Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Black Basta

blackbasta
112
Global rank
46 infographic chevron month
Month rank
46 infographic chevron week
Week rank
0
IOCs

Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.

Ransomware
Type
Unknown
Origin
1 February, 2022
First seen
16 January, 2025
Last seen

How to analyze Black Basta with ANY.RUN

Ransomware
Type
Unknown
Origin
1 February, 2022
First seen
16 January, 2025
Last seen

IOCs

IP addresses
115.247.12.66
78.141.213.249
45.134.22.54
176.10.80.37
146.70.106.61
23.106.123.13
45.89.242.2
212.30.37.227
185.163.110.124
151.236.28.34
64.52.80.212
138.199.59.52
23.29.115.172
72.252.157.37
72.12.115.15
103.246.242.230
46.176.222.241
72.76.94.52
39.44.144.182
190.252.242.214
Domains
getfnewssolutions.com
allcompanycenter.com
bigdealcenter.world
brownswer.com
stuffstevenpeters5.top
doc.docu-duplicator.com
blazingradiancesolar.com
doc1.docu-duplicator.com
crystallakehotels.com
mailh.org
posetoposeschool.com
summerrain.cloud
doc2.docu-duplicator.com
dropmeafile.com
onlylegalstuff7.top
tztwel12sb.top
rzsixt16sr.top
178-175-139-202.static.as43289.net
megatron3.top
rztwel12vt.top
Last Seen at
16 January, 2025
Malicious activity
2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759
blackbasta
ransomware
16 January, 2025
Malicious activity
bazaar.abuse.ch
arch-exec
blackbasta
ransomware
7 January, 2025
Malicious activity
PRODOMAX_c.exe
blackbasta
ransomware
stealer
18 December, 2024
Malicious activity
bazaar.abuse.ch
arch-exec
blackbasta
ransomware
stealer
5 December, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin.exe
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
22 November, 2024
Malicious activity
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
blackbasta
ransomware
22 November, 2024
No threats detected
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
blackbasta
ransomware
TRACK THEM ALL AT
Public Submissions
Last Seen at
16 January, 2025
Malicious activity
2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759
blackbasta
ransomware
16 January, 2025
Malicious activity
bazaar.abuse.ch
arch-exec
blackbasta
ransomware
7 January, 2025
Malicious activity
PRODOMAX_c.exe
blackbasta
ransomware
stealer
18 December, 2024
Malicious activity
bazaar.abuse.ch
arch-exec
blackbasta
ransomware
stealer
5 December, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin.exe
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
30 November, 2024
Malicious activity
BlackBasta_03.bin
blackbasta
ransomware
22 November, 2024
Malicious activity
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
blackbasta
ransomware
22 November, 2024
No threats detected
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
blackbasta
ransomware
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

Contents

  • What is Black Basta ransomware?
  • Black Basta ransomware execution process
  • Black Basta malware technical details
  • Black Basta malware distribution methods
  • Conclusion

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is Black Basta ransomware?

Black Basta is a malware that falls under the category of ransomware-as-a-service (RaaS). This software is operated by the cybercrime group known as Storm-1811. First detected in 2022, Black Basta has gained attention for its tactics.

The strategy of Black Basta involves double extortion. Unlike traditional ransomware that only encrypts the victim's data, Black Basta also steals it. This dual threat strategy involves demanding a ransom for both the decryption of the data and the non-disclosure of the stolen information. The ransom demands can reach up to $2 million.

The operators of Black Basta set up a website where they publish information about their victims. This site also serves as a platform for leaking data of those who refuse to pay the ransom.

One of the first victims of Black Basta was the American Dental Association, an organization with over 100,000 members. The attack led to a partial shutdown of their infrastructure.

In their attacks, the operators of Black Basta have used QakBot as a means of initially breaching target systems. This tactic allows them to gain a foothold in the system, subsequently deploying the ransomware to encrypt and steal data. The use of QakBot underscores the complexity of the Black Basta attacks.

Black Basta ransomware execution process

To prevent Black Basta infection, it is important to proactively upload all suspicious files and links to the ANY.RUN sandbox. Here is an example of a malicious Black Basta sample, exposed by the service. Let’s break down the entire infection chain step by step:

Step 1: Black Basta can gain initial access through compromised credentials or be delivered to the system by other malware like Qbot.

