BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Black Basta

107
Global rank
59 infographic chevron month
Month rank
30 infographic chevron week
Week rank
0
IOCs

Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.

Ransomware
Type
Unknown
Origin
1 February, 2022
First seen
29 October, 2024
Last seen

How to analyze Black Basta with ANY.RUN

Type
Unknown
Origin
1 February, 2022
First seen
29 October, 2024
Last seen

IOCs

IP addresses
115.247.12.66
212.30.37.227
45.89.242.2
176.10.80.37
45.134.22.54
78.141.213.249
151.236.28.34
146.70.106.61
138.199.59.52
23.106.123.13
194.5.53.86
64.52.80.212
185.163.110.124
146.70.86.44
23.29.115.172
72.252.157.37
72.12.115.15
103.246.242.230
46.176.222.241
39.44.144.182
Domains
l1ve.qr-s1.com
companyname.qr-s1.com
qr-s1.com
supportserviceadmin.onmicrosoft.com
supportadministrator.onmicrosoft.com
qr-s3.com
cybersecurityadmin.onmicrosoft.com
supportadminstrator.onmicrosoft.com
qr-s2.com
securityadminhelper.onmicrosoft.com
qr-s4.com
hessetechnology.com
companymartec.com
stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion
modernbee.net
trailc.company.com
coxfixed.com
kekeoamigo.com
recentbee.net
specialdrills.com
Last Seen at

Recent blog posts

post image
How TI Feeds Support Organizational Performan...
watchers 123
comments 0
post image
Recent Cyber Attacks Discovered by ANY.RUN: O...
watchers 407
comments 0
post image
Notifications in Threat Intelligence Lookup 
watchers 881
comments 0

What is Black Basta ransomware?

Black Basta is a malware that falls under the category of ransomware-as-a-service (RaaS). This software is operated by the cybercrime group known as Storm-1811. First detected in 2022, Black Basta has gained attention for its tactics.

The strategy of Black Basta involves double extortion. Unlike traditional ransomware that only encrypts the victim's data, Black Basta also steals it. This dual threat strategy involves demanding a ransom for both the decryption of the data and the non-disclosure of the stolen information. The ransom demands can reach up to $2 million.

The operators of Black Basta set up a website where they publish information about their victims. This site also serves as a platform for leaking data of those who refuse to pay the ransom.

One of the first victims of Black Basta was the American Dental Association, an organization with over 100,000 members. The attack led to a partial shutdown of their infrastructure.

In their attacks, the operators of Black Basta have used QakBot as a means of initially breaching target systems. This tactic allows them to gain a foothold in the system, subsequently deploying the ransomware to encrypt and steal data. The use of QakBot underscores the complexity of the Black Basta attacks.

Black Basta ransomware execution process

To prevent Black Basta infection, it is important to proactively upload all suspicious files and links to the ANY.RUN sandbox. Here is an example of a malicious Black Basta sample, exposed by the service. Let’s break down the entire infection chain step by step:

Step 1: Black Basta can gain initial access through compromised credentials or be delivered to the system by other malware like Qbot.

Step 2: Black Basta then gathers information about the compromised system.

Step 3: The malware operators use tools like PsExec, Windows Management Instrumentation (WMI), and RDP to move across the network and infect other systems.

Step 4: Before deploying the ransomware, sensitive data is exfiltrated using tools like Cobeacon.

BlackBasta wallpaper in ANY.RUN BlackBasta wallpaper in ANY.RUN sandbox

Step 5: As mentioned, Black Basta samples can employ different versions of encryption. One of them is a hybrid encryption scheme combining ChaCha20 for file encryption with RSA-4096 for encrypting the encryption key.
BlackBasta ransom note in ANY.RUN BlackBasta ransom note in ANY.RUN sandbox

Step 6: A note is displayed on the victim's screen, and a text file with details on how to pay the ransom for decryption.

Step 7: To prevent recovery, Black Basta deletes shadow copies using commands like vssadmin.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Black Basta malware technical details

Black Basta employs a range of technical tactics to infiltrate and manipulate target systems. One common method involves hijacking the legitimate system process 'Fax'. The malware deletes the process first, then creates a new registry path to gain elevated privileges within the system.

Once it has infiltrated the system, Black Basta deletes Windows shadow copies via 'vssadmin'. It then changes the wallpaper to announce that the user's computer has been infected by the Black Basta group. Following this, the system is restarted in safe mode.

To bypass system defenses, the malware uses PowerShell to disable active antivirus software. Earlier versions of Black Basta used the ChaCha20 encryption algorithm, later switching to XChaCha20. The malware adds the '.basta' extension to the affected files, indicating their encryption.

Instructions for the victim's further actions are provided in text documents. These documents contain a Tor address and a unique ID for the victim to log in on the website.

As mentioned, many Black Basta attacks have been known to start with QakBot. This is done to establish an initial foothold on the system to then deliver the ransomware. Such attacks begin with the victim unsuspectingly downloading an Excel document with macros. The attack then leads to the malware download and installation process.

The operators of Black Basta also employ Cobalt Strike as a means of scanning the system. This tool allows them to gather information about the target system, identify vulnerabilities, and tailor their attacks accordingly.

The newer versions of the malware, emerging in 2023, utilize advanced obfuscation techniques to evade detection. The malware can also modify the registry to run automatically upon system startup.

Black Basta can also collect credentials stored on the system, further compromising system security.

The latest variants of Black Basta exploit the CVE-2024-1709 vulnerability. The malware is capable of performing lateral movement via tools like PsExec and Cobalt Strike, spreading the infection across the network.

In addition to these tactics, the attackers have started using Quick Assist, a legitimate program for remote connection, as part of their social engineering attacks. This tool allows them to gain remote access to the victim's system, further facilitating the malware's activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Black Basta malware distribution methods

Black Basta operators often get into systems by using compromised login information. To do this, they work with Initial Access Brokers (IABs), selling access to already hacked networks. In return, they receive a share of the profits.

Many Black Basta attacks also begin with spear-phishing campaigns. These campaigns involve sending targeted emails to victims, often disguised as legitimate correspondence. The emails typically contain malicious attachments or links, which, when clicked or downloaded, initiate the malware infection process.

The latest attacks featuring Black Basta also include vishing, or voice phishing. This involves the impersonation of tech support or help desk personnel. The attackers use Quick Assist, a legitimate remote access tool, to trick users into entering a code provided by the attackers. This code allows the attackers to establish remote control over the victim's computer, subsequently downloading malicious files onto the host system.

Conclusion

Black Basta's double extortion, concealment, and abuse of system vulnerabilities make it a significant threat for organizations worldwide. To keep safe from ransomware, it's crucial to adopt suitable cybersecurity practices, including employing a sandbox for analyzing malware.

ANY.RUN's interactive sandbox offers various tools that make malware analysis simpler and faster. It can:

  • Discover threats in files and URLs in less than 40 seconds.
  • Allow direct interaction with the samples and system, similar to a standard computer.
  • Provide Windows and Linux virtual machines to fit your specific needs.
  • Generate in-depth reports describing the threats found.
  • Reveal all malicious activities related to the network, registry, files, and processes.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More