BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Black Basta

blackbasta
109
Global rank
54 infographic chevron month
Month rank
117 infographic chevron week
Week rank
0
IOCs

Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.

Ransomware
Type
Unknown
Origin
1 February, 2022
First seen
6 November, 2024
Last seen

How to analyze Black Basta with ANY.RUN

Ransomware
Type
Unknown
Origin
1 February, 2022
First seen
6 November, 2024
Last seen

IOCs

IP addresses
115.247.12.66
78.141.213.249
146.70.106.61
176.10.80.37
146.70.86.44
45.134.22.54
45.89.242.2
212.30.37.227
151.236.28.34
64.52.80.212
23.106.123.13
138.199.59.52
185.163.110.124
23.29.115.172
24.178.196.44
217.128.122.16
190.252.242.214
72.76.94.52
113.89.5.177
103.246.242.230
Domains
megatron3.top
greenmotors6.top
rzelev11ht.top
gift4animals.com
danimos.com
rzfift15ht.top
rzeight8sb.top
rzninet19pt.top
databasebb5.top
qr-send.com
startuptechnologyw.net
greenmotors5.top
megatron4.top
greenmotors2.top
rzfourt14vt.top
rzsevt17pt.top
rzninet19sr.top
rzeight18sr.top
onlylegalstuff7.top
blockcentersys.net
Last Seen at
6 November, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
6 November, 2024
Malicious activity
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
blackbasta
ransomware
6 November, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
29 October, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
28 October, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
27 October, 2024
Malicious activity
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.exe
blackbasta
ransomware
stealer
15 October, 2024
Malicious activity
CMC_X.exe
api-base64
blackbasta
ransomware
1 October, 2024
Malicious activity
BlackBasta_02.exe
blackbasta
ransomware
25 September, 2024
Malicious activity
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415.exe
api-base64
blackbasta
ransomware
25 September, 2024
Malicious activity
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415.exe
api-base64
blackbasta
ransomware
TRACK THEM ALL AT
Public Submissions
Last Seen at
6 November, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
6 November, 2024
Malicious activity
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
blackbasta
ransomware
6 November, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
29 October, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
28 October, 2024
Malicious activity
BlackBasta_02.bin
blackbasta
ransomware
stealer
27 October, 2024
Malicious activity
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.exe
blackbasta
ransomware
stealer
15 October, 2024
Malicious activity
CMC_X.exe
api-base64
blackbasta
ransomware
1 October, 2024
Malicious activity
BlackBasta_02.exe
blackbasta
ransomware
25 September, 2024
Malicious activity
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415.exe
api-base64
blackbasta
ransomware
25 September, 2024
Malicious activity
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415.exe
api-base64
blackbasta
ransomware
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

Contents

  • What is Black Basta ransomware?
  • Black Basta ransomware execution process
  • Black Basta malware technical details
  • Black Basta malware distribution methods
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

What is Black Basta ransomware?

Black Basta is a malware that falls under the category of ransomware-as-a-service (RaaS). This software is operated by the cybercrime group known as Storm-1811. First detected in 2022, Black Basta has gained attention for its tactics.

The strategy of Black Basta involves double extortion. Unlike traditional ransomware that only encrypts the victim's data, Black Basta also steals it. This dual threat strategy involves demanding a ransom for both the decryption of the data and the non-disclosure of the stolen information. The ransom demands can reach up to $2 million.

The operators of Black Basta set up a website where they publish information about their victims. This site also serves as a platform for leaking data of those who refuse to pay the ransom.

One of the first victims of Black Basta was the American Dental Association, an organization with over 100,000 members. The attack led to a partial shutdown of their infrastructure.

In their attacks, the operators of Black Basta have used QakBot as a means of initially breaching target systems. This tactic allows them to gain a foothold in the system, subsequently deploying the ransomware to encrypt and steal data. The use of QakBot underscores the complexity of the Black Basta attacks.

Black Basta ransomware execution process

To prevent Black Basta infection, it is important to proactively upload all suspicious files and links to the ANY.RUN sandbox. Here is an example of a malicious Black Basta sample, exposed by the service. Let’s break down the entire infection chain step by step:

Step 1: Black Basta can gain initial access through compromised credentials or be delivered to the system by other malware like Qbot.

