Insights from Palo Alto Networks into Black Basta ransomware group

The Black Basta ransomware group is quite active in spreading its malware and extorting companies. Security researchers from Unit 42, Palo Alto Networks' malware analysis team, have taken a closer look at the group's activities. Palo Alto Networks has published a report with details about the Black Basta ransomware group, which first appeared in April 2022 and has been on the rise ever since.


Who is Black Basta?

Black Basta is a Ransomware as a Service (RaaS) that first appeared in April 2022, although there are indications that it has been in development since February of that year. Black Basta's operators use a double extortion technique: not only do they encrypt files on the victims' systems and demand a ransom for decryption, they also maintain a leak site on the dark web where they threaten to publish sensitive information if a victim does not pay.

Black Basta's partners have been very active in spreading Black Basta and extorting money from businesses since the ransomware first appeared. Although they have only been active for a couple of months, according to the information published on their leak site, they have already infected over 75 companies and institutions at the time of this publication. Unit 42 has also already worked on several Black Basta cases.

Ransomware written in C++ for Linux and Windows

The ransomware is written in C++ and affects both Windows and Linux operating systems. It encrypts users' data using a combination of ChaCha20 and RSA-4096. To speed up the encryption process, the ransomware encrypts in sections of 64 bytes, leaving 128 bytes of data unencrypted between the encrypted sections. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. This is a critical factor that affiliates (partners) look for when joining a Ransomware-as-a-Service group.
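As an added illustration (not code from the Unit 42 report or from this post), the Python script below models the 64/128-byte layout described above: it computes which byte ranges such a scheme touches and what share of a file that is, and runs a per-window entropy profile over constructed samples to show why a whole-file entropy check misses intermittent encryption. The 5.0-bit thresholds and the sample data are assumptions.

```python
import math
from collections import Counter

# Layout described above: 64 bytes encrypted, then 128 bytes left in the clear, repeated.
ENC_LEN = 64
GAP_LEN = 128
STRIDE = ENC_LEN + GAP_LEN

def encrypted_ranges(file_size):
    """Half-open byte ranges the 64/128 pattern would encrypt in a file of file_size bytes."""
    return [(pos, min(pos + ENC_LEN, file_size)) for pos in range(0, file_size, STRIDE)]

def encrypted_fraction(file_size):
    """Share of the file actually touched by encryption: exactly 1/3 for multiples of 192."""
    if file_size == 0:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(file_size)) / file_size

def shannon_entropy(chunk):
    """Bits per byte; 0 for an empty chunk, at most log2(len(chunk)) for a short one."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data):
    """(offset, entropy, expected_encrypted) for each 64-byte window and 128-byte gap."""
    profile = []
    for pos in range(0, len(data), STRIDE):
        profile.append((pos, shannon_entropy(data[pos:pos + ENC_LEN]), True))
        gap = data[pos + ENC_LEN:pos + STRIDE]
        if gap:
            profile.append((pos + ENC_LEN, shannon_entropy(gap), False))
    return profile

def looks_intermittently_encrypted(data, high=5.0, low=5.0):
    """True when every 64-byte window is high-entropy and every gap is not. A whole-file
    entropy check misses this layout (two thirds of the bytes stay plaintext), and a fully
    encrypted file is not flagged here because its gaps are random too. Thresholds are assumed."""
    if len(data) < STRIDE:
        return False
    return all(ent >= high if enc else ent < low for _, ent, enc in entropy_profile(data))

# Constructed samples, not real ransomware output: the "ciphertext" window holds 64 distinct
# byte values (maximal entropy for its length), the gap is ordinary log text.
CIPHER_WINDOW = bytes(range(64))
CLEAR_GAP = (b"2022-06-01 10:00:01 INFO backup job finished ok\n" * 3)[:GAP_LEN]
SAMPLE_INTERMITTENT = (CIPHER_WINDOW + CLEAR_GAP) * 2
SAMPLE_PLAINTEXT = CLEAR_GAP * 3
SAMPLE_FULLY_ENCRYPTED = bytes(range(256)) + bytes(range(128))
```

Running `looks_intermittently_encrypted` over the three samples flags only the intermittent one; a plain high-entropy test would flag the fully encrypted sample and miss the intermittent one.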

QBot as first point of entry

Palo Alto Networks' Unit 42 observed that the Black Basta ransomware group uses QBot as its first point of entry to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that began as a banking Trojan and evolved into a malware dropper. It has also been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using QBot for both initial access and lateral spread on the network.

Further assessments

Given that the Black Basta attacks attracted widespread attention and recurred around the world in 2022, it is likely that the operators and/or affiliates behind the service will continue to attack and extort companies. It is also possible that this is not a new operation, but rather a rebrand of a previous ransomware group that brought its affiliates along. Due to numerous similarities in tactics, techniques, and procedures – such as victim-shaming blogs, recovery portals, negotiation tactics, and the speed with which Black Basta accumulated victims – the group could include current or former members of the Conti group.

Since the ransomware emerged, the group's members have been very active in spreading it and extorting businesses. The attackers run a cybercrime marketplace and a blog where the group lists each victim's name, a description, the percentage of the stolen data published so far, the number of visits and all exfiltrated data.


Summary

Although the members have only been active for a few months, they have already compromised more than 75 companies and institutions, according to the information published on their leak site. Unit 42 incident responders have already responded to several Black Basta ransomware cases. Here are some key findings from the Palo Alto Networks investigation:

  • The RaaS uses double extortion as part of the attacks.
  • Data from at least 20 victims was posted on the leak site in the first two weeks of the ransomware's deployment.

The group has reportedly attacked several large companies in consumer and industrial products, energy, resources and agriculture, manufacturing, utilities, transportation, government agencies, professional services and consulting, and real estate. More information on this analysis, which follows other recent ransomware studies such as Blue Sky and Cuba, can be found here.
