The Black Basta ransomware has rapidly become a prominent cybersecurity threat, impacting over 500 organizations worldwide across various sectors. This ransomware is particularly notable for its broad targeting strategy and sophisticated execution. It penetrates systems through phishing and exploits, after which it encrypts data and demands a ransom. This detailed article delves into the operational tactics of Black Basta, provides an analysis of its attack patterns, and lists critical Indicators of Compromise (IOCs) that can help in its detection and prevention, aiming to equip entities with the necessary knowledge to defend against such insidious attacks.
Modus Operandi
The Black Basta ransomware group employs a Ransomware-as-a-Service (RaaS) strategy, making it a formidable adversary in the cyber landscape. Their operations begin with sophisticated phishing schemes and the exploitation of known security vulnerabilities to gain unauthorized access to target networks. Once inside, they quickly exfiltrate sensitive data, positioning themselves to make credible threats of leaking this data unless their ransom demands are met. Communication with victims is meticulously managed through the use of unique codes and secure links, maintaining anonymity. Typically, victims are pressured into paying the ransom within a narrow window of 10-12 days, under the threat that their stolen data will be publicly released or sold if they fail to comply. This modus operandi highlights the group’s emphasis on speed and secrecy to maximize the impact of their attacks and the likelihood of ransom payment.
Notable Incidents and Targets
The Black Basta ransomware group has strategically targeted high-profile organizations across various sectors, emphasizing their focus on both impact and visibility. Their operations have disrupted major healthcare providers and critical infrastructure in the U.S., sectors known for holding sensitive data and requiring high uptime. The group’s reach extends beyond national borders with attacks on international corporations like Dish Network, the American Dental Association, Capita in the UK, and the German defense manufacturer Rheinmetall, underscoring their capability to infiltrate diverse and highly secured environments. These incidents highlight the extensive preparation and precision of Black Basta’s operations, aimed at maximizing disruption and ransom potential.
Technical Analysis
In their technical operations, the Black Basta ransomware group has demonstrated a high level of sophistication by exploiting specific, critical vulnerabilities such as CVE-2024-1709 found in ConnectWise’s ScreenConnect. This particular vulnerability allowed for remote code execution, providing the attackers with the ability to gain remote access to an infected system. By exploiting such vulnerabilities, Black Basta could bypass traditional security measures, gaining control over systems without needing physical access or user interaction. This capability made ConnectWise’s ScreenConnect a popular target not only for Black Basta but also for other ransomware groups, illustrating the widespread impact of this security flaw.
Lateral Movement
In their lateral movement tactics, Black Basta affiliates leverage tools like BITSAdmin and PsExec, complemented by Remote Desktop Protocol (RDP), to navigate through compromised networks. Additionally, they utilize remote access tools such as Splashtop and Screen Connect, along with Cobalt Strike beacons, to facilitate movement and maintain access across networked systems.
Exfiltration& Encryption
In the process of attack execution, Black Basta affiliates initially employ RCIone to extract data before launching encryption procedures. They use PowerShell scripts to deactivate antivirus programs, and sometimes deploy a specialized tool named Backstab to disable endpoint detection and response (EDR) systems. Following the deactivation of security systems, the ChaCha20 encryption algorithm, augmented by an RSA-4096 public key, is used to encrypt files, which are then marked with a “.basta” or a random extension. A ransom note titled “readme.txt” is placed on the system. To hinder recovery efforts, the group utilizes the vssadmin.exe command to erase volume shadow copies.
