Chris Swagler | May 2nd, 2022

New ransomware, Black Basta, has sprung into operation breaching twelve companies across the globe since first appearing in the second week of April. There’s minimal publicized information about the new ransomware group because they haven’t begun marketing their operation or recruiting affiliates on hacking forums. Because of their ability to quickly breach new victims and their negotiation style, the ransomware group is likely not a new operation, but a previous top-tier ransomware group that rebranded and brought along its affiliates.

Black Basta, like other enterprise-targeting ransomware operations, steals companies’ data and documents before encrypting their devices. The stolen data is used in double-extortion attacks, in which threat actors demand ransom for a decryptor and to prevent the victims’ stolen data from being published. On the “Black Basta Blog” or “Basta News” Tor site, the group conducts the data extortion part of the attacks. Black Basta will slowly leak each victim’s data attempting to pressure them to pay a ransom. Currently, the Black Basta data leak website has data leak pages containing ten companies they’ve already breached, including 100GB of data allegedly stolen from Deutsche Windtechnik. According to BleepingComputer, there is additional information on other victims currently not listed on the dark leak website.

A brief analysis performed by SpearTip’s engineers of the online samples from Black Basta ransomware indicated that when the ransomware is executed, the encryptor needs to be run with administrative privileges or the files won’t be encrypted. Once the encryptor is launched, it will delete Volume Shadow Copies using the following command: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet. An Existing Windows service is then hijacked and used to launch the ransomware encryptor executable.

The ransomware changes the wallpaper displaying a message saying, “Your network is encrypted by the Black Basta group. Instruction in the file readme.txt.” The ransomware reboots the computers into Safe Mode with Networking, where the hijacked Windows service will start and automatically encrypt the files on the devices. A ransomware expert analyzed Black Basta’s encryption process and explained that it utilizes the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is encrypted with a public RSA-4096 key included in the executable.

The ransomware will append the “.basta” extension to the encrypted file’s name while encrypting files. It then creates a custom extension in the Windows Registry to display the custom icon associated with the “.basta” extension and associate the icon with a randomly named ICO file in the %Temp%folder. The ransomware will create a readme.txt file in each folder on the encrypted device containing information about the attack and a link and unique ID required to log in to their negotiation chat session. “Chat Black Basta” is the Tor negotiation site, which includes a login screen and a webchat for negotiation with the threat actors. Threat actors will use a screen with a welcome message containing a ransom demand, a threat to leak the data if the ransom is not paid in seven days, and the promise of a security report after a ransom is paid. The encryption algorithm is secure and there’s no way to recover files for free.

The Black Basta ransomware group is likely a rebrand of an experience operation based on how quickly the group amasses victims and the negotiation style. SpearTip engineers who observed the note theorize that Black Basta is a rebrand of the Conti ransomware operation based on several similarities. Over the past two months, Conti has been under serious scrutiny after a Ukrainian researcher leaked private conversations and the ransomware group’s source code. Because of the leak, Conti is likely to rebrand its operation to evade law enforcement.

Even though the Black Basta encryptor is different from Conti’s, there are numerous similarities in their negotiation style and website design. Additionally, after the negotiation screenshot was leaked, Black Basta released the data on a brand-new victim. The punishment is like what Conti introduced to turn the tide of negotiations being leaked on Twitter. Researchers are basing their assumptions on similar leak sites, the payments sites, and the way their “support” employees talk and behave.

Even though the connections are currently speculative, the Black Basta ransomware group needs to be monitored closely because they’ve only just begun their operations. With relatively new ransomware groups emerging as potential rebrands of previous ransomware operations, it’s always important for companies to be constantly vigilant on the current threat landscape and regularly update their data networks and devices.

At SpearTip, our Security Operations Center is staffed 24/7/365 with certified engineers that bring decades of combined experience, working in a continuous investigative cycle, ready to respond to incidents at a moment’s notice. Our engineers will join the companies’ teams on-scene to investigate the nature of the breach, conduct thorough data analysis, and execute the recovery plan to help return their business to its normal operations. The ShadowSpear Platform delivers a cloud-based solution collecting endpoint logs and detecting sophisticated unknown and advanced threats with comprehensive insights.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.