerabilities and prevent exploitation.
  • Backup and Disaster Recovery (BDR): Establish regular BDR processes, creating and testing backups stored in secure, offsite locations for quick recovery.

A comprehensive approach is crucial, combining awareness, preventive measures, and recovery strategies to safeguard against ransomware threats like Black Basta.

Copyright © 2024 RASOC all rights reserved