Unit 42, Palo Alto Networks' malware analysis team, has released a report detailing the Black Basta ransomware group, which first appeared in April 2022 and has been on the rise ever since.
Since the ransomware emerged, the group's members have been very active in distributing it and extorting companies. The attackers run a cybercrime marketplace and blog where the group lists its victims' names, descriptions, the percentage of stolen data already published, the number of visits, and any data exfiltrated.
Black Basta runs its own leak page
Although the members have only been active for a few months, according to the information published on their leak site, they have already compromised more than 75 companies and institutions. Other key findings from the Palo Alto Networks investigation include:
- The RaaS uses double extortion as part of its attacks.
- Data from at least 20 victims was published on the leak site in the first two weeks of the ransomware's deployment.
- The group has reportedly targeted several large companies in the consumer and industrial products, energy, resources and agriculture, manufacturing, utilities, transportation, government, professional services and consulting, and real estate sectors.
Black Basta - a summary
Black Basta is ransomware as a service (RaaS) that first appeared in April 2022. However, there is evidence that it has been in development since February. Black Basta operators use a double extortion technique. Not only do they encrypt files on target systems and demand ransoms for decryption, they also maintain a leak site on the dark web where they threaten to release sensitive information if a victim doesn't pay the ransom. Black Basta's partners have been very active in spreading Black Basta and extorting businesses since the ransomware first appeared. Although they have only been active for a few months, according to the information published on their leak site, they have already infected over 75 companies and institutions at the time of this publication. Unit 42 has also worked on several Black Basta cases.
Black Basta encrypts only parts of files
The ransomware is written in C++ and targets both Windows and Linux systems. It encrypts users' data with a combination of ChaCha20 and RSA-4096. To speed up encryption, the ransomware encrypts files in 64-byte chunks and leaves 128 bytes of data unencrypted between the encrypted sections. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses kick in, which is a crucial factor that partners look for when joining a ransomware-as-a-service group.
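A defender-side triage heuristic for the layout just described, added here as an example and not taken from the Unit 42 report: it scans a file for 64-byte high-entropy chunks separated by 128-byte low-entropy gaps, the signature a partially encrypted document leaves behind. The report does not state at what offset the pattern starts, so every alignment is tried; the entropy threshold, the CSV filler and the pseudo-random fixture are assumptions made for this example.

```python
import hashlib
import math
from collections import Counter

CHUNK, GAP = 64, 128      # bytes encrypted / bytes left in clear per period (from the report)
STRIDE = CHUNK + GAP      # 192-byte period of the pattern

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def alignment_scan(data: bytes):
    """Try every alignment of the 64/128 pattern (the report does not say where it starts).
    Returns (phase, mean chunk entropy, mean gap entropy) for the widest separation, or None."""
    best = None
    for phase in range(STRIDE):
        offs = range(phase, len(data) - STRIDE + 1, STRIDE)
        if not offs:
            continue
        chunk_mean = sum(shannon_entropy(data[o:o + CHUNK]) for o in offs) / len(offs)
        gap_mean = sum(shannon_entropy(data[o + CHUNK:o + STRIDE]) for o in offs) / len(offs)
        if best is None or chunk_mean - gap_mean > best[1] - best[2]:
            best = (phase, chunk_mean, gap_mean)
    return best

def looks_intermittently_encrypted(data: bytes, threshold: float = 5.0):
    """(True, phase) when the best alignment shows high-entropy chunks over low-entropy gaps.
    A fully encrypted file fails (its gaps are high-entropy too); an untouched file fails too."""
    best = alignment_scan(data)
    if best and best[1] >= threshold and best[2] < threshold:
        return True, best[0]
    return False, None

# Constructed fixtures, not real victim files: low-entropy CSV text, and a copy in which
# 64 of every 192 bytes are overwritten with deterministic pseudo-random bytes (assumed layout).
PLAIN = (b"id,2022-04-20,invoice,paid\n" * 200)[:STRIDE * 20]

def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def overwrite_pattern(plain: bytes, phase: int = 0) -> bytes:
    """Replace 64 of every 192 bytes, starting at `phase`, with pseudo-random bytes."""
    buf = bytearray(plain)
    for off in range(phase, len(buf) - CHUNK + 1, STRIDE):
        buf[off:off + CHUNK] = pseudo_random(CHUNK, seed=off)
    return bytes(buf)
```

The reported phase tells a forensic analyst where the first encrypted chunk sits, which is useful when judging how much of a document is recoverable from the clear gaps.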
QBot serves as an entry point
Palo Alto Networks' Unit 42 has observed the Black Basta ransomware group using QBot as its initial entry point and for lateral movement across compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking Trojan and evolved into a malware dropper. It has also been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer, and Egregor. While those groups used QBot for initial access only, the Black Basta group was observed using QBot both for initial access and to spread laterally within the network.
More attacks will follow
Since the Black Basta attacks in 2022 were global and recurring, it is likely that the operators and/or their affiliated partners behind the service will continue to target and extort businesses. It is also possible that this is not a new operation but a reboot of a previous ransomware group that brought its partners with it. Due to numerous similarities in tactics, techniques, and procedures, such as victim-shaming blogs, recovery portals, negotiation tactics, and how quickly Black Basta accumulated victims, the group could include current or former members of the Conti group. More information on this analysis, which follows other recent ransomware studies such as Blue Sky and Cuba, is available online from Palo Alto Networks' Unit 42.
About Palo Alto Networks
Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.