ReversingLabs’ YARA detection rule for Black Basta can help you find this ransomware in your environment.
ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.
In this series, we break down some of the threats behind our YARA detection rules that can help your organization to detect threats within your environment.
Black Basta: A Prolific Operation
The Black Basta ransomware group was first discovered in April 2022, but evidence suggests that the group has been in development since February 2022. Since the group’s first string of attacks in April, Black Basta has been highly active and has successfully attacked an estimated 100 organizations, based on public reports. Researchers suspect that the group’s quick rise to success reflects an operation that has recycled its parts from another, now defunct ransomware group.
Black Basta functions similarly to other ransomware gangs. It is a ransomware-as-a-service (RaaS) that uses the double extortion technique, in which they not only encrypt files and demand ransoms from victims, but also steal data from victims which they threaten to sell or publish via a dark web leak site, “Basta News.”
A Laundry List of Victims
Since its inception, Black Basta has been active and successful in targeting a large number of organizations across industries. In late April of last year, Black Basta managed to breach at least 12 organizations across the globe within the span of a few weeks, ranging from systems belonging to the American Dental Association to Deutsche Windtechnik, a company in the renewable energy sector. One of the group’s early victims was asked to pay a $2 million ransom in order to get their files decrypted and prevent their data from being released, reports BleepingComputer.
Months later, researchers at Malwarebytes found that Black Basta successfully targeted 25 companies in October 2022, making it one of the most successful ransomware groups in 2022.
In attacks in late 2022, Black Basta was found using Qakbot, a type of malware, to target U.S.-based companies. Using Qakbot allowed the attackers to create an initial point of entry and move laterally within an organization’s network, according to researchers at Cybereason. More than 10 different customers were targeted by this campaign in just two weeks.
The group has also targeted critical infrastructure organizations in recent months. In November, 2022 for example, Black Basta targeted Maple Leaf Foods, a Canadian meat giant. After gaining access to Maple Leaf’s network and critical systems, Black Basta posted screenshots of technical documents, financial information and other sensitive files on their “Basta News” site. The company had to shut down their operations as a result of the attack, possibly impacting the food distribution supply chain in North American and Asian countries.
Deploying the Ransomware
Researchers at Unit 42 say Black Basta is written in C++ and is cross-platform ransomware that impacts both Windows and Linux systems. By using anti-analysis techniques, the ransomware is able to avoid execution and detection in sandbox environments.
In order to quickly encrypt all of the files on a network, the ransomware encrypts in chunks of 64 bytes. The ransomware also tries to delete shadow copies or file backups using a command-line tool that manages Volume Shadow Copy Service. A jpg. file is then used to overwrite the desktop background of an infected computer with a message that reads, “your network is encrypted by the Black Basta group,” according to Unit 42.
Victims of the ransomware then find entire systems encrypted, with files given the extension .basta.
Researchers at TrendMicro believe that Black Basta members likely use stolen credentials in the early stages of attacks. These are likely purchased in darknet websites or underground forums, allowing the attackers to gain access to a victim’s system.
Rising From the Ashes of Conti?
Several researchers believe that Black Basta did not start from scratch. Based on their research, Unit 42 suspects that Black Basta could include current or former members of Conti (also known by the names TrickBot, Wizard Spider and Ryuk). Conti is another ransomware group that went dark not long after its private chats were leaked by a pro-Ukrainian member of the gang as retaliation for Conti siding with Russia’s war in Ukraine.
Prior to Black Basta, Conti was considered to be one of the most successful ransomware groups, outlasting many other gangs that did not survive in 2022. In Episode 2 of ConversingLabs, a ReversingLabs podcast, ransomware expert Yelisey Boguslavskiy gave insight into Conti’s operations. His take was that Conti’s success was thanks to how they operated like a legitimate business, and said that “even if they disappear, they will come back stronger.” Nine months later, Conti has now lowered its profile and activity, while Black Basta has risen in popularity and success at the same time.
Unit 42’s reasoning behind this connection is based on the similarities found in the tactics, techniques and procedures (TTPs) between Conti and Black Basta. Those include the use of victim-shaming blogs, recovery portals, negotiation tactics, and the high number of quickly amassed victims. MalwareHunterTeam also suspects that Black Basta is derivative of Conti, noting that the two groups’ leak sites, payment sites, as well as rhetoric and behavior are highly similar.
Based on these researchers’ assumptions, it is possible that Boguslavskiy was correct in saying that Conti would never really go away, but simply reconstitute and “come back stronger.”
Detecting Black Basta
Considering the recent spring of attacks caused by Black Basta, it is more important than ever for organizations to stay vigilant and defend themselves against this ransomware threat.
ReversingLabs’ Black Basta YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.
Download the Black Basta YARA Rule from our GitHub page here:
Win32.Ransomware.BlackBasta.yara
To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.
The Work Doesn’t Stop Here
ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware, or to schedule a demonstration.
- Tags:
- Yara Rules