Skip to main content

The Black Basta ransomware has rapidly become a prominent cybersecurity threat, impacting over 500 organizations worldwide across various sectors. This ransomware is particularly notable for its broad targeting strategy and sophisticated execution. It penetrates systems through phishing and exploits, after which it encrypts data and demands a ransom. This detailed article delves into the operational tactics of Black Basta, provides an analysis of its attack patterns, and lists critical Indicators of Compromise (IOCs) that can help in its detection and prevention, aiming to equip entities with the necessary knowledge to defend against such insidious attacks.

Modus Operandi

The Black Basta ransomware group employs a Ransomware-as-a-Service (RaaS) strategy, making it a formidable adversary in the cyber landscape. Their operations begin with sophisticated phishing schemes and the exploitation of known security vulnerabilities to gain unauthorized access to target networks. Once inside, they quickly exfiltrate sensitive data, positioning themselves to make credible threats of leaking this data unless their ransom demands are met. Communication with victims is meticulously managed through the use of unique codes and secure links, maintaining anonymity. Typically, victims are pressured into paying the ransom within a narrow window of 10-12 days, under the threat that their stolen data will be publicly released or sold if they fail to comply. This modus operandi highlights the group’s emphasis on speed and secrecy to maximize the impact of their attacks and the likelihood of ransom payment.

Notable Incidents and Targets

The Black Basta ransomware group has strategically targeted high-profile organizations across various sectors, emphasizing their focus on both impact and visibility. Their operations have disrupted major healthcare providers and critical infrastructure in the U.S., sectors known for holding sensitive data and requiring high uptime. The group’s reach extends beyond national borders with attacks on international corporations like Dish Network, the American Dental Association, Capita in the UK, and the German defense manufacturer Rheinmetall, underscoring their capability to infiltrate diverse and highly secured environments. These incidents highlight the extensive preparation and precision of Black Basta’s operations, aimed at maximizing disruption and ransom potential.

Technical Analysis

In their technical operations, the Black Basta ransomware group has demonstrated a high level of sophistication by exploiting specific, critical vulnerabilities such as CVE-2024-1709 found in ConnectWise’s ScreenConnect. This particular vulnerability allowed for remote code execution, providing the attackers with the ability to gain remote access to an infected system. By exploiting such vulnerabilities, Black Basta could bypass traditional security measures, gaining control over systems without needing physical access or user interaction. This capability made ConnectWise’s ScreenConnect a popular target not only for Black Basta but also for other ransomware groups, illustrating the widespread impact of this security flaw.

Lateral Movement

In their lateral movement tactics, Black Basta affiliates leverage tools like BITSAdmin and PsExec, complemented by Remote Desktop Protocol (RDP), to navigate through compromised networks. Additionally, they utilize remote access tools such as Splashtop and Screen Connect, along with Cobalt Strike beacons, to facilitate movement and maintain access across networked systems. 

Exfiltration& Encryption

In the process of attack execution, Black Basta affiliates initially employ RCIone to extract data before launching encryption procedures. They use PowerShell scripts to deactivate antivirus programs, and sometimes deploy a specialized tool named Backstab to disable endpoint detection and response (EDR) systems. Following the deactivation of security systems, the ChaCha20 encryption algorithm, augmented by an RSA-4096 public key, is used to encrypt files, which are then marked with a “.basta” or a random extension. A ransom note titled “readme.txt” is placed on the system. To hinder recovery efforts, the group utilizes the vssadmin.exe command to erase volume shadow copies.

 

Indicators of Compromise (IOCs)

 

 