Indicators of Compromise (IOCs)
Malicious Files Associated with Black Basta Ransomware
| Hash | Descri ation |
| 0112e3b20872760dda5f658f6b546085f126e803627f0577b294f335ffa5a298 | rclone.exe |
| d3683beca3a40574e5fd68d30451137e4aBbbaca80428ebb781d565d63703856 | Winscpexe |
| 8808b47210860d79d16a163449901b45048a10a38€e799054414613009dCCCCC | DLL |
| 58ddbea084ce180fb3439219ebcf2f0501605d2f6271610b1c7af77b8d0484bd | DLL |
| 39939eaCfb020a26070649944976368860900d97b25926478434f46095bd8ead | DLL |
| 5b217807a0fd69ab000ef041f446e04098bbb397946eda3f6755f9d94d530221 | DLL |
| 51eb749d6de08baf9d4302f833bd9d4d86eb5206f62ba43b768251a98ce9d3e | DLL |
| d15bfbc181aa080e9faa0502063ef4695009b718596f43ed081ca02ef03110d1 | DLL |
| 5942143614d8ed34567ea47202b819777edd25000b361b13b1ae98d7f9e28d43 | DLL |
| 056bae760340fe44362ab768f70b2d89d609b39b9ee839f747b2f19d326c3431 | DLL |
| a7b36482b35bca7a143a795074c432ed627d6af35bc64d697fa660faa852f1a6 | DLL |
| 86a4dd6be867846b251460d230874e6413589878d27f204482b54cec13400737 | DLL |
| O7117002309410f47a326b5207f17407e63ba5e6ff97277446ef075b862d2799 | DLL |
| 9633937e87ff0€608d247feb9b40b7005b830a31597639522155bad726b8e5be | ELF |
| 101 b2d7f790750d60a14bd661dae505565f00060a7d03d062adce0da807e1 779 | ELF |
| 3600908f0a62010d455f35588ef27817ad35071535f291e434490860b1986b98 | ELF |
| 05546b2f‘fa3582b000d558b695060606876f1259041acff2ea047ab78a53e94a | EXE |
| 9a55f55886285eef7ffabdd5500232d1458175b1d868003d3e3040e7d98980b0 | EXE |
| 62e63388953bb30669b403867a3a02081303320f78133f7fd4a7f230d0939087 | EXE |
| 7ad4324ea241782ea859af12094f89f93182236542627e95b641608fb9757059 | EXE |
| 350ba7fca67721c74385faff083914ecdd66ef107a765dfb7a008b38d50900bd | EXE |
| 90ba27750a04d1308115fa6a90f36503398a8f528097405ad007ae8a6cd630e7 | EXE |
| fafaf’f3d665b26b50057e64b4238980589debOdff0501497a050be1b091b3e08 | EXE |
| Hash | Descri ation |
| acb60f0dd19a9a263aaefd3326db8028f546b6b0182ed2d0023170bcb0af6d8f | EXE |
| d73f6e240766ddd603016eff8db50794ab8ab9506a616d4ab2bc96780f13464d | EXE |
| f039eaaced72618eaba699d2985f9610d252305f685d6090217b45b0803614f4 | EXE |
| 723d1cf3d74fb30695a77ed9dff257a7808af8€67a82963230dd073781074224 | EXE |
| ae70868713e1d02b4db601280651eb1e3f6a33002544cc4cb5703a3606581b6e | EXE |
| fff35c2d367eef6f1a100585b427a03287f06f4e4460542207abcd62264e435f | EXE |
| df5b004be7171736266b1ad22072fgee4113b95b5d780496a90857977a9fb415 | EXE |
| 462bbb8fd7be981293a73efa91e2d88fa90afc7b47431b8227d1957f5d008ba7 | EXE |
| 3C50f6369f0938f42d47db29a1f3986754acb238d96fd4b366246a0200b8250a | EXE |
| 5d2204f3320e163120f52a2e3595db19890050b2faa9606cb36b094b0a52b0aa | EXE |
| 37a50d265f7f555f2f6320368d70553b7aa9601981212921d1a0201 14e662004 | EXE |
| 3090a37e591554d7406107df87b3d021bd3059df0b066244eSabef6356783f35 | EXE |
| 17879ed4802a2€324d4f5175112f51b75f4383b100b8833082€6ddb7cd817f20 | EXE |
| 42f05f5d4a2617b7anbc601dd60053bf974f9a337a8fcc51f9338b108811b78 | EXE |
| 882019d1024778613841db975d5e60aaae1482fcf86ba66968193680e980d7d3 | EXE |
| 6281886516db1bd89015C30de5932691996b67C2€2b4498986b0f562577fd757 | EXE |
| 0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e | EXE |
| 69192821f8064561Cf9c9cb494a1335841791160b267409bea3e189013103944 | EXE |
| 3337a7a900dd06acdd6e3cf4af40d871172d030696fc48787b5743093689622a | EXE |
