Black Basta

Black Basta’s operational methods highlight their adaptability and willingness to exploit both technical vulnerabilities and human factors to achieve their goals. Understanding these tactics can help organizations bolster their defenses against such sophisticated threats.

Is Your Organization Safe from Black Basta's Attacks?

The origin of Black Basta

Black Basta is a ransomware-as-a-service (RaaS) variant first identified in April 2022. The group operates by encrypting and exfiltrating data from their victims, and they have been active across North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally, including at least 12 out of 16 critical infrastructure sectors, with a significant focus on the Healthcare and PublicHealth (HPH) Sector.

Some researchers speculate that Black Basta could be related to other criminal groups like FIN7 and Conti, based on similarities in tactics, techniques, and procedures (TTPs).

Source: OCD

Targets

Blackbasta's targets

Countries targeted by Blackbasta

Black Basta's operations span multiple regions, with significant incidents reported in the United States, Germany, the United Kingdom, Canada, and Australia. These regions are often targeted due to their high-value industries and critical infrastructure.

Graph source: Incibe

Industries targeted by Blackbasta

Black Basta has targeted a wide range of industries, notably the Healthcare and Public Health (HPH) sector due to its critical nature and reliance on technology. Other affected sectors include finance, manufacturing, and information technology.

Graph source: SocRadar

Industries targeted by Blackbasta

Black Basta has targeted a wide range of industries, notably the Healthcare and Public Health (HPH) sector due to its critical nature and reliance on technology. Other affected sectors include finance, manufacturing, and information technology.

Graph source: SocRadar

Blackbasta's victims

While specific names of recent victims might not always be publicly available due to privacy and security concerns, we count more than 439 victims including major companies and institutions in the sectors mentioned above. Recent reports have indicated attacks on healthcare systems, large manufacturing firms, and financial institutions.

Source: ransomware.live

Attack Method

Blackbasta's attack method

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

Black Basta affiliates typically use spearphishing emails and exploit known vulnerabilities such as CVE-2024-1709. They have also been known to abuse valid credentials to gain initial access. malware.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

Tools like Mimikatz are used for credential scraping, while vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278, CVE-2021-42287), and PrintNightmare (CVE-2021-34527) are exploited to escalate privileges.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

The group employs masquerading tactics by using innocuous file names, such as Intel or Dell. They also deploy tools likeBackstab to disable endpoint detection and response (EDR) systems, and use PowerShell to disable antivirus products.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.

Black Basta affiliates use credential scraping tools like Mimikatz and exploit known vulnerabilities to gain administrative access and escalate privileges within the network.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.

Network scanning tools such as SoftPerfect Network Scanner are used to map out the network and identify key systems and data stores.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.

The group uses tools like BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, and Cobalt Strike to move laterally across networks.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.

Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.

Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.

Tools such as RClone are used to exfiltrate data to actor-controlled servers. This data is often used as leverage to pressure victims into paying the ransom.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

The ransomware encrypts files using a ChaCha20 algorithm with an RSA-4096 public key, adding a .basta or random extension to file names. Ransom notes left on compromised systems instruct victims to contact the group via a Tor site.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

Black Basta affiliates typically use spearphishing emails and exploit known vulnerabilities such as CVE-2024-1709. They have also been known to abuse valid credentials to gain initial access. malware.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

Tools like Mimikatz are used for credential scraping, while vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278, CVE-2021-42287), and PrintNightmare (CVE-2021-34527) are exploited to escalate privileges.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

The group employs masquerading tactics by using innocuous file names, such as Intel or Dell. They also deploy tools likeBackstab to disable endpoint detection and response (EDR) systems, and use PowerShell to disable antivirus products.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access

Black Basta affiliates use credential scraping tools like Mimikatz and exploit known vulnerabilities to gain administrative access and escalate privileges within the network.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery

Network scanning tools such as SoftPerfect Network Scanner are used to map out the network and identify key systems and data stores.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement

The group uses tools like BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, and Cobalt Strike to move laterally across networks.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection

Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution

Before encryption, data is collected and prepared for exfiltration. This may involve compressing files or staging data in preparation for transfer.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration

Tools such as RClone are used to exfiltrate data to actor-controlled servers. This data is often used as leverage to pressure victims into paying the ransom.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

The ransomware encrypts files using a ChaCha20 algorithm with an RSA-4096 public key, adding a .basta or random extension to file names. Ransom notes left on compromised systems instruct victims to contact the group via a Tor site.

MITRE ATT&CK Mapping

TTPs used by Black Basta

Black Basta employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:

TA0001: Initial Access
T1566
Phishing
T1190
Exploit Public-Facing Application
T1078
Valid Accounts
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
T1543
Create or Modify System Process
T1547
Boot or Logon Autostart Execution
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0004: Privilege Escalation
T1543
Create or Modify System Process
T1068
Exploitation for Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0005: Defense Evasion
T1027
Obfuscated Files or Information
T1562
Impair Defenses
T1078
Valid Accounts
TA0006: Credential Access
T1110
Brute Force
T1056
Input Capture
T1003
OS Credential Dumping
TA0007: Discovery
T1082
System Information Discovery
TA0008: Lateral Movement
T1077
Remote Services: SMB/Windows Admin Shares
TA0009: Collection
T1005
Data from Local System
TA0011: Command and Control
No items found.
TA0010: Exfiltration
T1041
Exfiltration Over C2 Channel
T1020
Automated Exfiltration
TA0040: Impact
T1485
Data Destruction
T1486
Data Encrypted for Impact
Platform Detections

How to Detect Black Basta with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is Blackbasta Ransomware?

Blackbasta is a sophisticated ransomware group that emerged in April 2022. They use double extortion tactics, encrypting victims' data and threatening to release sensitive information if the ransom is not paid.

How does Blackbasta typically gain initial access to a network?

Blackbasta often gains initial access through phishing emails containing malicious attachments or links, exploiting vulnerabilities in public-facing applications, and using malicious advertisements or drive-by downloads.

What industries are most frequently targeted by Blackbasta?

Blackbasta targets a wide range of industries, including healthcare, manufacturing, finance, legal, education, government, and information technology.

Which countries are most affected by Blackbasta attacks?

Blackbasta primarily targets organizations in the United States, Canada, United Kingdom, Germany, France, and Australia, though they have a global reach.

What are some of the known tactics, techniques, and procedures (TTPs) used by Blackbasta?

Blackbasta employs various TTPs such as phishing (T1566), command and scripting interpreter (T1059), credential dumping (T1003), disabling security tools (T1562), and data encrypted for impact (T1486).

How does Blackbasta escalate privileges within a compromised network?

Blackbasta escalates privileges by exploiting unpatched software vulnerabilities and using tools like Mimikatz to extract credentials from memory.

What methods does Blackbasta use to evade detection?

Blackbasta uses obfuscation techniques, disables security tools, employs living off the land (LotL) tactics, and utilizes legitimate software and tools to evade detection.

How does Blackbasta move laterally within a network?

Blackbasta uses Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and remote services to move laterally within a network.

What are the typical stages of a Blackbasta ransomware attack?

The stages include initial access, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, execution, exfiltration, and impact.

What preventive measures can organizations take to protect against Blackbasta ransomware?

Organizations can protect against Blackbasta by implementing robust email filtering, patching vulnerabilities promptly, using multi-factor authentication, conducting regular security training for employees, monitoring for unusual activity, maintaining up-to-date backups, and deploying Extended Detection and Response (XDR) systems to identify and respond to threats quickly.