Black Basta is a new ransomware first detected in mid-April 2022. According to Minerva researchers, the ransomware “has already caused substantial damage to over ten organizations.” Recent victims include Deutsche Windtechnik and the American Dental Association. Some researchers suspect the ransomware is associated with the Conti cybercrime group.
Black Basta Technical Summary
The first thing to note is that the ransomware must be run with administrative privileges; without them it does nothing harmful. An attacker therefore has to stay undetected in the target’s network long enough to obtain those privileges, or use stolen login credentials of the kind commonly sold on dark web forums.
The ransomware also gains persistence by hijacking an existing service name: it deletes the original service and creates a new one with the same name. In the sample the researchers examined, that service was Fax. Before starting encryption, Black Basta checks whether the machine is already booted into safe mode via the GetSystemMetrics API call (the SM_CLEANBOOT metric reports the current boot mode), and then adds the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax”, which allows the Fax service to start in Safe Mode with Networking.
Once this configuration is complete, it sets the machine to boot into Safe Mode with Networking by running bcdedit /set safeboot network and then restarts it.
“Due to the reboot mode change performed by the ransomware earlier, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption,” Minerva’s report noted.
Black Basta also enumerates volumes and drops a readme.txt file containing “a surprisingly short ransom note containing a data publication threat, TOR website address of the gang, and a company ID.” The note is written to every folder as part of the encryption routine. To speed up encryption, the ransomware runs several threads in parallel.
Once encryption is complete, the ransomware sets the computer to reboot in normal mode. Minerva suggests that each Black Basta sample is built for a specific target, since the company ID is hardcoded into the ransom note alongside the public key.
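As an added example, not from the Minerva report or any vendor tooling, the following PowerShell script checks a live host for the safe-mode persistence chain described above: a service name registered under SafeBoot\Network and a safeboot value set on the current boot entry. It assumes an elevated session and that the legitimate Fax service binary on a clean system is fxssvc.exe; the function names are this example's own.

```powershell
# Added example (not from the Minerva report): hunt for Black Basta-style
# safe-mode persistence on the local host. Run from an elevated PowerShell session.

# Service names allowed to start in Safe Mode with Networking live under this key,
# alongside device-class GUIDs. An extra service name here (the report's sample
# used "Fax") is what the persistence step leaves behind.
$SafeBootNetKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$GuidPattern    = '^\{[0-9A-Fa-f-]{36}\}$'

function Get-SafeBootServiceEntries {
    # List every non-GUID entry and resolve it against the installed services so the
    # binary behind each name is visible; compare the list against a known-clean host.
    Get-ChildItem -Path $SafeBootNetKey |
        Where-Object { $_.PSChildName -notmatch $GuidPattern } |
        ForEach-Object {
            $name = $_.PSChildName
            $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Entry       = $name
                ServiceSeen = [bool]$svc
                PathName    = if ($svc) { $svc.PathName } else { $null }
                StartMode   = if ($svc) { $svc.StartMode } else { $null }
                # The real Fax service runs fxssvc.exe (assumption: clean Windows install);
                # a "Fax" service pointing anywhere else matches the hijack described above.
                Suspicious  = [bool]($name -eq 'Fax' -and $svc -and $svc.PathName -notmatch 'fxssvc\.exe')
            }
        }
}

function Get-SafeBootSetting {
    # "bcdedit /set safeboot network" leaves a "safeboot  Network" line on the current
    # boot entry; no such line means the host will boot normally next time.
    $match = & bcdedit.exe /enum '{current}' |
        Select-String -Pattern '^\s*safeboot\s+(\S+)' |
        Select-Object -First 1
    if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
}

# Report: SafeBoot\Network service entries, then the pending boot mode.
Get-SafeBootServiceEntries | Format-Table -AutoSize

$mode = Get-SafeBootSetting
if ($mode) {
    Write-Warning "Current boot entry has safeboot=$mode. Clear it with: bcdedit /deletevalue {current} safeboot"
} else {
    Write-Output 'No safeboot value is set on the current boot entry.'
}
```

Windows ships a baseline set of service names under SafeBoot\Network, so the entry list is most useful diffed against a clean reference host rather than read in isolation; the Suspicious column only flags the specific Fax hijack the report describes. If that key and a safeboot value are both present, the host is staged for the encryption run: clear the boot setting with the bcdedit command above and remove the rogue SafeBoot\Network\Fax key after the service itself has been stopped and inspected.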