| 17205043189022dfcb278f5cc45c2562f622b0b6280dcd43001d3c274095eb90 | EXE |
| b32daf27aa392d26bdf5faafbaae6b21cd60918d461ff59f548a73d447a96dd9 | EXE |
Network Indicators
| 66.249.66[.]18 | ngw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net |
| 66.249.66[.]18 | fy9.39d903085d33882352daa62f4cd30417b36f64c6644a783b9629147a1. afd8b8a4615358e0313bad80544a1ade8efcecOe80560208eee96c7.b06 d182500247387638851b06b60272b0bd619b709636bc17b093a70.a4689 0f27.588027fa.dns.realbumblebee[.]net |
| 95.181.173[.]227 | adslsdfdsfmo[.]world |
| fy9.36c44903529fa273afff309b7ef323432e223d22ae1d62504a3957d57.0 15C16eff32356bf56604fd359006ff9b2f6e8c587444ecbfc4bcae7.f71995af’f 9e6f22f8daff69d2ad9050ab0928b8f93bb0d42682fd303.445d62118.58802 7fa.dns.realbumblebee[.]net | |
| 207.126.152[.]242 | kaal.d6597fa.dns.bIOthoday.net nuher.3577125d2a75f6a277fc5714ff5360506af5283d928a66daad6825b9 a.7aaf8bba88534e88e089251C57b01b32207f5207f1a5338930a62a50.cb
b47411f60f658f76cf79d300003bdecfb9e83379f59d80b8494951.e10020f7 7.7fccOeb6.dns.blocktoday[.]net |
| 72.14.196[.]50 | .rasapool[.]net, dns.trai|shop[.]net |
| 72.14.196[.]192 | .rasapool[.]net |
| 72.14.196[.]2 | .rasapool[.]net |
| 72.14.196[.]226 | .rasapool[.]net |
| 46.161.27[.]151 | |
| 207.126.152[.]242 | nuher.1d67bbcf4.456d87aa6.2d84dfba.dnS.SpeCia|driIIS[.]Com |
| 185.219.221[.]136 | |
| 64.176.219[.]106 | |
| 5.78.115[.]67 | your-server[.]de |
| 207.126.152[.]242 | xkpaI.1a4a64b6.dns.blocktoday[.]net |
| 46.8.16[.]77 | |
| 185.7.214[.]79 | VPN Server |
| 185.220.100[.]240 | Tor exit |
| 107.189.30[.]69 | Tor exit |
| 5.183.130[.]92 | |
| 185.220.101[.]149 | Tor exit |
| 188.130.218[.]39 |
| 188.130.137[.]181 | |
| 46.8.10[.]134 | |
| 155.138.246[.]122 | |
| 80.239.207[.]200 | Winklen[.]ch |
| 183.181.86[.]147 | Xserver[.]jp |
| 34.149.120[.]3 | |
| 104.21.40[.]72 | |
| 34.250.161[.]149 | |
| 88.198.198[.]90 | your-server[.]de; Iiteroved[.]ru |
| 151.101.130[.]159 | |
| 35.244.153[.]44 | |
| 35.212.86[.]55 | |
| 34.251.163[.]236 | |
| 34.160.81[.]203 | |
| 34.149.36[.]179 | |
| 104.21.26[.]145 | |
| 83.243.40[.]10 | |
| 35.227.194[.]51 | |
| 35.190.31[.]54 | |
| 34.120.190[.]48 | |
| 116.203.186[.]178 | |
| 34.160.17[.]71 |
File Indicators
| Filename | Hash |
| C:UsersPuinCAudioJun.exe | b6a4f4097367d90124f51154d8750eaO363812d5b
addeObaf9C5f183bb53dd24 |
| C:UsersPublicAudioesx.zip | |
| C:UsersPuinoAudio7zG.exe | f21240e0bf9f0a391d514e34d4fa24ecb997d93937
9d2260ebce7c693€55f061 |
| C:UsersPublicAudioJun.exe | b6a4f4097367d90124f51154d8750€a036a812d5b
addeObaf9C5f183bb53dd24 |
| C:UsersPublicAudio72.dII | |
| C:UsersPubIicdb_Usr.sqI | 850161466666142122746333b936098b0f0541328 f37b5612b680466cd020206 |
| C:UsersPubIiCAudiodb_Usr.sqI | |
| C:UsersPublicAudiohv2.ps1 | |
| C:UsersPublicYzG.exe | |
| C:UsersPublic72.dII | |
| C:UsersPublicBitLogic.dII | |
| C:UsersPublicNetApp.exe | 40897334663916762f330bcbf773d534 |
| C:UsersPubIiCDataSoft.exe | 2642603770006632355718320b472870 |
| C:UsersPublicBitData.exe | b3f623dd47016d00d79003043b0b9526 |
| C:UsersPublicDigitaIT6xt.dII | |
| C:UsersPuinCGeniusMesh.exe | |
| D6viceMup{redacted}C$UsersPublicMusi cPROCEXP.sys | |
| D6viceMup{redacted}C$UsersPublicMusi
cDumpNPar5686.6xe |
|
| D6viceMup{redacted}C$UsersPublicMusi cPOSTDump.exe | |
| D6viceMup{redacted}C$UsersPublicMusi cDumpNParse.6xe | |
| C:UsersPublicsocksps.ps1 | |
| C:UsersPublicThief.exe | 034b5f6047920b2a69493451623633b14a85176f5
eeaOc7aadc1106a1730ee79 |
| C:UsersAII Users{r6dact6d}GWT.ps1
C:Program FilesMonitorITGWT.ps1 |
806882A794BA3D1480AE91BDF9C8D35728975
2A94118B5558418A36D95A5A45F |
| Winx86.6xe
Comment: alias for cmd.6xe |
|
| C:UsersPublicAudioJun.exe | b6a4f4097367d90124f51154d8750€a036a812d5b
addeObaf9C5f183bb53dd24 |
| C:UsersPubliceucr.exe | 3C65da7f7bfdaf93006445abbedd9046927d37bb96 3629f34af0338058680407 |
| C:WindowsDS_c1.dII | 808096Cb90b7de7792382706946ff481238029596
35a23bf9d98478ae6a259f9 |
| C:WindowsDS_c1.dII | 3a8ch7cad008eeb8be342452636a75415840303d
4ebff37934ae66f8298d936 |
| C:WindowsDS_c1.dII | 4ac69411ed124daO6ad66ee8bfbcea2f593b5b199 a2038496e1ee24f9d04f34a |
| C:WindowsDS_c1.dII | 8190b9bcf62be7666db5666a693524070b0df5890
58309b067191b30480b0033 |
| C:WindowsDS_c1.dII | 026a5cb62a780467cc6b6867c7093fbb7b1a96d92
121d4d603f0557ef90881eO |
| C:WindowsDS_c1.dII | d503090431fdd9909df3451d9b7305737c796da66 b800148b8dc71684623401f |
| *instructions_read_me.txt |
Known Black Basta Cobalt Strike Domains
| trailshop[.]net | 5/8/2024 6:37 |
| realbumblebee[.]net | 5/8/2024 6:37 |
| recentbee[.]net | 5/8/2024 6:37 |
| investrealtydom[.]net | 5/8/2024 6:37 |
| webnubee[.]com | 5/8/2024 6:37 |
| artspathgroup[.]net | 5/8/2024 6:37 |
| buyblocknow[.]com | 5/8/2024 6:37 |
| currentbee[.]net | 5/8/2024 6:37 |
| modernbeem[.]net | 5/8/2024 6:37 |
| startupbusinessZ4[.]net | 5/8/2024 6:37 |
| magentoengineers[.]com | 5/8/2024 6:37 |
| childrensdolls[.]com | 5/8/2024 6:37 |
| myfinancialexperts[.]com | 5/8/2024 6:37 |
| Iimitedtoday[.]com | 5/8/2024 6:37 |
| kekeoamigo[.]com | 5/8/2024 6:37 |
| nebraska-Iawyers[.]com | 5/8/2024 6:37 |
| tomlawcenter[.]com | 5/8/2024 6:37 |
| thesmartcloudusa[.]com | 5/8/2024 6:37 |
| rasapool[.]net | 5/8/2024 6:37 |
| artspathgroupe[.]net | 5/8/2024 6:37 |
| specialdrills[.]com | 5/8/2024 6:37 |
| thetrailbig[.]net | 5/8/2024 6:37 |
| consulheartinc[.]com | 3/22/2024 15:35 |
| otxcosmeticscare[.]oom | 13/15/2024 10:14 |
| otxcarecosmetics[.]oom | 13/15/2024 10:14 |
| artstrailman[.]com | 3/15/202410:14 |
| ontexcare[.]com | 3/15/202410:14 |
| trackgroup[.]net | 13/15/2024 10:14 |
| businessprofessionalIIc[.]com | 3/15/202410:14 |
| securecloudmanage[.]com | 3/7/2024 10:42 |
| oneblackwood[.]com | 3/7/2024 10:42 |
| buygreenstudio[.]com | 3/7/2024 10:42 |
| startupbuss[.]com | 3/7/2024 10:42 |
| onedogsclub[.]com | 3/4/2024 18:26 |
| wipresolutions[.]com | 3/4/2024 18:26 |
| recentbeelive[.]com | 3/4/2024 18:26 |
| trailcocompany[.]com | 3/4/2024 18:26 |
| trailcosolutions[.]com | 3/4/2024 18:26 |
| artstrailreviews[.]com | 3/4/2024 18:26 |
| usaglobalnews[.]com | 2/15/2024 5:56 |
| topglobaltv[.]com | 2/15/2024 5:56 |
| startupmartec[.]net | 2/15/2024 5:56 |
| technologgies[.]com | 1/2/2024 18:16 |
| jenshol[.]com | 1/2/2024 18:16 |
| simorten[.]com | 1/2/2024 18:16 |
| investmentgblog[.]net | 1/2/2024 18:16 |
| protectionek[.]com | 1/2/2024 18:16 |
Suspected Black Basta Domains
| airbusco[.]net |
| allcompanycenter[.]com |
| animalsfast[.]net |
| audsystemecll[.]net |
| auuditoe[.]com |
| bluenetworking[.]net |
| brendonline[.]com |
| businesforhome[.]com |
| caspercan[.]com |
| clearsystemwo[.]net |
| cloudworldst[.]net |
| constrtionfirst[.]com |
| erihudeg[.]com |
| garbagemoval[.]com |
| gartenlofti[.]com |
| getfnewsolutions[.]com |
| getfnewssolutions[.]com |
| investmendvisor[.]net |
| investmentrealtyhp[.]net |
| ionoslaba[.]com |
| jessvisser[.]com |
| karmafisker[.]oom |
| koIiniIeas[.]com |
| maluisepaul[.]com |
| masterunix[.]net |
| monitor-websystem[.]net |
| monitorsystem[.]net |
| mytrailinvest[.]net |
| prettyanimals[.]net |
| reelsysmoona[.]net |
| seohomee[.]com |
| septcntr[.]com |
| softradar[.]net |
| startupbizaud[.]net |
| startuptechnologyw[.]net |
| steamteamdev[.]net |
| stockinvestlab[.]net |
| taskthebox[.]net |
| trailgroupl[.]net |
| treeauwin[.]net |
| unitedfrom[.]com |
| unougn[.]com |
| wardeli[.]com |
| welausystem[.]net |
| wellsystemte[.]net |
| withclier[.]com |
Mitigation Strategies
To effectively counter cyber threats like Black Basta, organizations should implement comprehensive security measures. Key among these is the deployment of phishing-resistant multi-factor authentication (MFA). MFA should be rigorously applied not only on main systems but also on all ancillary access points to create multiple layers of security hurdles for potential attackers. In terms of remote access, securing connections is paramount; this can be achieved by implementing robust VPN solutions with strong encryption standards, coupled with stringent access controls that verify user identities and restrict access based on predefined roles. Additionally, network defenses need to be fortified. This includes the deployment of advanced firewalls, intrusion detection systems, and conducting regular security audits to detect vulnerabilities early. Regular penetration testing can also simulate attack scenarios to test the effectiveness of existing security measures. Engaging specialized incident response firms enhances these strategies by providing expert analysis and rapid response capabilities, ensuring that breaches can be contained quickly and efficiently while also facilitating recovery and learning from incidents to strengthen future defenses.
Conclusion
The rapid ascent of Black Basta as a formidable ransomware threat underscores the critical need for targeted and robust cybersecurity measures. To effectively counter this specific threat, organizations must prioritize the implementation of advanced security protocols such as phishing-resistant multi-factor authentication and encrypted remote access. Additionally, it’s crucial to enhance network defenses through comprehensive monitoring, frequent security audits, and employing adaptive firewalls and intrusion detection systems tailored to the unique signatures of Black Basta. Engaging with expert incident response teams will also ensure rapid containment and recovery, providing essential insights into strengthening defenses against future attacks. Our recommendation is to maintain an aggressive posture in cybersecurity hygiene and threat intelligence to stay ahead of ransomware groups like Black Basta, adapting swiftly to their evolving tactics and techniques.
Source for this article: The Cybersecurity and Infrastructure Security Agency (CISA) [advisory page](https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware).
