Ransomware attacks are rapidly becoming a dominant cyber hiccup that internet users cannot escape and will only continue to grow as these schemes are exceptionally profitable for cybercriminals in matters of money. On the contrary, past year cybersecurity statistics revealed an alarming state of businesses and individuals who suffered close to $75 billion in losses. These vulnerabilities are only estimated to expand to $6 trillion per year in 2021.
The new piece of software known as Black Basta is a malware that collects sensitive information, encrypts it prior to exfiltration, and then threatens victims by threatening to reveal the encrypted stolen information to the public.
Black Basta’s ascent in the ransomware world proceeded quickly; by the end of April, it had gone from being a little-known player at the beginning of February to being the most infamous ransomware group. On underground discussion boards renowned for hosting dubious content, user Black Basta said in April 2022 that it intended to purchase and monetize corporate network access credentials in exchange for a cut of the earnings.
Due to the fact that they use data extraction (exfiltration) before launching their other destructive attacks, they are viewed as a greater threat than certain other groups.
Since its creation earlier this year, the Black Basta ransomware organization has already impacted 50 firms. From other businesses, they have wanted up to $2 million. The majority of victims are located in the US, however these businesses also have their roots in Australia, Canada, New Zealand, and other nations. These figures show that even though this organization has only been functioning for a little over a year, it has already had an effect on businesses.
How Black Basta Operates
Black Basta uses two parallel attacks as part of a double extortion campaign. Prior to encrypting the contents of the cyber-locker, it first grabs private data and deposits it there. This enables these criminals to threaten victims with the disclosure of their sensitive information to the public without really doing so or following through on their promise.
Step 1: The ransomware known as Black Basta requires administrative rights to operate. The Windows Management Instrumentation is a modular information thief that the Black Basta ransomware assault uses to spread laterally through an organization, conduct reconnaissance, access data, and execute the payload. QB has the ability to perform the role of a reconnaissance robot, gathering information about the area. It can then get access to the environment and return with information and credentials. From there, it has lateral access to different locations, allowing it to collect additional data and infect more systems.
Step 2: The Black Basta ransomware targets the network’s Domain Controller after receiving harvesting credentials and in-depth information of network architecture from QaBot. It makes use of PsExec to run arbitrary instructions over a command-line interface on machines throughout the network. Computer modifications can be made using Group Policy Objects (GPOs), which are then applied to non-administrator accounts. This served as inspiration for the Black Basta ransomware, which on hijacked domain controllers produces a GPO to disable Windows Defender and other anti-virus tools while simultaneously attempting to counter similar QBot-Egregor attacks.
Step 3: Following the Black Basta ransomware’s successful circumvention of a security measure that might have otherwise assisted users in protecting their files, the group then launches a ransom loader using an encoded PowerShell command that makes use of built-in Windows Network capabilities to connect to the targeted IP addresses. Black Basta Ransomware divides files into 64-byte blocks that it then encrypts before sprinkling them with 128-byte portions of plain-text material in order to speed up and improve the efficiency of its encryption operation.
In its final step, it replaced the background image on a victim’s system to include the message:
“Your network is encrypted by Black Basta group. Instructions in file readme.txt”
Every folder on your computer is created by Black Basta with encrypted files that have names based on the ID of your attack. There will be a readme file and a link to your chat room inside each file, where you can haggle for the return of your data.
Potential Safeguards against the threat
- Ensure that all software is updated regularly : Exploiting system flaws and software vulnerabilities is one of the most popular methods thieves break into a computer. A Windows Printing Spooler Exploit was found to be in use by nefarious Ransomware groups in May 2022.
It’s critical to keep up with any security issues brought on by updates. Because the most recent version has already been deployed to take such risks into account, there is less of a possibility that thieves will be able to exploit vulnerabilities in your programs in this manner.
- Create data backups for all of your files : When storing data on distant computers, you should back up your information and enable encryption with a strong password. Once the infected computer has been properly cleaned up, you can restore your data if it has been encrypted by ransomware on new devices or the original one.
- Implement the Zero Trust policy: The Zero Trust strategy is an excellent way to maintain security when technology develops quickly. Establishing trust policies that check each new device, partner, or person that requests access to your network or data would be beneficial.
- Evaluate the security of your network using a managed firewall : As it directly pertains to vulnerabilities, one must have thorough security against attack vectors and have them patched right away. Using a WAF is one efficient method of accomplishing this.
- To safeguard critical data and accounts, use strong and distinctive passwords : Use strong passwords and put strong password policies into place to make sure that all credentials are kept in one-way salt hashes so that they can never be cracked.
Cyber attackers will never stop trying to breach defenses, therefore plug any security vulnerabilities you find because if you leave anything unsecured, the attackers will get in. They could take advantage of the flaws and cause mayhem in your business without mercy.
Author: Mr. Shrey Madaan, Research Associate, CyberPeace Foundation