Examining the Black Basta Ransomware’s Infection Routine

After running the ransomware as administrator, it removes shadow copies, disables Windows recovery and repair, and boots the PC in safe mode.

• C:WindowsSysNativevssadmin.exe delete shadows /all /quiet
• C:WindowsSysNativebcdedit.exe /deletevalue safeboot
• C:WindowsSysNativebcdedit /set safeboot networkChanges

It also drops the following files, which will be used later when changing the desktop wallpaper and icons for encrypted files:

• %Temp%fkdjsadasd.ico
• %Temp%dlaksjdoiwq.jpg

Before booting the infected device into safe mode, it changes the desktop wallpaper by dropping the .jpg file into the %temp% folder and creating the following registry entry:

• Key: HKCUControl PanelDesktop;  Value: Wallpaper; Data:%Temp%dlaksjdoiwq.jpg;

After changing the desktop wallpaper, it then adds the following registry keys to change the icon of the encrypted files with the .basta extension:

• HKLMSOFTWAREClasses.basta
• HKLMSOFTWAREClasses.bastaDefaultIcon data: %TEMP%fkdjsadasd.ico

The ransomware proceeds to encrypt files while the device is in safe mode, appending all encrypted files with the .basta extension. The ransom note is found in all the folders the ransomware has affected.

The ransom note indicates the malicious actor’s onion site and a company ID. Despite running the same ransomware (SHA256 hash: 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa) on different virtual machines, the company ID the gang provides is the same across all devices.

Using another binary (SHA256 hash: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a), a different company ID is shown on the ransom note. The files are likewise appended with the .basta extension.

Analyzing the infection routine

Black Basta’s recent entry to the cybercrime world suggests that information about their operations is still limited. According to a report, the gang has neither started marketing its operations nor has it begun recruitment of affiliates in underground forums. Based on advertisements they posted before the attacks, the malicious actor likely uses stolen credentials — purchased in darknet websites or underground forums — to get into an organization’s system.

We probed further and found that the company ID written in the ransom note is hardcoded in the binary file.

Black Basta attempts to delete shadow copies using vssadmin.exe and boots the device in safe mode using bcdexit.exe from different paths, specifically, %SysNative% and %System32%.

At this stage, the ransomware deletes the service named Fax, and creates a new one with the same name using the malware’s path and adds it to the registry for persistence.

It then uses ShellExecuteA to shut down and restart the victim’s machine.

Extortion phase

For a newcomer in the field, Black Basta is quite prolific for having compromised at least a dozen organizations in just a few weeks. The group’s first known attack using the Black Basta ransomware occurred in the second week of April 2022. But an earlier sample was also spotted back in February 2022 with the ransomware name “no_name_software,”  which appends the extension “encrypted” to encrypted files. According to some threat researchers, it appears that Black Basta has been in development since early February 2022.

Like other enterprise-focused ransomware operations, Black Basta employs a double extortion scheme that involves exfiltrating confidential data before encryption to threaten victims with public release of the stolen data.

The gang carries out the extortion phase of its attacks on its Tor site, Basta News, which contains a list of all the victims who have not paid the ransom.

Possible relation to an APT

Security researchers exchanged speculations on Twitter that Black Basta is possibly a rebranding of the Conti ransomware operation. MalwareHunterTeam pointed out many similarities in its leak site, payment site, and negotiation style to those of Conti’s. Twitter user Arkbird echoed the same observation.  Lawrence Abrams of BleepingComputer also mentioned that the malicious actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity.

We have also noticed some similarities between the Black Basta and Black Matter payment sites. Like Black Matter, Black Basta implements user verification on its Tor site. However, the leak site does not implement a session key.

New findings: QAKBOT possibly related to Black Basta

Based on our analysis of another set of samples monitored within a 72-hour timeframe, we discovered a possible correlation between QAKBOT and Black Basta ransomware. We observed the following:

• As with QAKBOT, the malware is downloaded and executed from a malicious Excel file. Similar to the typical routine of the QAKBOT binary, it then executes certain PowerShell commands as part of its staging phase.
• From information gathered in our telemetry, we found the presence of the Black Basta ransomware within the 72-hour period in which it encrypted files on victims’ machine. Trend Micro detects this as Ransom.Win32.BASTACRYPT.YACEDT.
• Other researchers pointed out that QAKBOT deploys its version of the exploit PRINTNIGHTMARE (aka QUAKNIGHTMARE) during the same timeframe. We also observed the presence of the weaponized exploit. This, in turn, executes another binary with escalated privilege. Unfortunately, we were unable to find the presence of the file pointed by the hardcoded path. string to complete the attack chain. Trend Micro detects this as Trojan.Win64.QUAKNIGHTMARE.YACEJT.

Malicious actors also use certain tools as seen through our sensors, but we were unable to obtain the complete kit. We have so far gathered paths related to the tools themselves that include the following:

• AdwareCleaner (C:AdwCleaner*)
• Either PC-Cleaner or Pervasive PSQL/SQL (C:pvsw*)

The structure of the ransomware loader is also different from the external article. In this case, instead of dropping and executing the ransomware itself, the loader downloads to the device’s memory then uses reflective loading to launch the ransomware.

The information we have collected so far indicates that the malicious actor behind Black Basta possibly used QAKBOT as a new means to deliver the ransomware.

Insights

The malicious actors could be using a unique binary for each organization that they target. This can be seen from the ransom note that they drop, which is hardcoded in the malware itself. A ransomware typically creates a unique ID for each victim despite being infected by the same executable. Their choice of target organizations also suggests this to be the case. They buy corporate network access credentials in underground markets, which could mean that they do not distribute their malware sporadically. Instead, they use a certain kind of binary or variant for a specific organization.

Recommendations 

Threat researchers suggest that the recent attacks by Black Basta can be seen as early manifestations of Conti’s rebranding efforts. True or not, organizations should keep a watchful eye against ransomware threats. An organization’s thorough assessment of its security posture and its implementation of solid cybersecurity defenses give it a better fighting chance against such threats. 

To protect systems against similar attacks, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware. Here are some best practices that organizations can consider: 

Audit and inventory 

• Take an inventory of assets and data
• Identify authorized and unauthorized devices and software 
• Audit event and incident logs 

Configure and monitor 

• Manage hardware and software configurations 
• Grant admin privileges and access only when necessary to an employee’s role 
• Monitor network ports, protocols, and services 
• Activate security configurations on network infrastructure devices such as firewalls and routers
• Establish a software allowlist that only executes legitimate applications 

Patch and update 

• Conduct regular vulnerability assessments 
• Perform patching or virtual patching for operating systems and applications
• Update software and applications to their latest versions 

Protect and recover 

• Implement data protection, backup, and recovery measures
• Enable multifactor authentication (MFA) 

Secure and defend 

• Employ sandbox analysis to block malicious emails 
• Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network 
• Detect early signs of an attack such as the presence of suspicious tools in the system 
• Use advanced detection technologies such as those powered by AI and machine learning 

Train and test 

• Regularly train and assess employees in security skills
• Conduct red-team exercises and penetration tests 

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises. 

• Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage. 
• Trend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.  
• Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.  
• Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints. 

Indicators of compromise (IOCs)

For QAKBOT-related samples: