AdvisoryAdvisoriesCISAAA24-131A

May 10, 2024

#StopRansomware: Black Basta

May 10, 2024

What we know so far

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory on Black Basta, a ransomware variant known for encrypting and stealing data from critical infrastructure sectors, including Healthcare and Public Health. Identified in April 2022, Black Basta operates as a ransomware-as-a-service (RaaS) and has impacted over 500 organizations globally by May 2024.

Black Basta affiliates typically gain initial access through spearphishing and exploiting known vulnerabilities, such as ConnectWise CVE-2024-1709. They use tools like BITSAdmin and PsExec for lateral movement, leveraging Remote Desktop Protocol (RDP) and other remote access tools. For privilege escalation, they employ credential scraping tools like Mimikatz and exploit vulnerabilities such as ZeroLogon and PrintNightmare. To disable defenses, they use PowerShell and a tool called Backstab. Data exfiltration is facilitated by RClone, and encryption is achieved using a custom ChaCha20 algorithm, followed by deleting volume shadow copies to inhibit system recovery. The affiliates then demand ransom payments through a .onion URL, threatening to publish stolen data on the Black Basta TOR site if demands are not met.

Arrow Right

Schedule a test

Our insights

Protect your endpoints

Subscribe to alerts

Insights by Prelude

Black Basta's approach to initial access involves spearphishing or exploiting public-facing applications, leveraging the widespread vulnerability of users to phishing emails and unpatched systems. Once inside the network, affiliates use BITSAdmin and PsExec for lateral movement, tools that are often overlooked due to their legitimate administrative uses. This underscores the importance of monitoring for unusual activity involving these tools, even if they are commonly used in IT environments.

Privilege escalation techniques involve sophisticated exploits such as ZeroLogon and PrintNightmare, which target critical vulnerabilities in Windows Active Directory domains. These exploits allow attackers to elevate privileges and move laterally within the network, highlighting the need for timely patch management and vulnerability assessment practices to mitigate such risks.

Disabling defenses is a critical step for Black Basta affiliates, who use PowerShell and the custom Backstab tool to disable antivirus and endpoint detection and response (EDR) systems. This phase emphasizes the necessity for robust security configurations and continuous monitoring of PowerShell and other scripting activities.

The final stages of their attack involve encrypting files with a custom ChaCha20 algorithm and deleting volume shadow copies using vssadmin.exe to prevent recovery. Organizations must prioritize regular backups, ensure they are kept offline, and frequently test restoration processes to mitigate the impact of such ransomware attacks.

See if you are protected against this advisory

Arrow Right

Schedule a test with Prelude

Subscribe to advisory alerts

Be immediately notified of new advisories and associated security tests

More advisories

AdvisoryAdvisoryCISAAA24-207A

July 25, 2024

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

AdvisoryAdvisoryCISAAA24-193A

July 11, 2024

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

AdvisoryAdvisoryCISAAA24-190A

July 9, 2024

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

See all advisories

Arrow Right
Solutions
For Detection & Response TeamsFor CISOs
Platform
DetectCrowdStrike
Company
AboutCareersBlogAdvisoriesResourcesCommunityPress
Book a Demo

©2024 Prelude Research, Inc. All rights reserved.
Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept

Cookies

Happening Soon: CTI to Assurance: Automating Proactive Threat Management With Prelude Detect
Save Your Seat
Arrow Right