blog.minerva-labs.com
2606:2c40::c73c:67e2
Public Scan
URL:
https://blog.minerva-labs.com/new-black-basta-ransomware-hijacks-windows-fax-service
Submission: On May 31 via api from US — Scanned from DE
Form analysis
2 forms found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1903456/f9af80dc-2f7c-42b0-bff2-c78565d18e42
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1903456/32e6cc55-79e9-48c8-ab17-6c8df464e74e
Text Content
NEW BLACK BASTA RANSOMWARE HIJACKS WINDOWS FAX SERVICE

May 02, 2022 | Natalie Zargarov

The Black Basta ransomware was first observed in mid-April 2022, but had already caused substantial damage to over ten organizations. This new ransomware became more public after leaking data of the American Dental Association, from which the Black Basta gang was able to exfiltrate 2.9 GB of data.

Black Basta ransomware must be executed with Administrator privileges, otherwise this ransomware is harmless. This means that the threat actor needs to remain undetected inside the organization’s network for quite some time in order to gain privileged access, or use stolen credentials (a number of darknet websites offer a large amount of these for sale).

Black Basta begins by checking whether any parameters were passed. The only parameter that this ransomware accepts is “-forcepath”, which we assume, if passed, restricts encryption to the specified path only. However, in dynamic analysis with a specific path selected, no differences in the encryption routine were observed.

Next, the ransomware deletes shadow copies by executing the “C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet” command.

Black Basta drops two files, dlaksjdoiwq.jpg and fkdjsadasd.ico, in the user Temp folder. dlaksjdoiwq.jpg is a desktop wallpaper that directs the victim to read the ransom note; the ransomware sets it using the SystemParametersInfoW API call:

Figure 1 - Set Desktop Wallpaper

Figure 2 - New Wallpaper

Next, the ransomware assigns the second dropped file (fkdjsadasd.ico) as a custom icon to all files with the “.basta” extension. The icon is assigned by creating and setting a new registry key, “HKEY_CLASSES_ROOT\.basta\DefaultIcon”:

Figure 3 - Assigning custom icon

Now comes the interesting part: the persistence mechanism of the Black Basta ransomware is implemented by “stealing” an existing service name, deleting the service, and then creating a new service with the same (“stolen”) name. In our sample, the legitimate service whose name was stolen is “FAX”:

Figure 4 - "New" Service

Before the encryption routine begins, the ransomware checks the system boot configuration by using the GetSystemMetrics API call. It then adds “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax” to enable the Fax service to run in safe mode:

Figure 5 - Safe Boot Configuration

After all configurations are set, the ransomware reboots the PC in safe mode with networking by executing the “bcdedit /set safeboot network” command:

Figure 6 - Reboot in safe mode

Due to the reboot mode change performed by the ransomware earlier, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption.

Like most ransomware these days, Black Basta first enumerates volumes and drops a readme.txt file, a surprisingly short ransom note (maybe because the initial presentation is done in the desktop wallpaper) containing a data publication threat, the TOR website address of the gang, and a company ID. This note is written to every folder as part of the encryption routine.

Figure 7 - Ransom Note

The encryption process runs in several threads simultaneously to speed up the encryption, despite high CPU usage:

Figure 8 - 92.83% CPU usage

When the encryption is finished, the ransomware reboots the PC in normal mode.

It would seem that every sample is created for a specific company, as a company ID is hardcoded into the ransom note, as well as a public key. Recent victims of this ransomware include Deutsche Windtechnik and the American Dental Association.

This article focuses only on the final stages of the Black Basta ransomware, which occur only after the attacker has achieved initial access and has managed to perform substantial lateral movement within the network.

Minerva’s Anti-Ransomware solution recognizes attempts to bypass security measures in order to remain undetected, and uses these very methods to prevent them from ever starting the attack.

Resources:
* https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/

IOCs:
* 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa - The Black Basta ransomware
* A70F03BEB3A8246595EAB83935227914 - dlaksjdoiwq.jpg - desktop wallpaper
* eb07a24f63d7f56fb13e34dd60e45a4c8522c32892c8be7dca7d3f742fa86b0a - fkdjsadasd.ico - .basta custom icon