Malicious Files Associated with Black Basta Ransomware

Hash Descri ation
0112e3b20872760dda5f658f6b546085f126e803627f0577b294f335ffa5a298 rclone.exe
d3683beca3a40574e5fd68d30451137e4aBbbaca80428ebb781d565d63703856 Winscpexe
8808b47210860d79d16a163449901b45048a10a38€e799054414613009dCCCCC DLL
58ddbea084ce180fb3439219ebcf2f0501605d2f6271610b1c7af77b8d0484bd DLL
39939eaCfb020a26070649944976368860900d97b25926478434f46095bd8ead DLL
5b217807a0fd69ab000ef041f446e04098bbb397946eda3f6755f9d94d530221 DLL
51eb749d6de08baf9d4302f833bd9d4d86eb5206f62ba43b768251a98ce9d3e DLL
d15bfbc181aa080e9faa0502063ef4695009b718596f43ed081ca02ef03110d1 DLL
5942143614d8ed34567ea47202b819777edd25000b361b13b1ae98d7f9e28d43 DLL
056bae760340fe44362ab768f70b2d89d609b39b9ee839f747b2f19d326c3431 DLL
a7b36482b35bca7a143a795074c432ed627d6af35bc64d697fa660faa852f1a6 DLL
86a4dd6be867846b251460d230874e6413589878d27f204482b54cec13400737 DLL
O7117002309410f47a326b5207f17407e63ba5e6ff97277446ef075b862d2799 DLL
9633937e87ff0€608d247feb9b40b7005b830a31597639522155bad726b8e5be ELF
101 b2d7f790750d60a14bd661dae505565f00060a7d03d062adce0da807e1 779 ELF
3600908f0a62010d455f35588ef27817ad35071535f291e434490860b1986b98 ELF
05546b2f‘fa3582b000d558b695060606876f1259041acff2ea047ab78a53e94a EXE
9a55f55886285eef7ffabdd5500232d1458175b1d868003d3e3040e7d98980b0 EXE
62e63388953bb30669b403867a3a02081303320f78133f7fd4a7f230d0939087 EXE
7ad4324ea241782ea859af12094f89f93182236542627e95b641608fb9757059 EXE
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7a008b38d50900bd EXE
90ba27750a04d1308115fa6a90f36503398a8f528097405ad007ae8a6cd630e7 EXE
fafaf’f3d665b26b50057e64b4238980589debOdff0501497a050be1b091b3e08 EXE

 

Hash Descri ation
acb60f0dd19a9a263aaefd3326db8028f546b6b0182ed2d0023170bcb0af6d8f EXE
d73f6e240766ddd603016eff8db50794ab8ab9506a616d4ab2bc96780f13464d EXE
f039eaaced72618eaba699d2985f9610d252305f685d6090217b45b0803614f4 EXE
723d1cf3d74fb30695a77ed9dff257a7808af8€67a82963230dd073781074224 EXE
ae70868713e1d02b4db601280651eb1e3f6a33002544cc4cb5703a3606581b6e EXE
fff35c2d367eef6f1a100585b427a03287f06f4e4460542207abcd62264e435f EXE
df5b004be7171736266b1ad22072fgee4113b95b5d780496a90857977a9fb415 EXE
462bbb8fd7be981293a73efa91e2d88fa90afc7b47431b8227d1957f5d008ba7 EXE
3C50f6369f0938f42d47db29a1f3986754acb238d96fd4b366246a0200b8250a EXE
5d2204f3320e163120f52a2e3595db19890050b2faa9606cb36b094b0a52b0aa EXE
37a50d265f7f555f2f6320368d70553b7aa9601981212921d1a0201 14e662004 EXE
3090a37e591554d7406107df87b3d021bd3059df0b066244eSabef6356783f35 EXE
17879ed4802a2€324d4f5175112f51b75f4383b100b8833082€6ddb7cd817f20 EXE
42f05f5d4a2617b7anbc601dd60053bf974f9a337a8fcc51f9338b108811b78 EXE
882019d1024778613841db975d5e60aaae1482fcf86ba66968193680e980d7d3 EXE
6281886516db1bd89015C30de5932691996b67C2€2b4498986b0f562577fd757 EXE
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e EXE
69192821f8064561Cf9c9cb494a1335841791160b267409bea3e189013103944 EXE
3337a7a900dd06acdd6e3cf4af40d871172d030696fc48787b5743093689622a EXE
17205043189022dfcb278f5cc45c2562f622b0b6280dcd43001d3c274095eb90 EXE
b32daf27aa392d26bdf5faafbaae6b21cd60918d461ff59f548a73d447a96dd9 EXE

Network Indicators

66.249.66[.]18 ngw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
66.249.66[.]18 fy9.39d903085d33882352daa62f4cd30417b36f64c6644a783b9629147a1.
afd8b8a4615358e0313bad80544a1ade8efcecOe80560208eee96c7.b06
d182500247387638851b06b60272b0bd619b709636bc17b093a70.a4689
0f27.588027fa.dns.realbumblebee[.]net
95.181.173[.]227 adslsdfdsfmo[.]world
fy9.36c44903529fa273afff309b7ef323432e223d22ae1d62504a3957d57.0 15C16eff32356bf56604fd359006ff9b2f6e8c587444ecbfc4bcae7.f71995af’f 9e6f22f8daff69d2ad9050ab0928b8f93bb0d42682fd303.445d62118.58802 7fa.dns.realbumblebee[.]net
207.126.152[.]242 kaal.d6597fa.dns.bIOthoday.net nuher.3577125d2a75f6a277fc5714ff5360506af5283d928a66daad6825b9      a.7aaf8bba88534e88e089251C57b01b32207f5207f1a5338930a62a50.cb

