New Black Basta ransomware springs into action with a dozen breaches
A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks.
The first known Black Basta attacks occurred in the second week of April, as the operation quickly began attacking companies worldwide.
While ransom demands likely vary between victims, one victim received a demand of over $2 million from the Black Basta gang to decrypt files and not leak data.
Not much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums.
However, due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Steals data before encrypting
Like other enterprise-targeting ransomware operations, Black Basta will steal corporate data and documents before encrypting a company’s devices.
This stolen data is then used in double-extortion attacks, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim’s stolen data.
The data extortion part of these attacks is conducted on the ‘Black Basta Blog’ or ‘Basta News’ Tor site, which contains a list of all victims who have not paid a ransom. Black Basta will slowly leak data for each victim to try and pressure them into paying a ransom.
When executed, the Black Basta encryptor needs to be run with administrative privileges, or it will not encrypt files. Once launched, the encryptor will delete Volume Shadow Copies.
It will then hijack an existing Windows service and use it to launch the ransomware encryptor executable. In our tests, the Windows service that was hijacked was the ‘Fax’ service.
The ransomware will also change the wallpaper to display a message stating, “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.”
The ransomware will now reboot the computer into Safe Mode with Networking, where the hijacked Windows service will start and automatically begin to encrypt the files on the device.
While encrypting files, the ransomware will append the .basta extension to the encrypted file’s name. So, for example, test.jpg would be encrypted and renamed to test.jpg.basta.
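As an added defensive example (not code from the article), the following Python correlates the behaviours described above (shadow copy deletion, hijack of the ‘Fax’ service, the Safe Mode with Networking reboot, and the .basta extension) over constructed endpoint telemetry. The event field names, sample paths and exact command-line patterns are assumptions; the article does not quote the commands the encryptor runs.

```python
import re

# Constructed sample endpoint telemetry (not taken from the article): one dict
# per observed event, using field names a typical EDR export might carry.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "service_change", "name": "Fax",
     "image_path": r"C:\Users\Public\update.exe"},
    {"type": "process", "cmdline": "bcdedit /set {default} safeboot network"},
    {"type": "file_rename", "old": r"C:\docs\test.jpg",
     "new": r"C:\docs\test.jpg.basta"},
    {"type": "process", "cmdline": "explorer.exe"},
]

# Indicators taken from the article: shadow-copy deletion, hijack of the Fax
# service to launch the encryptor, reboot into Safe Mode with Networking, and
# the .basta extension. The command-line patterns are assumptions; the
# article does not quote the exact commands.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
SAFEBOOT_NET = re.compile(r"\bbcdedit\b.*\bsafeboot\s+network\b", re.I)
SERVICES_SEEN_HIJACKED = {"fax"}
TRUSTED_IMAGE_DIR = "c:\\windows\\"


def classify(event):
    """Map one telemetry event to an indicator name, or None if benign."""
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if SAFEBOOT_NET.search(cmd):
            return "safe_mode_networking_reboot"
    elif kind == "service_change":
        # A service the article names as hijacked now pointing outside Windows.
        name = event.get("name", "").lower()
        path = event.get("image_path", "").lower()
        if name in SERVICES_SEEN_HIJACKED and not path.startswith(TRUSTED_IMAGE_DIR):
            return "service_hijack"
    elif kind == "file_rename":
        if event.get("new", "").lower().endswith(".basta"):
            return "basta_extension"
    return None


def triage(events, threshold=2):
    """Correlate indicators across events; return (sorted indicators, verdict)."""
    hits = sorted({i for i in map(classify, events) if i})
    verdict = "likely Black Basta activity" if len(hits) >= threshold else "no match"
    return hits, verdict


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring two or more distinct indicators before alerting keeps a lone shadow-copy deletion by backup software from paging anyone, while the full chain described above still fires.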
The Tor negotiation site is titled ‘Chat Black Basta’ and only includes a login screen and a web chat that can be used to negotiate with the threat actors.
The threat actors use this screen to issue a welcome message that contains a ransom demand, a threat that data will be leaked if payment is not made in seven days, and the promise of a security report after a ransom is paid.
Unfortunately, Gillespie says that the encryption algorithm is secure and that there is no way to recover files for free.