Black Basta: New findings on the notorious ransomware
by Tina Siering
New analysis results: What makes Black Basta so dangerous
The Black Basta ransomware first appeared on the scene in April 2022 and has since spread at breakneck speed. By September 2022, the malware had compromised the networks of over 90 organizations.
Now, research lab SentinelLabs has published a report with new analysis and findings on Black Basta. The security researchers had started tracking Black Basta's activities in early June 2022 after noticing overlaps in ostensibly different cases.
According to the report, the high number of Black Basta ransomware attacks in such a short period of time suggests that the cybercriminals behind the extortion software are very well organized and equipped. But there is currently no evidence that the actors are recruiting partners or offering the ransomware on crimeware marketplaces or darknet forums as Ransomware as a Service (RaaS), he said.
Rather, SentinelLabs security researchers have found that black basta hackers develop and maintain their own toolkit. They either operate entirely without partners or work only with a limited number of confidants. This behavior is highly reminiscent of other private and highly aggressive ransomware groups such as Conti, Evilcorp, or TA505.
Given the similarities in code and deployment methods of the malware (attackers use custom EDR evasion tools), SentinelLabs analysts believe that the actors behind the black basta malware are the same ones who provided the packer source code used in FIN7 attacks. This suggests a possible connection between the two hacker groups. FIN7 is considered a pioneer in the cybercrime scene and has made a name for itself with its attacks on banks and PoS systems. The complexity of its attacks exceeds that of its peers.
Black Basta: These TTPs are used by cybercriminals
The SentinelLabs report includes a detailed analysis of Black Basta's operational TTPs. TTP is short for Tactics, Techniques and Procedures. In other words, it refers to the strategies, methods and processes that the hackers use to achieve their goals. These are the results:
Initial access activities
As the researchers report, the first compromises were with the "QakBot" malware. This malware was distributed via phishing emails that contained macro-based MS Office documents, ISO+LNK files, and .docx documents. These malicious files exploit the MSDTC vulnerability CVE-2022-30190 for remote code execution.
Update on ISO+LNK files (as of 11/16/2022): The latest patchday updates from Microsoft also fix the vulnerability related to the Mark-of-the-Web (MotW) security feature (CVE-2022-41091). Previously, when an ISO attachment was opened and the included LNK file was double-clicked, it was automatically executed without Windows displaying a security warning. After installing the security update, Windows now transfers the mark-of-the-Web flag from the ISO file to all contents, and a security warning is properly displayed when the LNK file is launched.
Reconnaissance phase (information gathering)
Once the attackers connect to the victim's network using black-baiting through the QakBot backdoor, manual reconnaissance takes place. For this, the hackers make use of reconnaissance programs provided on the system drive C:\ in a directory with misleading names such as "Intel" or "Dell". The first step of a Black Basta compromise usually involves running an obfuscated version of AdFind. This stage also often involves loading two custom, unobfuscated .NET assemblies into memory to perform various information-gathering tasks.
Privilege Escalation
After the Reconnaissance phase, Black Basta attempts to escalate privileges at the local and domain level through a variety of exploits. According to the researchers, ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and PrintNightmare (CVE-2021-34527) are used.
Remote Administration Tools
The Black Basta group uses a number of remote administration tools (RAT). The attackers drop a self-extracting archive that contains all the files required to run the Netsupport Manager application. In addition, analysts observed the use of Splashtop, GoToAssist, Atera Agent as well as SystemBC, which was used by various hackers as a SOCKS5 TOR proxy for communication, data exfiltration and downloading malicious modules.
Weakening defenses
The Black Basta group uses different methods of (lateral) lateral movement and deploys various batch scripts to automate the termination of processes and services and weaken defenses. Using an exclusive custom tool, they disable Microsoft Defender Antivirus, perfectly spoofing the view in the graphical user interface (GUI) and continuing to fool the user into thinking that the system status is fine using green check marks.
source: SentinelOne
How to protect your organization from the Black Basta threat
- Endpoint protection
More than 80 percent of all cyberattacks target endpoints such as smartphones, notebooks or workstations. That's why you should deploy an Endpoint Protection Platform (EPP) that preemptively protects endpoints from malware. It blocks known malware at the point of entry using built-in protections such as firewall and IPS capabilities, as well as signature-based malware defenses.
- Managed detection and response solutions
A managed detection and response (MDR) solution can effectively protect your organization even after malware has been successfully placed and activated on the network. MDR solutions such as Allgeier secion's Active Cyber Defense (ACD) service proactively and continuously scan the corporate network for anomalies so that malicious command-and-control communications are detected early. If action is required in the event of a compromise, Allgeier secion's ACD team informs your IT team immediately. This enables you to avert damage from attackers in good time.
The 24/7 Full Managed Service thus acts as an early warning system that actively, proactively and permanently secures your corporate network. All systems within your network are included in the monitoring - in addition to desktops and servers, for example, also laptops, cell phones and tablets as well as network devices, printers, IoT, ICS and BYOD. There is no need to install agents on clients to use the ACD solution. It checks at the network level to see if systems are communicating to command-and-control servers and are therefore compromised.
- IR Readiness Program
With Incident Response (IR) Readiness, you are optimally prepared for an emergency and ensure that you have adequate resources and competencies to recognize signs of a cyber attack at an early stage and respond quickly. For this purpose, a defense strategy tailored to your company is developed and - based on this - technical and organizational measures are derived. Allgeier secion's cyber security consultants will review your existing cyber security incident identification strategy and help you provide the necessary tools to optimally manage a security incident.
Conclusion
Black Basta is a serious ransomware hacking group that has attacked numerous organizations in just a few months. Among their most prominent victims are the car rental company Sixt and the German Press Agency (dpa). By publishing sensitive data on the darknet, the perpetrators blackmail their victims with ransoms in the millions. Security researchers see parallels in the approach to other successful cybercrime gangs such as Conti and FIN7.
With organizations and businesses worldwide facing attacks from the Black Basta group, proactive protection measures are now required, such as effective cyber threat hunting tools. Security experts therefore advise managed detection and response (MDR) solutions such as Allgeier secion's Active Cyber Defense (ACD) service.
Allgeier secion's security analysts monitor the IT infrastructure around the clock and provide immediate information when action is required. Suspected cases are identified immediately after the system has been compromised and incident response measures can be initiated in a targeted and timely manner - before any damage occurs.
Need help upgrading your IT security for 2022? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.