Black Basta’s emergence as a prominent Ransomware as a Service (RaaS) threat actor reflects the evolving landscape of cybercrime. Its affiliations with groups like Conti and FIN7 highlight the complex relationships within the cybercriminal ecosystem.Â
In this comprehensive article, we will explore the Black Basta ransomware variant in detail, and provide information on the indicators of compromise (IOC) associated with the group’s activity.Â
It’s essential to understand which industries the ransomware targets and have some insight into how it operates to improve your cybersecurity and ransomware defense.Â
Black Basta ransomware overview
Black Basta, also known as BlackBasta, is a formidable ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged on the cybercrime scene in early 2022. The group quickly established itself as one of the most active RaaS threat actors globally, gaining notoriety for its sophisticated tactics and successful targeting of prominent enterprises.Â
The ransomware operates with a double extortion tactic, encrypting critical data and threatening to publish sensitive information on its public leak site if the victim refuses to pay the ransom.
Black Basta encrypts files using a 64-byte keystream generated with the XChaCha20 algorithm, known for its robust security and efficiency.Â
By exploiting a flaw in the encryption routine, the ransomware reused the same keystream during encryption, enabling the extraction of the encryption key. The unique encryption scheme prepends each file with a 133-byte ephemeral NIST P-521 public key, making recovery possible if the plaintext of 64 encrypted bytes is known. The 133-byte ephemeral NIST P-521, is utilized within the BlackBasta 2.0 ransomware.Â
Security Research Labs (SRLabs) identified a flaw in Black Basta’s encryption algorithm, allowing the creation of a decryptor known as “Black Basta Buster.” This tool exploited the encryption key extraction process, enabling several victims to potentially recover files for free.Â
How to identify Black Basta ransomware: Main IOCs
Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. It includes the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave as they infect a machine or system.Â
But, if you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if the Black Basta ransomware is the malware that encrypts your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
Black Basta ransomware-specific IOCs include:
File Extensions
- .basta (for newer versions)
- .ransom (for older versions)
Ransom Note
- readme.txtÂ
How Black Basta ransomware works
As with most ransomware, Black Basta has several steps during its attacks before encrypting data and dropping the ransom note.
Initial Access
Black Basta gains initial access to a target system through various means. This can include phishing emails, exploiting vulnerabilities in software or networks, or purchasing access from initial access brokers.
The ransomware targets organizations in healthcare, government, financial services, education, and media. including those in the United States, Japan, Canada, the United Kingdom, Australia, and New Zealand. Black Basta has been known for its highly targeted attacks rather than a widespread approach.
Network Lateral Movement
Once inside the network, Black Basta moves laterally to other devices. The ransomware group has been observed partnering with other malware operations to drop tools like Cobalt Strike for remote access on corporate networks.
Black Basta uses various tactics, including the use of QakBot stealer, MimiKatz, and exploiting Windows Management Instrumentation (WMI) API for credential harvesting. This allows the attackers to escalate privileges and move within the network.
Encryption and Double Extortion Tactic
Encrypted files receive a new extension, typically “.basta” for newer versions and “.ransom” for older versions. A ransom note, commonly named “readme.txt,” is placed on the victim’s desktop, containing instructions on how to pay the ransom.
Black Basta employs a double extortion tactic. In addition to encrypting files, the attackers exfiltrate sensitive data from the victim’s system. If the ransom is not paid, they threaten to publish the stolen data on their public leak site.
Important: Do not pay the ransom. Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities. Check our in-depth article on what happens if you pay the ransom.
How to handle a Black Basta ransomware attack
It is important to note that handling a ransomware attack can be complex and requires expertise. Therefore, it is recommended to seek professional help from a reputable data recovery service, such as Proven Data to help you recover your data and remove the ransomware from your system.
You can also report the attack to law enforcement agencies, such as the FBI, and cybersecurity organizations to help prevent future attacks and catch the perpetrators.
We strongly recommend contacting cybersecurity services to handle ransomware attacks. Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.
Notable attacks by Black Basta ransomware
In a recent attack, the Toronto Public Library, which serves as Canada’s largest public library system, fell victim to the Black Basta ransomware. As a critical public infrastructure component, the attack on the Toronto Public Library disrupted essential library services, including access to digital resources, patron information systems, and other critical functions.
Black Basta often establishes a public leak site where they publish information about their victims and samples of the stolen data as a form of pressure to compel payment. Victims who do not comply with the ransom demands risk having their sensitive information exposed on these platforms.
In response to the attack, the Toronto Public Library engaged in incident response and mitigation efforts. This involved collaboration with cybersecurity experts, and law enforcement agencies.
How to prevent ransomware attacks
Preventing Black Basta ransomware attacks is always the best cybersecurity tactic. If you are a recent victim, you must follow these tips to avoid a new ransomware attack:
Keep your software up to date
Regularly update your operating system and programs to uphold security standards. Reputable OS providers will consistently check their software for vulnerabilities and patch up their security standards to protect against newly detected threats.
Use reputable antivirus software
Employ reputable antivirus software to bolster protection against malware significantly, and regularly check that it is updated. You can also check your network for vulnerabilities and learn where you need to improve your security system.
Be cautious of suspicious emails
Even though there are no known cases of Black Basta using phishing as an attack method, it’s important to exercise caution when dealing with emails from unfamiliar or dubious origins. Refrain from opening files or clicking on links within emails that you are not expecting or seem suspicious.
Do not download cracked software
Cracked software is the term used to describe illicitly modified or pirated versions of commercial software, typically distributed without proper authorization or licensing. Cybercriminals frequently conceal their ransomware executables within cracked software distribution websites, leading users to unwittingly download and execute the malware.
Backup your data
Regularly back up your data to an external hard drive or cloud storage service to prevent complete data loss in case of a ransomware attack. A highly recommended strategy for data loss prevention is the 3-2-1 backup strategy.
The 3-2-1 backup strategy involves creating three total copies of your data: two on different media and one offsite, ensuring redundancy and protection against data loss. And at least one copy offsite to prevent loss due to natural disasters or other local incidents.
Educate yourself and your teams
Educate yourself and your employees about the risks of ransomware and how to avoid it, such as avoiding suspicious emails or downloads.
Consult cybersecurity professionals
Proven Data offers cyber security services to help you keep your data protected against threat actors. From vulnerability assessment to ensure your systems and servers do not have open doors for cyber attacks, to Incident Response (IR) services for immediate response in case of a successful attack.
We also have the option of managed detection and response (MDR) services that help organizations improve their security posture, minimize risk, and protect sensitive data and assets.