Threat Library

Win32.Ransom.BlackBasta

Last updated: April 28th, 2022

Win32.Ransom.BlackBasta is a ransomware that targets the Win32 platform. BlackBasta is a cross-platform ransomware that has been known to primarily target Windows systems. The threat actors operate under a ransomware-as-a-service business model in which affiliates are responsible for gaining initial access to the target, while the threat actors deploy the ransomware and provide the infrastructure for further operations. The threat actors associated with BlackBasta are known to be selective about their target organizations in order to maximize their impact. BlackBasta has targeted critical infrastructure and healthcare organizations in North America, Europe, and Australia. The threat actors employ double extortion, withholding data recovery and threatening a data leak, and demand the ransom in cryptocurrency. They maintain a Tor web portal to communicate with their victims and a leak site called Basta News. BlackBasta uses publicly available tools and applications such as SoftPerfect for network scanning and Mimikatz for credential scraping, which is used for privilege escalation or to exploit ZeroLogon.

Distribution strategy:

  • Phishing leading to malicious file downloads
  • Exploiting vulnerable applications like ConnectWise
  • Some instances report the use of Qakbot for initial access

Evasion and obfuscation:

  • PowerShell to disable antivirus products
  • Custom tool called Backstab to disable EDR tools

File encryption:

BlackBasta disables EDR tools using PowerShell or Backstab. It then proceeds to delete shadow copies using vssadmin.exe. It uses the ChaCha20 algorithm with an RSA-4096 public key to encrypt files and drops the ransom note in every folder where files have been encrypted. Encrypted files have .basta as their file extension.
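The behaviours described above (shadow copy deletion through vssadmin.exe, a ransom note written into many folders, the .basta extension) can be turned into a simple detection check over endpoint telemetry. The code below is an added example, not code from this page or from the BlackBasta tooling; it assumes telemetry arrives as (image path, command line) pairs plus a list of dropped-file paths, and the sample records are constructed from the sandbox output on this page, except for the .basta victim file, which is made up.

```python
import ntpath
import re

# Constructed sample records modelled on the sandbox output on this page; the
# .basta entry is a made-up victim file, not from the sandbox run.
PROCESS_EVENTS = [
    ("C:\\Windows\\SysWOW64\\cmd.exe", "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ("C:\\Windows\\System32\\vssadmin.exe", "C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet"),
]
DROPPED_FILES = [
    "C:\\MSOCache\\All Users\\instructions_read_me.txt",
    "C:\\PerfLogs\\Admin\\instructions_read_me.txt",
    "C:\\Program Files\\Java\\instructions_read_me.txt",
    "C:\\Users\\victim\\Documents\\report.docx.basta",
]

# Matches "vssadmin delete shadows ... /all" whether run directly or via "cmd.exe /c".
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all(?:\s|$)", re.IGNORECASE)
RANSOM_NOTE = "instructions_read_me.txt"
ENCRYPTED_EXT = ".basta"

def is_shadow_copy_deletion(cmdline):
    return SHADOW_DELETE.search(cmdline) is not None

def flag_shadow_deleters(events):
    """Image paths of processes whose command line wipes all shadow copies."""
    return [path for path, cmd in events if is_shadow_copy_deletion(cmd)]

def ransom_note_dirs(paths):
    """Distinct directories that received the ransom note (ntpath parses Windows paths on any OS)."""
    return sorted({ntpath.dirname(p) for p in paths if ntpath.basename(p).lower() == RANSOM_NOTE})

def assess(events, dropped, note_dir_threshold=3):
    """Combine the three indicators into a verdict plus the findings behind it."""
    findings = []
    deleters = flag_shadow_deleters(events)
    if deleters:
        findings.append("shadow copy deletion by " + ", ".join(deleters))
    note_dirs = ransom_note_dirs(dropped)
    if len(note_dirs) >= note_dir_threshold:
        findings.append(f"ransom note dropped in {len(note_dirs)} directories")
    enc = [p for p in dropped if p.lower().endswith(ENCRYPTED_EXT)]
    if enc:
        findings.append(f"{len(enc)} file(s) with {ENCRYPTED_EXT} extension")
    # Shadow deletion alone is only a warning (admins use vssadmin too); with note or .basta evidence it is ransomware.
    if deleters and len(findings) > 1:
        return "ransomware", findings
    return ("suspicious" if findings else "clean"), findings
```

Shadow copy deletion on its own is kept at "suspicious" because backup and storage tooling also invokes vssadmin; the verdict escalates only when the note or extension evidence corroborates it.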

Engine: File Reputation
Product: ZIA, ZPA + ZIA

Detection Details:

  Connection | Category | Severity | Score
  Inbound    | MALWARE  | High     | 82

Sandbox Activity:

The following files were dropped by the malware during its execution:

  Path | MD5
  C:\MSOCache\All Users\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\PerfLogs\Admin\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\PerfLogs\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files (x86)\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Common Files\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Google\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Internet Explorer\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Java\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Microsoft Analysis Services\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5
  C:\Program Files\Microsoft Office\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5

The following processes were spawned by the malware during its execution:

  Path | Command Line | Process Name
  C:\6387929910B60005_638794BA00000001.exe | 'C:\6387929910B60005_638794BA00000001.exe' | 6387929910B60005_638794BA00000001.exe
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet | cmd.exe
  C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | conhost.exe
  C:\Windows\System32\vssadmin.exe | C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet | vssadmin.exe

Mutexes used by the malware:

  • \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
  • \Sessions\1\BaseNamedObjects\Local\SM0:6808:304:WilStaging_02
  • \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_02