Win32.Ransom.BlackBasta is ransomware that targets the Win32 platform. BlackBasta is a cross-platform ransomware family that has been known to primarily target Windows systems. The threat actors operate a ransomware-as-a-service business model in which affiliates are responsible for gaining initial access to the target, while the core threat actors deploy the ransomware and provide the infrastructure for further operations. The threat actors associated with BlackBasta are known to be selective about their target organizations in order to maximize their impact. BlackBasta has targeted critical infrastructure and healthcare organizations in North America, Europe, and Australia. The threat actors employ a double-extortion scheme, demanding payment both for data recovery and to prevent a data leak; the ransom is demanded in cryptocurrency. They maintain a Tor web portal to communicate with their victims and a leak site called Basta News. BlackBasta uses publicly available tools and applications such as SoftPerfect for network scanning and Mimikatz for credential scraping, which is used for privilege escalation, or exploits ZeroLogon.
Distribution strategy:
Evasion and obfuscation:
File encryption:
BlackBasta disables EDR tools using PowerShell or Backstab, after which it proceeds to delete shadow copies using vssadmin.exe. It uses the ChaCha20 algorithm with an RSA-4096 public key to encrypt the files and drops the ransom note in every folder where files have been encrypted. Encrypted files have .basta as their file extension.
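The behaviours described above (shadow-copy deletion via vssadmin.exe, a ransom note dropped per folder, the .basta extension) can be turned into a simple host-level detection. This is an added example, not code from the original profile or any sandbox vendor; the event tuples, host names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators drawn from the BlackBasta description above
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
RANSOM_NOTE = "instructions_read_me.txt"
ENCRYPTED_EXT = ".basta"

# Constructed sample telemetry, not real sandbox output: (event_type, host, value)
SAMPLE_EVENTS = [
    ("process", "ws01", r"C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ("process", "ws01", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("file_create", "ws01", r"C:\PerfLogs\instructions_read_me.txt"),
    ("file_create", "ws01", r"C:\Program Files\Java\instructions_read_me.txt"),
    ("file_create", "ws01", r"C:\Users\alice\Documents\report.docx.basta"),
    ("file_create", "ws01", r"C:\Users\alice\Documents\budget.xlsx.basta"),
    ("process", "ws02", r"C:\Windows\system32\vssadmin.exe list shadows"),  # benign admin use
    ("file_create", "ws02", r"C:\Users\bob\notes.txt"),
]

def classify(event_type, value):
    """Map one event to an indicator name, or None if it matches nothing."""
    if event_type == "process" and SHADOW_DELETE.search(value):
        return "shadow_delete"
    if event_type == "file_create":
        name = value.rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            return "ransom_note"
        if name.endswith(ENCRYPTED_EXT):
            return "encrypted_file"
    return None

def summarize(events):
    """Count indicators per host; ransom notes are counted per distinct folder."""
    per_host = defaultdict(lambda: {"shadow_delete": 0, "ransom_note": 0, "encrypted_file": 0})
    note_dirs = defaultdict(set)
    for event_type, host, value in events:
        counts = per_host[host]  # ensure every observed host gets an entry
        hit = classify(event_type, value)
        if hit == "ransom_note":
            note_dirs[host].add(value.rsplit("\\", 1)[0].lower())
        elif hit:
            counts[hit] += 1
    for host, dirs in note_dirs.items():
        per_host[host]["ransom_note"] = len(dirs)
    return dict(per_host)

def verdict(counts):
    """Shadow-copy deletion together with note drops or .basta files is the BlackBasta pattern."""
    impact = counts["ransom_note"] >= 2 or counts["encrypted_file"] >= 2
    if counts["shadow_delete"] and impact:
        return "likely BlackBasta"
    if counts["shadow_delete"] or impact:
        return "suspicious"
    return "clean"
```

Note that `vssadmin list shadows` on ws02 is deliberately not matched, so routine administration does not raise the verdict on its own.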
Connection | Category | Severity | Score |
---|---|---|---|
Inbound | MALWARE | High | 82 |
Path | MD5 |
---|---|
C:\MSOCache\All Users\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\PerfLogs\Admin\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\PerfLogs\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files (x86)\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Common Files\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Google\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Internet Explorer\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Java\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Microsoft Analysis Services\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
C:\Program Files\Microsoft Office\instructions_read_me.txt | a1a6d0c7e20ae10a8cb242dd863187a5 |
Path | Command Line | Process Name |
---|---|---|
C:\6387929910B60005_638794BA00000001.exe | 'C:\6387929910B60005_638794BA00000001.exe' | 6387929910B60005_638794BA00000001.exe |
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet | cmd.exe |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | conhost.exe |
C:\Windows\System32\vssadmin.exe | C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet | vssadmin.exe |
Mutex |
---|
\Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex |
\Sessions\1\BaseNamedObjects\Local\SM0:6808:304:WilStaging_02 |
\Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_02 |