Ransomware Roundup – Black Basta | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Black Basta ransomware.

Affected platforms: Microsoft Windows, VMWare ESXi servers
Impacted parties: Microsoft Windows and ESXi Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Black Basta Ransomware Overview

Over the past few months, Black Basta ransomware has made headlines for allegedly compromising high-profile European and North American organizations across a variety of industries, such as outsourcing, technology, and manufacturing.

The history of Black Basta ransomware dates back to at least April 2022, with a professional organizations company in the United States being one of its first victims. Since then, Black Basta has slowly expanded their operations, with the group allegedly compromising and stealing data from a US government contractor and a US aerospace and defense company in late 2022.

This ransomware is considered a successor to the now-defunct Conti ransomware because some former Conti members are believed to be in the Black Basta group. Some also believe there is a potential connection between Black Basta and the Fin7 threat actor due to the groups’ similar Tactics, Techniques, and Procedures (TTPs).

Black Basta operates a Ransomware-as-a-Service (RaaS) model, in which the developers offer a service such as ransomware, an infrastructure for payment processing and ransom negotiation, and technical support to its affiliates. Once an affiliate gets a victim to pay a ransom, the Black Basta operator receives a portion. Affiliates are responsible for selecting their targets, moving laterally across a victims’ network (often by using tools supplied by ransomware operators, leveraging dual-use tools, and employing living-off-the-land tactics), stealing data, and deploying the ransomware. Tools reportedly used by Black Basta threat affiliates include PsExec, Windows Management Instrumentation (WMI), PowerShell, Netcat, BITSAdmin, BCDEdit, SystemBC, Mimikatz, ColbaltStrike, Brute Ratel C4, remote access tools, and RClone.

Before deploying the ransomware to compromised networks, Black Basta attackers install and configure the open-source file-transfer utility “RClone” to steal the data that they collected. The stolen data is then used for their double-extortion scheme, where the files are leaked to the public if a victim fails to meet the ransom demands.

The Black Basta ransomware was initially only supported on Windows platforms. However, the Black Basta developer released a new variant targeting ESXi systems in 2022. The group also updated and released Black Basta ransomware 2.0, which reportedly incorporates a new encryption algorithm.

Note that FortiGuard Labs previously released a Threat Signal for Black Basta ransomware on May 2^nd, 2022:

Infection Vector

Black Basta has been seen to use techniques from spearphishing to purchasing access through Initial Access Brokers (IABs) to gain initial access. Access has also been obtained using malware from other groups, such as QakBot (QBot). The exploitation of the PrintNightmare (CVE-2021-34527) and Follina (CVE-2022-30190) vulnerabilities have also been reported.

More details on CVE-2021-34527 and CVE-2022-30190 are available as Outbreak Alerts previously released by FortiGuard Labs:

Ransomware Execution

FortiGuard Labs is aware that the ransomware component of Black Basta has been compiled as a Windows executable, more recently as a Windows DLL, and additionally as a Linux executable

Windows Executable and DLL

The functionality between the two versions is identical, as is the final step in the attack chain.

Black Basta has been observed using the XChaCha20 stream cipher  (https://en.wikipedia.org/wiki/ChaCha20-Poly1305) to encrypt its files. This is built into the software using the Crypto++ C++ library (https://www.cryptopp.com/).

Files are encrypted quickly using multi-threading, with the file extension for encrypted files being unique for each ransomware build.

The ransom note is assembled and dropped into each directory that includes files that have been encrypted. Note in Figure 6 that the Login ID (the ID used by the threat actor to identify the victim when they make contact) is hardcoded into the ransomware, which suggests some customization for a particular victim.

The ransom note labeled “Instructions_read_me.txt” is automatically opened in Notepad so the victim can easily see it.

The note demands that the victim use Tor to contact the ransomware gang = at a specified “.onion” site. Instructions for downloading and installing the Tor browser are provided. It also suggests that the victim not contact a recovery company or outside ransom negotiators.

Linux Executable

Black Basta has also developed a Linux executable primarily designed to target VMWare ESXi deployments rather than more general individual Linux systems. This can be easily shown by running the ransomware on a non-ESXi deployment. When executed, the malware will be unable to locate the “/vmfs/volumes/” directory and be unable to run. This directory (VMFS is the “Virtual Machine File System,” and “volumes” is where VM disk images reside, which would be the main target of the ransomware). If that folder is then put in place, it will execute (although nothing will occur on a non-ESXi host).

The Linux version of Black Basta has several command line flags that suggest it is designed to be executed by an individual who has remote access to a victim ESXi server.

Again, executing in a non-ESXi environment fails. However, it allows for the tracing of the event in assembly.

The “-killesxi” command triggers a fairly involved Bash sequence, as shown in Figure 12 below.

As ESXi installations are the primary focus of the Black Basta Linux variant, it is only interested in four related file types for encryption: “.vmsd”, “.vmx”, “vmxf”, and “vmdk”.

As with the Windows version, the Linux version of Black Basta hardcodes the file extension for encrypted files into the code for deployment, and it changes from file to file.

Whether using the “-forcepath” command line flag to encrypt a single, non-standard directory with files of interest or the default location of “/vmfs/volumes/”, this version will encrypt files as efficiently as the Windows version.

The ransom note for the Linux version of Black Basta is identical to the Windows version. Again, the victim must contact the gang at a specified “.onion” site.

Black Basta Tor Sites

As the ransom notes above show, the Black Basta threat actors want their victims to contact them at a specific Tor address. Once there, the site requires the visitor to enter their “Login ID” from the ransom note to identify the organization they’re from, along with the completion of a captcha to prevent automated connections.

In addition to the communication site, Black Basta operates a “name and shame” Tor site titled “Basta News”.

This site provides the group’s “proof” that it has compromised a given organization, publication status, and visitor count.

Victimology

During our investigation, Black Basta’s data leak site listed more than 200 victims in North America and Europe. More than 60% of the alleged victims are U.S. organizations. Distant second place belongs to Germany at 15%, followed by Canada at close to 6%.

We divided the victim list into four groups: older victims to newer victims. While the oldest victim group spreads across 12 countries, the second and third group victims include only eight countries. The latest victim group has only six countries (U.S., Germany, Canada, Italy, UK, Slovenia), which may indicate that Black Basta affiliates have narrowed the target list.

As for its targeted industries, more than 25% of the victims listed on the leak site are in manufacturing, construction, service, and retail. However, 50% of the victims are in those four industries. Other affected sectors include legal, warehouse, finance, and IT.

Based on what’s in the data leak site, over 80% of the victims suffered from some or all of their stolen data being leaked to the public.

Fortinet Protections

Fortinet customers are already protected from this malware variant through AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Black Basta ransomware variants with the following AV signatures:

• W32/BlackBasta.A!tr.ransom
• W32/BlackBasta.D!tr.ransom
• W32/BlackBasta.F!tr.ransom
• W32/BlackBasta.FA18!tr.ransom
• W32/BlackBasta.PA!tr.ransom
• W32/BlackBasta.SA!tr.ransom
• W32/BlackBasta.4E32!tr.ransom
• W32/Filecoder_BlackBasta.A!tr.ransom
• W32/Filecoder_BlackBasta.B!tr
• W32/Filecoder_BlackBasta.B!tr.ransom
• W32/Filecoder_BlackBasta.C!tr
• W32/Filecoder_BlackBasta.C!tr.ransom
• W32/Filecoder_BlackBasta.D!tr.ransom
• W32/Filecoder_BlackBasta.E!tr.ransom
• W32/Filecoder_BlackBasta.F!tr
• W32/Filecoder_BlackBasta.F!tr.ransom
• W32/Filecoder_BlackBasta_AGen.A!tr
• W32/Filecoder_BlackBasta_AGen.A!tr.ransom
• W32/Ransom.YXDADZ!tr.ransom
• W32/Ransom_Win64_BASTACRYPT.LKVCAGU!tr.ransom
• W32/Ransom_Win64_BASTACRYPT.YXDCXZ
• W64/BlackBasta.A!tr.ransom
• W64/BlackBasta.F!tr.ransom
• W64/Filecoder_BlackBasta.A!tr.ransom
• ELF/BASTAD.GVYD!tr.ransom
• ELF/BlackBasta.6018!tr.ransom
• ELF/BlackBasta.D3E1!tr.ransom
• Linux/Filecoder_BlackBasta.A!tr
• W32/Filecoder.4556!tr.ransom
• W32/Filecoder.506B!tr.ransom
• W32/Filecoder.OKW!tr
• W32/Filecoder.OMT!tr.ransom
• W32/GenKryptik.GBPY!tr.ransom
• W32/GenKryptik.GBRK!tr.ransom
• W32/GenKryptik.GCPP!tr.ransom
• W32/GenKryptik.GDSS!tr.ransom
• W32/GenKryptik.GFPG!tr.ransom
• W32/GenKryptik.GJNV!tr
• W32/Kryptik.ATLI!tr.ransom
• W32/Kryptik.CTJIRHO!tr.ransom
• W32/Kryptik.FKXJ!tr
• W32/Kryptik.FYBKLIK!tr
• W32/Kryptik.HOZJ!tr
• W32/Kryptik.HPRO!tr
• W32/Kryptik.HRKT!tr.ransom
• W32/Kryptik.HSAH!tr
• W32/Kryptik.HSSE!t
• W32/Kryptik.HSSE!tr
• W32/Kryptik.HSSE!tr.ransom
• W32/Kryptik.HTEE!tr
• W32/Kryptik.HTIE!tr
• W32/Kryptik.HTMN!tr
• W64/GenKryptik.GEJW!tr
• W32/ESQF.R002C0DC423!tr
• W64/REntS.1!tr.ransom
• W32/Generik.MJIYVEE!tr
• W32/Generik.NPGU!tr.ransom
• W32/PossibleThreat
• W32/PossibleThreat!tr.ransom
• Malicious_Behavior.SB
• PossibleThreat
• W32/Malicious_Behavior.SBX
• W32/Malicious_Behavior.VEX

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

The following IPS signatures are in place for CVE-2021-34527 and CVE-2022-30190 respectively:

• MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation
• MS.MSDT.URL.Protocol.Remote.Code.Execution

FortiEDR detects and blocks the execution of Black Basta ransomware before it can execute.

FortiEDR detects and blocks Black Basta ransomware from deleting volume shadow copies using the vssadmin utility with a security event triggered by the ‘Suspicious Applicaiton’ rule within the Ransomware Prevention security policy.

FortiEDR detects and blocks Black Basta ransomware from encyrpting files within the “file Encryptor – Suspicious File Modification” rule in the Ransomware Prevention security policy.

FortiEDR detects and blocks Black Basta ransomware from changing the desktop background a ‘Modify OS Setting’ event triggered by the ‘Unconfirmed Executable’ rule in the Ransomware Prevention security policy.

Note: If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

File-based IOCs:

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

• The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
• Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.