b47411f60f658f76cf79d300003bdecfb9e83379f59d80b8494951.e10020f7

7.7fccOeb6.dns.blocktoday[.]net

72.14.196[.]50 .rasapool[.]net, dns.trai|shop[.]net
72.14.196[.]192 .rasapool[.]net
72.14.196[.]2 .rasapool[.]net
72.14.196[.]226 .rasapool[.]net
46.161.27[.]151
207.126.152[.]242 nuher.1d67bbcf4.456d87aa6.2d84dfba.dnS.SpeCia|driIIS[.]Com
185.219.221[.]136
64.176.219[.]106
5.78.115[.]67 your-server[.]de
207.126.152[.]242 xkpaI.1a4a64b6.dns.blocktoday[.]net
46.8.16[.]77
185.7.214[.]79 VPN Server
185.220.100[.]240 Tor exit
107.189.30[.]69 Tor exit
5.183.130[.]92
185.220.101[.]149 Tor exit
188.130.218[.]39

 

188.130.137[.]181
46.8.10[.]134
155.138.246[.]122
80.239.207[.]200 Winklen[.]ch
183.181.86[.]147 Xserver[.]jp
34.149.120[.]3
104.21.40[.]72
34.250.161[.]149
88.198.198[.]90 your-server[.]de; Iiteroved[.]ru
151.101.130[.]159
35.244.153[.]44
35.212.86[.]55
34.251.163[.]236
34.160.81[.]203
34.149.36[.]179
104.21.26[.]145
83.243.40[.]10
35.227.194[.]51
35.190.31[.]54
34.120.190[.]48
116.203.186[.]178
34.160.17[.]71

 

File Indicators 

Filename Hash
C:\Users\PuinC\Audio\Jun.exe b6a4f4097367d90124f51154d8750eaO363812d5b

addeObaf9C5f183bb53dd24

C:\Users\Public\Audio\esx.zip
C:\Users\Puino\Audio\7zG.exe f21240e0bf9f0a391d514e34d4fa24ecb997d93937

9d2260ebce7c693€55f061

C:\Users\Public\Audio\Jun.exe b6a4f4097367d90124f51154d8750€a036a812d5b

addeObaf9C5f183bb53dd24

C:\Users\Public\Audio\72.dII
C:\Users\PubIic\db_Usr.sqI 850161466666142122746333b936098b0f0541328 f37b5612b680466cd020206
C:\Users\PubIiC\Audio\db_Usr.sqI
C:\Users\Public\Audio\hv2.ps1
C:\Users\Public\YzG.exe
C:\Users\Public\72.dII
C:\Users\Public\BitLogic.dII
C:\Users\Public\NetApp.exe 40897334663916762f330bcbf773d534
C:\Users\PubIiC\DataSoft.exe 2642603770006632355718320b472870
C:\Users\Public\BitData.exe b3f623dd47016d00d79003043b0b9526
C:\Users\Public\DigitaIT6xt.dII
C:\Users\PuinC\GeniusMesh.exe
\D6vice\Mup\{redacted}\C$\Users\Public\Musi c\PROCEXP.sys
\D6vice\Mup\{redacted}\C$\Users\Public\Musi

c\DumpNPar5686.6xe

\D6vice\Mup\{redacted}\C$\Users\Public\Musi c\POSTDump.exe
\D6vice\Mup\{redacted}\C$\Users\Public\Musi c\DumpNParse.6xe
C:\Users\Public\socksps.ps1
C:\Users\Public\Thief.exe 034b5f6047920b2a69493451623633b14a85176f5

eeaOc7aadc1106a1730ee79

C:\Users\AII Users\{r6dact6d}\GWT.ps1

C:\Program Files\MonitorIT\GWT.ps1

806882A794BA3D1480AE91BDF9C8D35728975

2A94118B5558418A36D95A5A45F

Winx86.6xe

Comment: alias for cmd.6xe

C:\Users\Public\Audio\Jun.exe b6a4f4097367d90124f51154d8750€a036a812d5b

addeObaf9C5f183bb53dd24

C:\Users\Public\eucr.exe 3C65da7f7bfdaf93006445abbedd9046927d37bb96 3629f34af0338058680407
C:\Windows\DS_c1.dII 808096Cb90b7de7792382706946ff481238029596

35a23bf9d98478ae6a259f9

C:\Windows\DS_c1.dII 3a8ch7cad008eeb8be342452636a75415840303d

4ebff37934ae66f8298d936

C:\Windows\DS_c1.dII 4ac69411ed124daO6ad66ee8bfbcea2f593b5b199 a2038496e1ee24f9d04f34a
C:\Windows\DS_c1.dII 8190b9bcf62be7666db5666a693524070b0df5890

58309b067191b30480b0033

C:\Windows\DS_c1.dII 026a5cb62a780467cc6b6867c7093fbb7b1a96d92

121d4d603f0557ef90881eO

C:\Windows\DS_c1.dII d503090431fdd9909df3451d9b7305737c796da66 b800148b8dc71684623401f
*\instructions_read_me.txt

