
Black Basta Ransomware Hits More Than 500 Organisations, Including Critical Infrastructure, Across U.S., Europe & Australia

Unlike most ransomware groups, Black Basta’s ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are given a unique code and told to contact the group via a .onion URL.

The Black Basta ransomware-as-a-service (RaaS) operation has attacked more than 500 private industry and critical infrastructure entities across North America, Europe, and Australia since it emerged in April 2022. The figures come from a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The advisory states that Black Basta has targeted at least 12 of the 16 critical infrastructure sectors, using a double-extortion model in which affiliates both encrypt systems and steal data, threatening to publish it if the ransom is not paid. Initial access is typically gained through common techniques such as phishing and exploitation of known vulnerabilities.


Black Basta was first observed using QakBot as an initial attack vector and has been an active threat ever since. Statistics from Malwarebytes show that the group was linked to 28 of the 373 confirmed ransomware attacks in April 2024. Kaspersky identified it as the 12th most active ransomware family in 2023. The group’s activity surged by 41 per cent in Q1 2024 compared to the previous quarter.

There is evidence suggesting that Black Basta operators have connections to the cybercrime group FIN7, which has been shifting to ransomware attacks since 2020. The attack chains typically involve the SoftPerfect network scanner for internal reconnaissance; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for remote execution and lateral movement; Mimikatz for credential theft and privilege escalation; and RClone for data exfiltration before encryption begins.

The group also exploits known vulnerabilities like ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) to gain elevated privileges. In some cases, they use a tool called Backstab to disable endpoint detection and response (EDR) software, which has also been used by LockBit affiliates.

The final stage of the attack encrypts files with the ChaCha20 algorithm, with the encryption keys protected by an RSA-4096 public key so they cannot be recovered without the operators’ private key, and deletes volume shadow copies via the vssadmin.exe program to hinder system recovery.
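The tools and the shadow-copy deletion described above are exactly what a SOC would turn into process-creation detections. The following is an added example, not code from the advisory or from any of the vendors cited on this page. It runs two simple rules over constructed Sysmon Event ID 1 (process creation) records rendered as JSON lines: one for volume shadow copy deletion (the vssadmin.exe case on the page, generalised to the equivalent WMIC invocation, which the page does not mention), and one for RClone being used to copy data to a remote. It then correlates the two, since the same account both exfiltrating and killing recovery is the pre-encryption tell. The sample records, the account names and the `mega:dump` remote are all invented for the example.

```python
import json
import re

# Constructed Sysmon Event ID 1 records (JSON lines). Illustrative only; these are
# not real telemetry from any incident. Hosts, users and remotes are invented.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup"}
{"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\admin"}
{"Image": "C:\\Users\\Public\\rclone.exe", "CommandLine": "rclone.exe copy \"\\\\FS01\\Finance\" mega:dump --transfers 8", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup"}
"""

# Each rule needs both the image name and the command line to match, so that
# "vssadmin list shadows" (a benign admin query) does not fire the recovery rule.
RULES = [
    {
        "name": "shadow_copy_deletion",
        "technique": "T1490 Inhibit System Recovery",
        "image": re.compile(r"\\(vssadmin|wmic)\.exe$", re.I),
        "cmdline": re.compile(r"(delete\s+shadows|shadowcopy\s+delete)", re.I),
    },
    {
        "name": "rclone_exfiltration",
        "technique": "T1567 Exfiltration Over Web Service",
        "image": re.compile(r"\\rclone(\.exe)?$", re.I),
        "cmdline": re.compile(r"\b(copy|sync|move)\b", re.I),
    },
]

SHADOW_RULE = "shadow_copy_deletion"
EXFIL_RULE = "rclone_exfiltration"


def parse_events(text):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def match_rules(event):
    """Return the rules whose image and command-line patterns both match."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return [r for r in RULES if r["image"].search(image) and r["cmdline"].search(cmdline)]


def detect(text):
    """Run every rule over every record and return one alert per hit, in log order."""
    alerts = []
    for event in parse_events(text):
        for rule in match_rules(event):
            alerts.append({
                "rule": rule["name"],
                "technique": rule["technique"],
                "user": event.get("User", ""),
                "cmdline": event.get("CommandLine", ""),
            })
    return alerts


def correlate_by_user(alerts):
    """Accounts that both exfiltrated with RClone and deleted shadow copies."""
    rules_by_user = {}
    for alert in alerts:
        rules_by_user.setdefault(alert["user"], set()).add(alert["rule"])
    return sorted(u for u, rules in rules_by_user.items() if {SHADOW_RULE, EXFIL_RULE} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['technique']} user={a['user']} cmd={a['cmdline']}")
    for user in correlate_by_user(found):
        print(f"ESCALATE: {user} exfiltrated data and deleted shadow copies")
```

Run against the constructed sample it raises three alerts (two shadow-copy deletions and one RClone copy) and escalates the one account that did both; the benign "vssadmin list shadows" query is deliberately not flagged. In production the same two patterns belong on Sysmon or Windows 4688 command-line auditing, and RClone is worth matching on file hash or original filename as well, since the binary is routinely renamed.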

“Healthcare organisations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the advisory noted.

Meanwhile, the CACTUS ransomware campaign continues to exploit flaws in the Qlik Sense platform, affecting 3,143 servers as of April 17, 2024, with most of these located in the U.S., Italy, Brazil, the Netherlands, and Germany.
