By Peter Stollery

Understanding Black Basta RaaS: Threats and Mitigation Strategies

Understanding Black Basta RaaS: Threats and Mitigation Strategies

Introduction

Black Basta is a ransomware group and ransomware as a service (RaaS) criminal group who first appeared in April 2022. They quickly became known across the globe as one of the most active RaaS threat actors. Black Basta make money from their own exploitation's and by selling their services (RaaS) to others on the dark web.

What is ransomware? For those who don't know, ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Like holding a person for ransom in a kidnapping, Black Basta could lock your data, services or the likes and hold them for ransom until you pay a fee. Following this, you may have the question what is RaaS? RaaS is when the ransomware provider sells or leases their ransomware variants. It is a business model simply put.

It is important to keep up-to-date with all new cyber threats in an attempt to keep your company proactively preventing/mitigating the chances of compromise. It can also keep help reduce the impact if you were to be attacked as you may have a playbook set up for their expected strategies and it could be a requirement based on regulations.

This blog post will attempt to give some background information on Black Basta, followed by technical analysis, a threat assessment, prevention and mitigation strategies, legal and regulatory considerations and finally a conclusion.

Background Information

As mentioned earlier, Black Basta are a ransomware operating gang whom also provide RaaS. They came onto the scene in early 2022 and had racked up a few prominent enterprise victims in just a few months. As of May 2024, Black Basta has compromised over 500 organisations. Notable victims of Black Basta include: Capita (UK technology outsourcer), ABB (Swiss industrial automation company), Dish Network (US television provider) and American Dental Association, to name a few. The majority of Black Basta's targets have been in the US (57.3%) followed by the UK (12.3%) and the top targeted sectors have been the Business sector (32.4%) and Manufacturing sector (16.3%).

Number of Public Victims by Week. Source: Flashpoint

Technical Analysis

Note: This technical analysis will use Mitre ATT&CK Framwork version 15.

Initial Access

Black Basta are known for using spearphishing campaigns [T1566]. The spearphishing attacks are said, by cybersecurity researchers, to have used the Qakbot malware in order to get backdoor access. Along with the use of valid credentials [T1078] to gain initial access, these credentials would been acquired from Initial Access Brokers (IABs).

In February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190].

Researchers at SentinelLabs mention one of the most interesting initial access observations to be a DLL hijacking exploit in calc.exe. This would be a Qakbot DLL which 'obtains a persistent foothold in the victim environment by setting a scheduled task which references a malicious PowerShell stored in the registry, acting as a listener and loader.' [1]

The ransomware text shown following encryption. Source: MinervaLabs

Discovery & Execution

Affiliates of the Black Basta Ransomware group often use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. SentinelOne's cybersecurity researchers note that they use inconspicuous directories such as 'Intel' or 'Dell', created in the root drive C:\. [1]

Lateral Movement

Black Basta group uses tools like BITSAdmin, Cobalt Strike, PsExec, RDP, Screen Connect, and Splashtop to move laterally in the compromised network. [2].

Privilege Escalation

In order to get credentials to use in privilege escalation, tools like mimikatz are used. Affiliates are known to take advantage of existing vulnerabilities in ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 & CVE-2021-42287) and PrintNightmare (CVE-2021-34527). These vulnerabilites target local and Windows Active Domain privilege escalation.

Exfiltration & Encryption

Kroll researchers have noted that prior to exfiltration, the affiliates have used PowerShell commands to disable EDR/XDR services in place. A variety of batch scripts could have been used including scripts to disable Microsoft Defender, disable Windows Defender Monitoring and/or remove Microsoft Defender [T1562.001]. Kroll have further identified Black Basta's choice of exfiltration tool as Rclone. [3] While TrendMicro note that Black Basta use Cobeacon to exfiltrate the stolen data on an established command-and-control (C&C) server. [4] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. When encrypted the files have 'a .basta' or random extension added to them and the ransom note is in a readme.txt (see below, source: Kroll) file left for the victim.

Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
<redacted tor link>

Your company id for log in: <redacted>

If there is no interaction between the victim and the threat actor, company information and data will be listed on the Black Basta site for release.

Prevention & Mitigation

As mentioned in the technical analysis section of this blog, Black Basta gain their initial access mainly through credential harvesting/phishing campaigns. Therefore, it is of utmost importance to have some simple security controls in place. These can include but are not limited to:

  1. Employee Education/Training - Employee's need to be aware of what phishing emails may look like, what clicking on malicious links may result in, the danger of opening malicious attachments and other threats. If employees are unsure if a link/attachment is malicious, it is important to report so a member of the security team can run either in a sandbox and see what happens when clicking or opening the link or attachment.
  2. Implement Strong Passwords - These passwords should be strong and unique. It is far too often that we see credential harvesters providing credentials for a user's account of X software/social media etc. that are the same as the credentials used for a work network. This lack of unique passwords make it easier for threat actors to gain access to your account and therefore they just need to laterally move to be in control of an entire network. This lateral movement can be easier than initial access to an admin account as companies may have legacy applications for example that they accept the risk on as they are not externally facing.
  3. Enable Multi-Factor Authentication - Multi-factor authentication is just another layer of defense. This can be done through an authenticator app such as Google/Microsoft Authenticator and requires both something you know (password) and something you have (your phone). In some cases, it can be worth incorporating the something you are (biometric) authentication just to add further layers of security.
  4. Update and Patch Systems - Organisations should regularly be updating and patching systems to fix any known vulnerabilities. This is so very important for the external facing systems as these vulnerabilites can provide a gateway for threat actors to access your data. Further to this, it is important to disable any unneeded services as they are just increasing the attack surface area unnecessarily.
  5. Implement Backup and Disaster Recovery - This point is a mitigation strategy and is important if Black Basta (or any other threat actor) gain access to your systems. It can be critical to have these backup and disaster recovery processes in place so that you can recover from a ransomware attack. Backups should be created regularly and checked to ensure that they work and can be restored quickly and easily.
  6. Endpoint Detection and Response (EDR) - Having an EDR solution set up is extremely valuable as it can provide insights in areas that the human eye may not be able to spot. Behavioural analysis and anomaly detection are definitely important tools within the EDR which can provide this value. EDR tools can monitor patterns of behaviour such as rapid opening and closing of files (this can suggest encryption is taking place) or perhaps just notice differences between what is going on and baseline activity (which may be a false positive or may be a threat actor at work). While you may put controls in place, it is important to ensure that you test these controls. [5]

It is crucial to understand the legal and regulatory implications of a ransomware attack. Key legal considerations include:

  • Data Breach Notifications: This may form part of a company's policies requiring notification of affected individuals and regulatory boards within a specified timeframe.
  • Financial Penalties: Fines may be imposed for failing to protect sensitive data securely.
  • Reputational Damage: Being known as a victim of a ransomware attack can harm relationships with customers, clients, and vendors.

Accompanying these legal aspects are various regulatory frameworks and standards:

  • General Data Protection Regulation (GDPR) (EU): Applies to any organisation handling the data of EU citizens, mandating robust data protection measures.
  • Health Insurance Portability and Accountability Act (HIPAA) (US): Requires healthcare providers, insurers, and related entities to protect personal health information (PHI).
  • Payment Card Industry Data Security Standard (PCI DSS): Affects all organisations that store, process, or transmit cardholder data, ensuring that these activities are conducted securely.

Understanding and complying with these regulations is vital for minimising legal risks and maintaining the trust of all stakeholders.

How to Report a Ransomware/Black Basta Incident

No one hopes to experience a ransomware incident, but it is crucial to know the appropriate steps to take should it unfortunately occur. Here are the key actions to follow:

  1. Internal Assessment: Conduct a thorough assessment to understand the scope and impact of the breach. This knowledge is vital before any external communication.
  2. Notify Local Law Enforcement: Report the incident to your local law enforcement agency. They can provide immediate assistance and guidance on how to manage the situation.
  3. Contact a Cybersecurity Centre: Many countries have dedicated cybersecurity centres. In the US, it is the Cybersecurity and Infrastructure Security Agency (CISA); in the UK, the National Cyber Security Centre (NCSC); and in Europe, Europol. These organisations can offer support and strategic advice.
  4. Inform Relevant Regulatory Bodies: As previously mentioned, it is important to communicate with the regulatory bodies relevant to your organisation. This ensures compliance with legal obligations and can aid in managing the aftermath of the incident.
  5. Engage with Legal Counsel: Understanding the legal implications is crucial. Engaging with legal counsel will help ensure that all actions comply with the law and help mitigate potential legal consequences.

Conclusion

Since Black Basta emerged in early 2022, they have wreaked havoc across various industries, impacting over 500 organisations worldwide. Not only does Black Basta directly perpetrate ransomware attacks, but they also licence their ransomware to affiliates, amplifying the threat landscape.

Key Takeaways:

  1. Understanding and Vigilance: Gaining a deep understanding of Black Basta's tactics is crucial for defending your environments. Their methods, including spearphishing, credential harvesting, and exploiting vulnerabilities, can cause significant damage. Awareness is the first step towards protection.
  2. Robust Security Measures: Building on the knowledge of Black Basta's techniques, it's vital to implement robust security measures. These should include strong, unique passwords, enabling multi-factor authentication, keeping systems updated and patched, and disabling unnecessary services. Employee awareness training is also critical to reinforce these security protocols.
  3. Legal and Regulatory Compliance: Adherence to relevant regulations, whether it's PCI DSS, GDPR, or other frameworks, is essential. Compliance helps prevent severe penalties and damage to public relations in the event of an attack.

By adopting a comprehensive approach to security that combines technological solutions and human factor considerations, organisations can effectively shield themselves from the evolving tactics of ransomware groups like Black Basta, thereby minimising the potential impact of their attacks.

References:

[1] SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

[2] PicusSecurity: Black Basta Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-131A

[3] Kroll: Black Basta - Technical Analysis

[4] TrendMicro: Ransomware Spotlight - Black Basta

[5] CISA and Partners: Joint Cybersecurity Advisory - #StopRansomware: BlackBasta

Previous

Mastercard Cybersecurity Virtual Experience Program

 Next

I wrote a keylogger with Python