Black Basta Ransomware is a recently emerged ransomware family that, within a few weeks of its first appearance, had already claimed several high-profile victims.
The Swascan SOC Team intercepted and analyzed this threat and verified that it carries encrypted and obfuscated payloads, which make the behaviour of the infection and encryption phases harder to reconstruct, as we can see from the following image:
By examining the entropy of the ransomware executable, we can see that the .text and .reloc sections are packed: the original code has been replaced by a loader plus a compressed (or encrypted) copy of the original code. When the loader runs, it decodes the packed blob, regenerates the original code in memory and then transfers control to it:
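The check described above can be reproduced without a commercial tool. The following script is an added example (not Swascan's tooling and not code from the sample): it walks the PE section table by hand, computes the Shannon entropy of each section's raw bytes and flags sections that look packed or encrypted. Because the real sample is not on this page, the script builds its own minimal PE container from constructed section contents (random bytes standing in for packed code, repeated note text standing in for the plain .data section); the 7.2 bits/byte threshold is an assumed rule of thumb, not a value from the analysis.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> dict:
    """Walk a PE image held in memory (DOS header -> e_lfanew -> COFF header -> section
    table) and return {section_name: raw_bytes}. Standard PE layout, no third-party parser."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = {}
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections[name] = pe[ptr_raw:ptr_raw + size_raw]
    return sections


def section_report(pe: bytes, threshold: float = 7.2) -> dict:
    """Entropy per section plus a verdict. Sections above `threshold` bits/byte are what a
    packer (or an embedded encrypted payload) produces; the threshold is an assumed heuristic."""
    report = {}
    for name, data in parse_sections(pe).items():
        h = shannon_entropy(data)
        report[name] = (round(h, 2), "packed?" if h >= threshold else "plain")
    return report


def build_sample_pe(section_data: dict) -> bytes:
    """CONSTRUCTED test input: a minimal, non-executable PE container (DOS stub, COFF header,
    zero-filled 32-bit optional header, one header per section, raw data 512-byte aligned).
    It exists only so the parser above has something to walk offline."""
    e_lfanew, size_of_optional = 0x80, 0xE0
    table = e_lfanew + 4 + 20 + size_of_optional
    first_raw = (table + 40 * len(section_data) + 0x1FF) & ~0x1FF
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_data), 0, 0, 0, size_of_optional, 0x102)
    hdr += b"\0" * size_of_optional
    raw, ptr, va = bytearray(), first_raw, 0x1000
    for name, data in section_data.items():
        hdr += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, Characteristics
        hdr += struct.pack("<IIIIIIHHI", len(data), va, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF
    hdr += b"\0" * (first_raw - len(hdr))
    return bytes(hdr) + bytes(raw)


RNG = random.Random(2022)  # fixed seed so the demo is reproducible
NOTE_TEXT = b"Placeholder note text standing in for the embedded ReadMe.txt (constructed).\0"
SAMPLE_PE = build_sample_pe({
    ".text": bytes(RNG.getrandbits(8) for _ in range(4096)),   # stands in for packed (compressed/encrypted) code
    ".data": NOTE_TEXT * 32,                                    # plain strings, like the embedded ransom note
    ".reloc": bytes(RNG.getrandbits(8) for _ in range(1024)),  # also packed in the analyzed sample
    ".rsrc": b"\0" * 512,                                       # padding-only section
})

if __name__ == "__main__":
    for name, (entropy, verdict) in section_report(SAMPLE_PE).items():
        print(f"{name:<8} {entropy:5.2f} bits/byte  {verdict}")
```

On a real file, `section_report(open(path, "rb").read())` gives the same table. Two caveats a practitioner should keep in mind: a section can be high-entropy for legitimate reasons (embedded compressed resources, certificates, random keys), and a packed .text usually still contains a small low-entropy loader stub, so a section-level number is a hint to be confirmed by looking at the loader and at what it writes back into memory, not a verdict by itself.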
The .data section of the PE contains the text of the ReadMe.txt document, the ransom note, which the ransomware drops in every directory of the infected computer.
The filename of the icon associated with the encrypted files and the filename of the .jpg image set as the victim's desktop wallpaper are both taken from strings hardcoded in the executable:
During execution the ransomware tries to fingerprint its environment: it checks whether it is running inside a virtual machine (behaviour also observed in dynamic analysis and debugging sessions) and uses sleep and thread-wait calls, typical sandbox-evasion tricks, to "deceive" possible debuggers and sandboxes:
The core encryption logic appends the .basta extension to the encrypted files. This includes .lnk files, so applications can no longer be launched through their shortcuts and the infected machine becomes almost unusable.
During the infection phase, Volume Shadow Copies, if present, are deleted to hinder recovery of the encrypted files:
In one of the analyzed cases, Black Basta attempted to pass as a legitimate application by signing the executable with a certificate. This can be effective for two reasons:
- it can evade some security solutions, such as antivirus and EDR products, that treat signed binaries more leniently;
- it deceives users more easily: the file appears to be "signed" by an existing software house, and the warning that the signature is not valid is easily overlooked.
The practical check is therefore not whether a signature is present but whether it validates and chains to a trusted root: a binary whose signature fails validation should be treated as unsigned at best.
The readme.txt file created by the threat contains a specific login ID that the victim can use to access the threat actor's chat, hosted on TOR, to negotiate the ransom payment.
Looking at some text documents encrypted by Black Basta Ransomware, it is evident that not the whole content of the files is encrypted: the encryption covers only parts of the content, applied "intermittently".
This detail, which may look almost irrelevant at first glance, is actually fundamental to understanding the type of attack these criminals carry out: encrypting only parts of each file makes the encryption operation fast while remaining just as destructive for the integrity and availability of the data in the compromised infrastructure (the same behaviour has already been seen in LockBit 2.0 and DarkSide Ransomware). Integrity and availability are not the only properties that fail in a Black Basta infection: besides encrypting the files of the attacked infrastructure, the group also exfiltrates the data and publishes it online if the ransom is not paid:
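To make the trade-off concrete, here is an added model of intermittent encryption and of how an analyst measures it; it is illustrative code, not Black Basta's implementation. The keystream is a SHA-256 counter construction used purely as a stand-in cipher (the real cipher and the real chunk/skip sizes are not on this page and are assumed here: 64 bytes encrypted, 128 bytes skipped), and the document being encrypted is constructed sample text.

```python
import hashlib
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256.
    ASSUMPTION: a stand-in for a real stream cipher; it is NOT Black Basta's algorithm."""
    blocks = [hashlib.sha256(key + nonce + struct.pack("<Q", ctr)).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def intermittent_encrypt(data: bytes, key: bytes, nonce: bytes, chunk: int = 64, skip: int = 128):
    """Encrypt `chunk` bytes, leave the next `skip` bytes untouched, repeat to the end of the file.
    Returns (output, stats). Because this is XOR with a keystream, applying it twice with the
    same key and nonce restores the input, which is what the decryptor would do."""
    out = bytearray(data)
    ks = keystream(key, nonce, len(data))
    encrypted = 0
    for pos in range(0, len(data), chunk + skip):
        end = min(pos + chunk, len(data))
        out[pos:end] = bytes(a ^ b for a, b in zip(data[pos:end], ks[pos:end]))
        encrypted += end - pos
    stats = {"total": len(data), "encrypted": encrypted,
             "encrypted_fraction": encrypted / len(data) if data else 0.0}
    return bytes(out), stats


def readable_fragments(data: bytes, min_len: int = 20):
    """Printable ASCII runs that survive in the output: roughly what an analyst still reads in a
    hexdump of a partially encrypted document, i.e. the content that leaks despite 'encryption'."""
    frags, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127 or b in (9, 10, 13):
            cur.append(b)
            continue
        if len(cur) >= min_len:
            frags.append(bytes(cur))
        cur = bytearray()
    if len(cur) >= min_len:
        frags.append(bytes(cur))
    return frags


# Constructed sample document (not a real victim file); 131 bytes per line, 8 lines.
SAMPLE_DOC = (b"Quarterly report - CONFIDENTIAL. Revenue grew 12% year over year; "
              b"customer list attached. Contact finance@example.com for details.\n") * 8
KEY = hashlib.sha256(b"demo-key").digest()  # constructed demo key
NONCE = b"\0" * 8

if __name__ == "__main__":
    ct, stats = intermittent_encrypt(SAMPLE_DOC, KEY, NONCE)
    print(stats)
    for fragment in readable_fragments(ct)[:3]:
        print(fragment)
```

Two things the numbers show. First, only about a third of the bytes are rewritten, so the disk I/O and CPU cost per file drops accordingly, yet every 192-byte window of a structured file (an Office container, a database page, an archive) is damaged, which is enough to make it unusable. Second, the skipped regions remain fully readable, so "encrypted" files still leak plaintext, and the ratio of changed bytes, together with the regular on/off pattern of the changed ranges, is a useful forensic fingerprint when comparing a backup copy with the encrypted one.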
Black Basta's code also contains references to administrative control of the system and to access to domain credential information: before encrypting files, Black Basta performs infrastructure and domain discovery.
Strings extracted from more than one sample, some of them found in Remote Procedure Call invocations, contain references that point to Africa: specifically to the Hausa language (spoken mainly in West Africa, notably Nigeria and Niger), including the string "Talata", which means "Tuesday" in Hausa. An African origin of the ransomware gang is therefore considered plausible.
It is important to stress that, in some cases, language or nationality references found in a threat can be placed there deliberately by the threat actors to divert attention from the real origin of the attack.
Supporting the thesis of a fast and efficient encryption phase, there is also evidence of the use of Windows services (set to start automatically with the system, among them the Fax service, identifiable from the strings extracted from the ransomware), which are managed and monitored through debug-output write operations:
Further evidence of the use of services in the encryption phase:
Further details on the service debug output:
Black Basta therefore appears to rely on the execution of specific Windows services (in the analyzed samples, the Fax service) to drive the encryption of the infected machine.
In the infection phase, similarly to what REvil Ransomware does, it also changes the Windows boot configuration so that the operating system restarts in Safe Mode with Networking. This technique lets the ransomware encrypt the victim's files more efficiently and evades security solutions (antivirus, antimalware, EDR, etc.), many of which are not loaded in Safe Mode, while the "with Networking" variant keeps the machine reachable by the attacker:
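The three host-level changes discussed above (shadow copies deleted, the Fax service switched to automatic start, the boot configuration set to Safe Mode with Networking) all leave process-creation telemetry behind, and a single parent process producing more than one of them is a strong ransomware signal. The detector below is an added example, not part of the Swascan analysis: the event lines are constructed in a simple pipe-separated format (timestamp, host, user, parent image, image, command line), and the command-line patterns are assumptions about the usual ways these effects are produced on Windows (vssadmin/wmic, sc config, bcdedit), since the page does not quote the exact commands the sample runs.

```python
import re

# ASSUMPTION: these command forms are the common ways to produce the effects described in the
# article; they are not strings quoted from the Black Basta sample.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("safeboot_config", re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+safeboot\s+(minimal|network)")),
    ("fax_service_autostart", re.compile(
        r"\bsc(\.exe)?\s+config\s+fax\s+start=\s*(auto|demand)")),
]


def parse_event(line: str) -> dict:
    """Constructed format: ts|host|user|parent_image|image|cmdline (cmdline may contain '|')."""
    ts, host, user, parent, image, cmdline = line.rstrip("\n").split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def match_rules(event: dict) -> list:
    """Names of all rules whose pattern occurs in the (lower-cased) command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines) -> list:
    """One alert per (event, matching rule)."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event):
            alerts.append({**event, "rule": rule})
    return alerts


def correlate(alerts: list, min_rules: int = 2) -> list:
    """Group alerts by (host, parent image). A parent that triggers two or more different
    impact behaviours is escalated to 'high': that is the ransomware impact chain, not admin work."""
    by_parent = {}
    for alert in alerts:
        by_parent.setdefault((alert["host"], alert["parent"]), set()).add(alert["rule"])
    return [{"host": host, "parent": parent, "rules": sorted(rules),
             "severity": "high" if len(rules) >= min_rules else "medium"}
            for (host, parent), rules in by_parent.items()]


# Constructed sample telemetry: two benign admin commands and one impact chain from
# a hypothetical dropped binary (setup.exe is an invented name).
SAMPLE_EVENTS = [
    "2022-05-02T10:14:02Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "2022-05-02T10:14:05Z|WS-FIN-07|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\setup.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2022-05-02T10:14:06Z|WS-FIN-07|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\setup.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot network",
    "2022-05-02T10:14:07Z|WS-FIN-07|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\setup.exe|C:\\Windows\\System32\\sc.exe|sc config Fax start= auto",
    "2022-05-02T10:20:00Z|WS-IT-01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\sc.exe|sc query Fax",
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert["ts"], alert["host"], alert["rule"], "<-", alert["parent"])
    for chain in correlate(found):
        print(chain)
```

These are impact-stage detections: by the time vssadmin runs, encryption is seconds away, so the alert is only useful if it is wired to an automatic response (kill the parent process, isolate the host) or, better, if shadow-copy deletion and bcdedit changes from user-writable paths are blocked outright. The string rules also miss shadow copies deleted through the VSS COM API or diskshadow, and a safe-boot change made by writing the BCD store directly, so they should be complemented by checks on the resulting state: the current BCD safeboot value and any service whose start type changed to automatic shortly before a reboot.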
There is also evidence of references to remote registry access and remote desktop sessions: this shows that the goal of the threat is the compromise of an entire infrastructure, not only the encryption and exfiltration of data.
Black Basta does not seem to rely on a single payload for the infection chain but, as already noted, on multiple payload stages; in particular, one of the analyzed samples references an executable named candies.exe, which could be run to perform further malicious tasks:
Below are some references to the desktop wallpaper settings used to display the ransom note:
The analysis of Black Basta Ransomware highlighted some peculiarities of this malware:
- partial (intermittent) encryption of file content;
- likely African origin of the threat actors;
- abuse of the Windows Fax service to control the encryption phase;
- disguise of the ransomware executable, signed with a certificate belonging to a real software house.
Cyber Security Framework
The best approach to increasing perimeter resilience goes through the three pillars of modern Cyber Security, namely the three canons of:
- Predictive Security,
- Preventive Security,
- Proactive Security.
How to defend:
Predictive Security
- Identifies business threats outside the corporate perimeter operating at the Web, Darkweb and Deep Web levels.
- Researches any emerging threats.
- Performs Early Warning activities.
- Provides evidence to Preventive Security.
- Indicates areas of focus to Proactive Security.
Preventive Security
- Audits and measures Cyber Risk.
- Defines remediation plans.
- Indicates the Risk exposed to the Proactive Security Layer.
- Provides areas of Investigation to the Predictive Security.
Proactive Security
- Identifies cyber threats operating within the corporate perimeter.
- Counteracts and blocks cyber attacks.
- Manages Cyber Incidents.
- Provides evidence to Preventive Security.
- Indicates areas of investigation to Predictive Security.