 

Known Black Basta Cobalt Strike Domains

 

trailshop[.]net 5/8/2024 6:37
realbumblebee[.]net 5/8/2024 6:37
recentbee[.]net 5/8/2024 6:37
investrealtydom[.]net 5/8/2024 6:37
webnubee[.]com 5/8/2024 6:37
artspathgroup[.]net 5/8/2024 6:37
buyblocknow[.]com 5/8/2024 6:37
currentbee[.]net 5/8/2024 6:37
modernbeem[.]net 5/8/2024 6:37
startupbusinessZ4[.]net 5/8/2024 6:37
magentoengineers[.]com 5/8/2024 6:37

 

childrensdolls[.]com 5/8/2024 6:37
myfinancialexperts[.]com 5/8/2024 6:37
Iimitedtoday[.]com 5/8/2024 6:37
kekeoamigo[.]com 5/8/2024 6:37
nebraska-Iawyers[.]com 5/8/2024 6:37
tomlawcenter[.]com 5/8/2024 6:37
thesmartcloudusa[.]com 5/8/2024 6:37
rasapool[.]net 5/8/2024 6:37
artspathgroupe[.]net 5/8/2024 6:37
specialdrills[.]com 5/8/2024 6:37
thetrailbig[.]net 5/8/2024 6:37
consulheartinc[.]com 3/22/2024 15:35
otxcosmeticscare[.]oom 13/15/2024 10:14
otxcarecosmetics[.]oom 13/15/2024 10:14
artstrailman[.]com 3/15/202410:14
ontexcare[.]com 3/15/202410:14
trackgroup[.]net 13/15/2024 10:14
businessprofessionalIIc[.]com 3/15/202410:14
securecloudmanage[.]com 3/7/2024 10:42
oneblackwood[.]com 3/7/2024 10:42
buygreenstudio[.]com 3/7/2024 10:42
startupbuss[.]com 3/7/2024 10:42
onedogsclub[.]com 3/4/2024 18:26
wipresolutions[.]com 3/4/2024 18:26
recentbeelive[.]com 3/4/2024 18:26
trailcocompany[.]com 3/4/2024 18:26
trailcosolutions[.]com 3/4/2024 18:26
artstrailreviews[.]com 3/4/2024 18:26
usaglobalnews[.]com 2/15/2024 5:56

 

topglobaltv[.]com 2/15/2024 5:56
startupmartec[.]net 2/15/2024 5:56
technologgies[.]com 1/2/2024 18:16
jenshol[.]com 1/2/2024 18:16
simorten[.]com 1/2/2024 18:16
investmentgblog[.]net 1/2/2024 18:16
protectionek[.]com 1/2/2024 18:16

Suspected Black Basta Domains

 

airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com

 

jessvisser[.]com
karmafisker[.]oom
koIiniIeas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com

 

Mitigation Strategies

To effectively counter cyber threats like Black Basta, organizations should implement comprehensive security measures. Key among these is the deployment of phishing-resistant multi-factor authentication (MFA). MFA should be rigorously applied not only on main systems but also on all ancillary access points to create multiple layers of security hurdles for potential attackers. In terms of remote access, securing connections is paramount; this can be achieved by implementing robust VPN solutions with strong encryption standards, coupled with stringent access controls that verify user identities and restrict access based on predefined roles. Additionally, network defenses need to be fortified. This includes the deployment of advanced firewalls, intrusion detection systems, and conducting regular security audits to detect vulnerabilities early. Regular penetration testing can also simulate attack scenarios to test the effectiveness of existing security measures. Engaging specialized incident response firms enhances these strategies by providing expert analysis and rapid response capabilities, ensuring that breaches can be contained quickly and efficiently while also facilitating recovery and learning from incidents to strengthen future defenses.

 

Conclusion

The rapid ascent of Black Basta as a formidable ransomware threat underscores the critical need for targeted and robust cybersecurity measures. To effectively counter this specific threat, organizations must prioritize the implementation of advanced security protocols such as phishing-resistant multi-factor authentication and encrypted remote access. Additionally, it’s crucial to enhance network defenses through comprehensive monitoring, frequent security audits, and employing adaptive firewalls and intrusion detection systems tailored to the unique signatures of Black Basta. Engaging with expert incident response teams will also ensure rapid containment and recovery, providing essential insights into strengthening defenses against future attacks. Our recommendation is to maintain an aggressive posture in cybersecurity hygiene and threat intelligence to stay ahead of ransomware groups like Black Basta, adapting swiftly to their evolving tactics and techniques.

 

 

 

Source for this article: The Cybersecurity and Infrastructure Security Agency (CISA) [advisory page](https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware).