Black Basta Ransomware Analysis

Introduction

Black Basta ransomware hit the American Dental Association on the weekend of the week of 4/17, 2022. The ransomware group responsible also stole sensitive data, including W2 forms, NDAs, and accounting spreadsheets. This report covers Black Basta's capabilities and IOCs to help prevent future attacks.

Installation

Basta installs itself by hijacking the Fax service entry.

Upon installation, Basta restarts the computer. Because the newly created service is configured to run at startup, it begins encrypting files as soon as the machine comes back up.

Commands Issued

  • vssadmin.exe delete shadows /all /quiet
  • bcedit.exe /deletevalue safeboot
  • bcedit.exe /set safeboot network
  • C:\Windows\SysNative\bcdedit.exe /set safeboot network
  • C:\Windows\System32\bcdedit.exe /set safeboot network
  • C:\Windows\System32\ vssadmin.exe /deletevalue safeboot
  • C:\Windows\System32\ vssadmin.exe /deletevalue safeboot
  • cmd.exe /C shutdown -r -f -t 0

The commands issued show that Basta runs with admin privileges. Deleting shadow copies is a standard ransomware technique that removes the local restore points a victim could otherwise recover from. If offline backups are not in place, this attack leaves the victim at the mercy of the attacker.

Based on the analysis, there is no indication that this sample can elevate its own privileges. It can therefore be concluded that the attacker already held higher-level privileges when the sample was executed.

The recommended course of action is to maintain offsite backups so that recovery remains possible even if an attacker gains admin-level privileges on the victim machine.

IOCs

  • MD5: 3f400f30415941348af21d515a2fc6a3
  • SHA-1: bd0bf9c987288ca434221d7d81c54a47e913600a
  • SHA-256: 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
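As an added example (not code from the original post), the Python below turns the observations above into defender-side checks: it scans process-creation log lines for the command patterns listed under "Commands Issued", checks a file hash against the IOC list, and flags a Fax service whose binary path is not the expected Windows fax binary (the write-up says the Fax service entry is hijacked but not which field changes, so the image-path check, the default path `C:\Windows\System32\fxssvc.exe`, the log format, user names and log lines are all assumptions or constructed test data, not artifacts from the incident).

```python
"""Detection checks for the Black Basta behaviours described in the write-up.

Added example, not code from the original post. The log lines, user names,
the log format and the Fax-service image-path check are assumptions or
constructed test data, not data captured from the incident.
"""
import re

# Hashes copied from the IOC list in the write-up.
BLACK_BASTA_HASHES = {
    "md5": "3f400f30415941348af21d515a2fc6a3",
    "sha1": "bd0bf9c987288ca434221d7d81c54a47e913600a",
    "sha256": "5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa",
}

# Rules written against the command lines listed in the write-up. Matching is
# case-insensitive, ignores any leading path, and tolerates the "bcedit"
# spelling that appears in the post alongside "bcdedit".
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("safeboot_tamper",
     re.compile(r"(bcd?edit|vssadmin)(\.exe)?\s+/(set|deletevalue)\s+safeboot", re.I)),
    ("forced_reboot",
     re.compile(r"shutdown\s+[-/]r\b.*[-/]f\b", re.I)),
]

# Default location of the legitimate Windows Fax service binary (assumed
# unchanged on the host being checked).
EXPECTED_FAX_IMAGE = r"c:\windows\system32\fxssvc.exe"

# Constructed process-creation log: timestamp|user|command line.
SAMPLE_LOG = """\
2022-04-17T02:10:58Z|LAB\\svc_backup|C:\\Windows\\System32\\svchost.exe -k netsvcs
2022-04-17T02:11:03Z|LAB\\admin|vssadmin.exe delete shadows /all /quiet
2022-04-17T02:11:04Z|LAB\\admin|bcdedit.exe /deletevalue safeboot
2022-04-17T02:11:04Z|LAB\\admin|C:\\Windows\\SysNative\\bcdedit.exe /set safeboot network
2022-04-17T02:11:05Z|LAB\\admin|cmd.exe /C shutdown -r -f -t 0
2022-04-17T02:11:07Z|LAB\\jsmith|notepad.exe C:\\Users\\jsmith\\notes.txt
"""


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_process_log(text):
    """Parse pipe-separated log lines and return one alert dict per rule hit."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split("|", 2)
        for rule in classify(cmd):
            alerts.append({"ts": ts, "user": user, "rule": rule, "cmd": cmd})
    return alerts


def staging_detected(alerts):
    """True when all three steps seen in the write-up (shadow copy deletion,
    safeboot tampering, forced reboot) are present in the alert list."""
    seen = {a["rule"] for a in alerts}
    return {"shadow_copy_deletion", "safeboot_tamper", "forced_reboot"} <= seen


def matches_ioc(algorithm, digest):
    """Compare a file hash against the published IOCs, case-insensitively."""
    return BLACK_BASTA_HASHES.get(algorithm.lower()) == digest.lower()


def fax_service_hijacked(image_path):
    """Flag a Fax service whose binary path is not the expected fxssvc.exe.

    Checking the image path is an assumption: the write-up only states that
    the Fax service entry is hijacked, not which field is modified.
    """
    normalized = image_path.strip().strip('"').lower()
    normalized = normalized.replace("%systemroot%", r"c:\windows")
    return normalized != EXPECTED_FAX_IMAGE


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['user']:<16} {a['rule']:<22} {a['cmd']}")
    print("ransomware staging sequence present:", staging_detected(found))
```

In a real deployment the same three rules would be fed from Sysmon event 1 or Security event 4688 command lines; the single-host sequence check in `staging_detected` is the useful part, since any one of the commands on its own (particularly a reboot) is far too noisy to alert on.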

Ransomware File Extension

  • .basta

Ransomware Background Image

[image: desktop background set by the ransomware; not reproduced here]

Conclusion

For now, more analysis is needed to uncover the rest of its capabilities. During analysis, a command line argument "-forcepath" was found, but its intended behavior was not determined.

  • Updated on April 28th - Updated Registry Information
