What is Black Basta?
Black Basta is a ransomware gang that has just lately come into existence and the first reports of attacks were made public in April of this year. Black Basta employs dual extortion operations, which are common among other ransomware groups, in which data is first removed from the network before the malware is introduced. Then it makes a threat to publish the information on the Tor sites “Black Basta Blog” or “Basta News.”
Black Basta utilizes two Tor sites, one of which exposes stolen data and the other of which allows victims to get in touch with the ransomware authors. The ransom letter that the ransomware program drops includes a link to the latter website.
Given that Black Basta is a RaaS business, it’s probable that other affiliates were also involved in these recent attacks, which would account for the usage of various tactics, techniques, and procedures (TTPs). Public reports have also described the use of Black Basta in conjunction with the Qakbot malware.
The targets of this ransomware are mainly organizations involved in finance, information technology, and manufacturing. It uses tools like BlackBasta, SystemBC, RClone, PowerShell, Vssadmin, and WMI to invade the systems.
Once the groundwork has been completed, the attackers use a PowerShell command and the Windows Management Instrumentation (WMI) interface to spread the Black Basta ransomware across all detected endpoint systems.
The Black Basta application, when run on a system, first removes any Volume Shadow copies before beginning to encrypt all files with the exception of those with specific extensions and those placed in specific directories that are listed in a black list.
This gang has so far demonstrated a significant level of knowledge and contacts in the underground cybercrime community. It prefers to attack businesses in established economies, practices double extortion and demands millions in ransom. As a result, it has been able to compromise a large number of businesses in a short period of time.