Why threats are becoming global and large-scale.
Qualys has published a report with the Indicators of Compromise (IOC) of the Black Basta Ransomware. The Black Basta ransomware group was first spotted in April 2022. It uses a ransomware-as-a-service (RaaS) model and is known for its double-extortion tactics, where the victim must pay not only to recover the data, but also to proliferate it. In its early stages, Black Basta showed similarities to the methods of another well-known group, Conti.
Black Basta has impacted many industries, including critical infrastructure in North America, Europe, and Australia. To date, more than 500 organizations around the world have been affected by its attacks. Attackers gain initial access using standard methods such as phishing, Qakbot, Cobalt Strike, and exploitation of known vulnerabilities. Once inside the network, attackers move laterally, examining important systems and data before activating the ransomware. A number of indicators associate Black Basta with the FIN7 group, which is supported by the use of similar tools to bypass threat detection systems.
Black Basta actively uses various tools, such as Mimikatz, Cobalt Strike, PowerShell, and other legitimate programs, to carry out its attacks. The group also exploits vulnerabilities, including ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and NoPac (CVE-2021-42287), which allow it to gain administrator privileges and roam within the network.
Black Basta attacks usually start with phishing emails containing malicious files or links. One of the commonly used tools is Qakbot, which, once it has infected a host, establishes a connection to a Command-and-Control (C2) server to download additional malware such as SystemBC or Cobalt Strike, as well as legitimate remote control tools. Attackers use tools such as RClone and WinSCP to steal data, after which the Black Basta ransomware is deployed on the victim's devices.
A feature of the Black Basta attacks is the use of the ChaCha20 encryption algorithm, the key of which is additionally encrypted using RSA-4096, which makes it difficult to recover data without the participation of the attackers. Once the data is encrypted, the victim's computer changes the desktop background, adds ransom instructions, and drops "readme.txt" or "instructions_read_me.txt" files with details on how access to the data can be regained.
Black Basta actively uses double extortion: first stealing data and then encrypting it, threatening to publish confidential information if the victim refuses to pay the ransom.
Source