Ransomware continues to be perhaps the most significant cybersecurity challenge of the modern age. Although the number of attacks dropped from 1,300 in Q4 of 2023 to a little over 1,000 in Q1 2024, the reality remains that the encryption and potential exfiltration of critical corporate data is a massive issue. Especially given that the cost of a data breach is around $4.45 million, and that’s not even considering the impact on future corporate revenues.
One of the most prolific ransomware variants of the past few years has been Black Basta. Since the group first appeared, they and their affiliates have targeted more than 500 organizations and 12 out of 16 critical infrastructure sectors. This is according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA) released in a joint report with the FBI, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The report details the evolution of the Black Basta operation and its affiliates, and its growth in the years since its appearance. The authoring organizations didn’t provide any direct link for the release of the report, however the Black Basta ransomware was linked to an attack on Ascension Healthcare on May 10.
Regardless, understanding the tactics, techniques, and procedures of Black Basta as well as its indicators of compromise (IOCs), is vital for cybersecurity teams as they seek to defend their critical systems.
Who Is the Black Basta Ransomware Gang?
Black Basta is a ransomware-as-a-service (RaaS) organization, offering its attack chain for sale on the dark web, while also using the code itself to compromise targets across multiple industries. The ransomware first made its appearance in 2022 shortly after the implosion of the Conti gang that arose following the Russian invasion of Ukraine.
Black Basta’s core core members were most likely part of Conti. The reasoning here is that the two groups have similar approaches to malware development, leak sites, and communications for negotiation, payment, and data recovery. There are also similarities to FIN7 (AKA Carbanak), most notably in their custom Endpoint Detection and Response (EDR) evasion modules and overlapping use of IP addresses for command and control (C2) operations.
Black Basta quickly became one of the most prominent RaaS in its first few months of operation. They racked up 19 prominent enterprise victims and more than 100 compromised organizations in their early days.
Since their launch, the gang and its affiliates have targeted companies in North America, Europe, and Australia. As of May 2024, according to the CISA advisory, Black Basta and its affiliates have attacked 500 organizations around the world.
This makes it one of the more prolific RaaS operations in existence today, indicative of its reach and potential for causing damage globally.
How Does Black Basta Operate?
Black Basta affiliates often use standard initial access techniques. They’ve used phishing attacks and exploited known vulnerabilities to surgically target people at organizations. Following the CISA report, at least one part of the operation has adopted a new technique of flooding targets with spam emails and then pretending to be customer service representatives to offer help with the issue. Since February, affiliates have also used the 10.0 “critical”-rated ConnectWise ScreenConnect bug CVE-2024-1709 to gain initial access.
Their attacks follow a double-extortion model. Black Basta and affiliates encrypt systems and exfiltrate data, a standard double extortion methodology. Their ransom notes don’t typically include an initial demand or payment instructions, instead directing victims to a .onion URL reachable through the Tor browser and providing a unique code to use. The notes tend to give victims between 10 and 12 days to pay before their data gets published on the Black Basta TOR site, Basta News.
The CISA report further details common initial access methodologies, including spear phishing and the ConnectWise vulnerability noted above. CISA describes network scanning tactics, as well as how Black Basta affiliates achieve privilege escalation and lateral movement through targets to ultimately achieve their goals of encryption and exfiltration.
RClone is commonly used for data exfiltration. Cybersecurity researchers have witnessed some Black Basta affiliates using PowerShell to disable antivirus and occasionally deploying a tool called Backstab that’s designed to disable endpoint detection and response (EDR). Once those security tools are disabled, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files. Attackers will finally add a .basta filename extension (or something else) to encrypted files, and delete shadow copies on the volume with the vssadmin.exe program.
The CISA report continues to list publicly available tools that Black Basta affiliates have been known to use, as well as IOCs such as malicious files, network indicators, file indicators, and known Black Basta Cobalt Strike domains.
How Sotero Helps Defend Against Black Basta Ransomware
Sotero has adopted an innovative approach to defending against attacks like Black Basta. As a purpose-built in the cloud for the cloud solution, Sotero blocks ransomware from spreading to internal resources that are mapped to the cloud. It does this with advanced behavior-based anomaly detection as opposed to legacy signature-based methods for a comprehensive ransomware solution. Sotero’s detections are based on advanced machine learning that creates access and utilization baselines across cloud infrastructure to detect, monitor, flag, isolate, and stop suspicious activity in real-time.
Whether your data is at rest, in use, or in transit, Sotero has it under lock and key. In a world where data has become as precious as gold, this robust encryption secures your unstructured data in the cloud from ransomware threats.
Sotero’s ransomware protection offers the advantage of detecting malware at the earliest possible attack stage. Sotero cuts off access, generates alerts, and creates an entire auditable log trail before malware can take hold. Sotero integrates seamlessly with existing Security Information and Event Management (SIEM) systems or Infrastructure as a Service (IaaS) platforms. This allows organizations to view their entire information security landscape through a single-pane-of-glass interface, empowering them to make informed decisions swiftly.
To learn how you can stop ransomware attacks quickly, contact a data security specialist today!