Step 2: Black Basta then gathers information about the compromised system.

Step 3: The malware operators use tools like PsExec, Windows Management Instrumentation (WMI), and RDP to move across the network and infect other systems.

Step 4: Before deploying the ransomware, sensitive data is exfiltrated using tools like Cobeacon.

BlackBasta wallpaper in ANY.RUN BlackBasta wallpaper in ANY.RUN sandbox

Step 5: As mentioned, Black Basta samples can employ different versions of encryption. One of them is a hybrid encryption scheme combining ChaCha20 for file encryption with RSA-4096 for encrypting the encryption key.
BlackBasta ransom note in ANY.RUN BlackBasta ransom note in ANY.RUN sandbox

Step 6: A note is displayed on the victim's screen, and a text file with details on how to pay the ransom for decryption.

Step 7: To prevent recovery, Black Basta deletes shadow copies using commands like vssadmin.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Black Basta malware technical details

Black Basta employs a range of technical tactics to infiltrate and manipulate target systems. One common method involves hijacking the legitimate system process 'Fax'. The malware deletes the process first, then creates a new registry path to gain elevated privileges within the system.

Once it has infiltrated the system, Black Basta deletes Windows shadow copies via 'vssadmin'. It then changes the wallpaper to announce that the user's computer has been infected by the Black Basta group. Following this, the system is restarted in safe mode.

To bypass system defenses, the malware uses PowerShell to disable active antivirus software. Earlier versions of Black Basta used the ChaCha20 encryption algorithm, later switching to XChaCha20. The malware adds the '.basta' extension to the affected files, indicating their encryption.

Instructions for the victim's further actions are provided in text documents. These documents contain a Tor address and a unique ID for the victim to log in on the website.

As mentioned, many Black Basta attacks have been known to start with QakBot. This is done to establish an initial foothold on the system to then deliver the ransomware. Such attacks begin with the victim unsuspectingly downloading an Excel document with macros. The attack then leads to the malware download and installation process.

The operators of Black Basta also employ Cobalt Strike as a means of scanning the system. This tool allows them to gather information about the target system, identify vulnerabilities, and tailor their attacks accordingly.

The newer versions of the malware, emerging in 2023, utilize advanced obfuscation techniques to evade detection. The malware can also modify the registry to run automatically upon system startup.

Black Basta can also collect credentials stored on the system, further compromising system security.

The latest variants of Black Basta exploit the CVE-2024-1709 vulnerability. The malware is capable of performing lateral movement via tools like PsExec and Cobalt Strike, spreading the infection across the network.

In addition to these tactics, the attackers have started using Quick Assist, a legitimate program for remote connection, as part of their social engineering attacks. This tool allows them to gain remote access to the victim's system, further facilitating the malware's activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Black Basta malware distribution methods

Black Basta operators often get into systems by using compromised login information. To do this, they work with Initial Access Brokers (IABs), selling access to already hacked networks. In return, they receive a share of the profits.

Many Black Basta attacks also begin with spear-phishing campaigns. These campaigns involve sending targeted emails to victims, often disguised as legitimate correspondence. The emails typically contain malicious attachments or links, which, when clicked or downloaded, initiate the malware infection process.

The latest attacks featuring Black Basta also include vishing, or voice phishing. This involves the impersonation of tech support or help desk personnel. The attackers use Quick Assist, a legitimate remote access tool, to trick users into entering a code provided by the attackers. This code allows the attackers to establish remote control over the victim's computer, subsequently downloading malicious files onto the host system.

Conclusion

Black Basta's double extortion, concealment, and abuse of system vulnerabilities make it a significant threat for organizations worldwide. To keep safe from ransomware, it's crucial to adopt suitable cybersecurity practices, including employing a sandbox for analyzing malware.

ANY.RUN's interactive sandbox offers various tools that make malware analysis simpler and faster. It can:

  • Discover threats in files and URLs in less than 40 seconds.
  • Allow direct interaction with the samples and system, similar to a standard computer.
  • Provide Windows and Linux virtual machines to fit your specific needs.
  • Generate in-depth reports describing the threats found.
  • Reveal all malicious activities related to the network, registry, files, and processes.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More