Step 2: Black Basta then gathers information about the compromised system.

Step 3: The malware operators use tools like PsExec, Windows Management Instrumentation (WMI), and RDP to move across the network and infect other systems.

Step 4: Before deploying the ransomware, sensitive data is exfiltrated using tools like Cobeacon.

BlackBasta wallpaper in ANY.RUN BlackBasta wallpaper in ANY.RUN sandbox

Step 5: As mentioned, Black Basta samples can employ different versions of encryption. One of them is a hybrid encryption scheme combining ChaCha20 for file encryption with RSA-4096 for encrypting the encryption key.
BlackBasta ransom note in ANY.RUN BlackBasta ransom note in ANY.RUN sandbox

Step 6: A note is displayed on the victim's screen, and a text file with details on how to pay the ransom for decryption.

Step 7: To prevent recovery, Black Basta deletes shadow copies using commands like vssadmin.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Black Basta malware technical details

Black Basta employs a range of technical tactics to infiltrate and manipulate target systems. One common method involves hijacking the legitimate system process 'Fax'. The malware deletes the process first, then creates a new registry path to gain elevated privileges within the system.

Once it has infiltrated the system, Black Basta deletes Windows shadow copies via 'vssadmin'. It then changes the wallpaper to announce that the user's computer has been infected by the Black Basta group. Following this, the system is restarted in safe mode.

To bypass system defenses, the malware uses PowerShell to disable active antivirus software. Earlier versions of Black Basta used the ChaCha20 encryption algorithm, later switching to XChaCha20. The malware adds the '.basta' extension to the affected files, indicating their encryption.

Instructions for the victim's further actions are provided in text documents. These documents contain a Tor address and a unique ID for the victim to log in on the website.

As mentioned, many Black Basta attacks have been known to start with QakBot. This is done to establish an initial foothold on the system to then deliver the ransomware. Such attacks begin with the victim unsuspectingly downloading an Excel document with macros. The attack then leads to the malware download and installation process.

The operators of Black Basta also employ Cobalt Strike as a means of scanning the system. This tool allows them to gather information about the target system, identify vulnerabilities, and tailor their attacks accordingly.

The newer versions of the malware, emerging in 2023, utilize advanced obfuscation techniques to evade detection. The malware can also modify the registry to run automatically upon system startup.

Black Basta can also collect credentials stored on the system, further compromising system security.

The latest variants of Black Basta exploit the CVE-2024-1709 vulnerability. The malware is capable of performing lateral movement via tools like PsExec and Cobalt Strike, spreading the infection across the network.

In addition to these tactics, the attackers have started using Quick Assist, a legitimate program for remote connection, as part of their social engineering attacks. This tool allows them to gain remote access to the victim's system, further facilitating the malware's activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Black Basta malware distribution methods

Black Basta operators often get into systems by using compromised login information. To do this, they work with Initial Access Brokers (IABs), selling access to already hacked networks. In return, they receive a share of the profits.

Many Black Basta attacks also begin with spear-phishing campaigns. These campaigns involve sending targeted emails to victims, often disguised as legitimate correspondence. The emails typically contain malicious attachments or links, which, when clicked or downloaded, initiate the malware infection process.

The latest attacks featuring Black Basta also include vishing, or voice phishing. This involves the impersonation of tech support or help desk personnel. The attackers use Quick Assist, a legitimate remote access tool, to trick users into entering a code provided by the attackers. This code allows the attackers to establish remote control over the victim's computer, subsequently downloading malicious files onto the host system.

Conclusion

Black Basta's double extortion, concealment, and abuse of system vulnerabilities make it a significant threat for organizations worldwide. To keep safe from ransomware, it's crucial to adopt suitable cybersecurity practices, including employing a sandbox for analyzing malware.

ANY.RUN's interactive sandbox offers various tools that make malware analysis simpler and faster. It can:

  • Discover threats in files and URLs in less than 40 seconds.
  • Allow direct interaction with the samples and system, similar to a standard computer.
  • Provide Windows and Linux virtual machines to fit your specific needs.
  • Generate in-depth reports describing the threats found.
  • Reveal all malicious activities related to the network, registry, files, and processes.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More