SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackbasta (Back to overview)

Black Basta

aka: no_name_software

"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

References
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
@online{hammond:20230627:trickbotconti:5e1f20d, author = {Charlotte Hammond and Ole Villadsen}, title = {{The Trickbot/Conti Crypters: Where Are They Now?}}, date = {2023-06-27}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/}, language = {English}, urldate = {2023-07-31} } The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-04-19Bleeping ComputerBill Toulas
@online{toulas:20230419:march:2c99c12, author = {Bill Toulas}, title = {{March 2023 broke ransomware attack records with 459 incidents}}, date = {2023-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/}, language = {English}, urldate = {2023-04-28} } March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30United States District Court (Eastern District of New York)Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-15ReliaquestRELIAQUEST THREAT RESEARCH TEAM
@online{team:20230315:qbot:cf3b85f, author = {RELIAQUEST THREAT RESEARCH TEAM}, title = {{QBot: Laying the Foundations for Black Basta Ransomware Activity}}, date = {2023-03-15}, organization = {Reliaquest}, url = {https://www.reliaquest.com/blog/qbot-black-basta-ransomware/}, language = {English}, urldate = {2023-04-18} } QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot
2023-01-25Quadrant Information SecurityQuadrant Information Security
@online{security:20230125:technical:eb69781, author = {Quadrant Information Security}, title = {{Technical Analysis: Black Basta Malware Overview}}, date = {2023-01-25}, organization = {Quadrant Information Security}, url = {https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview}, language = {English}, urldate = {2023-02-21} } Technical Analysis: Black Basta Malware Overview
Black Basta Black Basta
2023-01-23KrollStephen Green, Elio Biasiotto
@online{green:20230123:black:dd89d21, author = {Stephen Green and Elio Biasiotto}, title = {{Black Basta – Technical Analysis}}, date = {2023-01-23}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis}, language = {English}, urldate = {2023-04-22} } Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2022-12-01ZscalerZscaler
@online{zscaler:20221201:back:43320e6, author = {Zscaler}, title = {{Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0}}, date = {2022-12-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/back-black-basta}, language = {English}, urldate = {2022-12-02} } Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0
Black Basta
2022-11-23CybereasonCybereason Global SOC Team
@online{team:20221123:threat:17093cc, author = {Cybereason Global SOC Team}, title = {{THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies}}, date = {2022-11-23}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies}, language = {English}, urldate = {2022-11-25} } THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot
2022-11-03SentinelOneSentinelLabs
@online{sentinellabs:20221103:black:0be02f3, author = {SentinelLabs}, title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta}, language = {English}, urldate = {2022-11-03} } Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-11-03Sentinel LABSAntonio Cocomazzi
@online{cocomazzi:20221103:black:b0c2f05, author = {Antonio Cocomazzi}, title = {{Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/}, language = {English}, urldate = {2022-11-15} } Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
@online{kenefick:20221012:black:17505c9, author = {Ian Kenefick and Lucas Silva and Nicole Hernandez}, title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}}, date = {2022-10-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html}, language = {English}, urldate = {2023-05-23} } Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
@online{milenkoski:20220908:crimeware:9c7be9a, author = {Aleksandar Milenkoski and Jim Walter}, title = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}}, date = {2022-09-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/}, language = {English}, urldate = {2022-09-10} } Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-09-01Trend MicroTrend Micro
@online{micro:20220901:ransomware:8eda6e4, author = {Trend Micro}, title = {{Ransomware Spotlight Black Basta}}, date = {2022-09-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta}, language = {English}, urldate = {2022-09-19} } Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
@online{elsad:20220825:threat:b1026e7, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware}, language = {English}, urldate = {2022-08-30} } Threat Assessment: Black Basta Ransomware
Black Basta
2022-08-25Palo Alto Networks Unit 42Amer Elsad
@online{elsad:20220825:threat:b3514ed, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/}, language = {English}, urldate = {2022-10-05} } Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-15SecurityScorecardVlad Pasca
@online{pasca:20220815:deep:5f7d67c, author = {Vlad Pasca}, title = {{A Deep Dive Into Black Basta Ransomware}}, date = {2022-08-15}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla}, language = {English}, urldate = {2022-08-17} } A Deep Dive Into Black Basta Ransomware
Black Basta
2022-08-15SecurityScorecardVlad Pasca
@online{pasca:20220815:deep:f0ad4f2, author = {Vlad Pasca}, title = {{A Deep Dive Into Black Basta Ransomware}}, date = {2022-08-15}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware}, language = {English}, urldate = {2022-08-17} } A Deep Dive Into Black Basta Ransomware
Black Basta
2022-07-20KasperskyMarc Rivero López, Jornt van der Wiel, Dmitry Galov, Sergey Lozhkin
@online{lpez:20220720:luna:176a613, author = {Marc Rivero López and Jornt van der Wiel and Dmitry Galov and Sergey Lozhkin}, title = {{Luna and Black Basta — new ransomware for Windows, Linux and ESXi}}, date = {2022-07-20}, organization = {Kaspersky}, url = {https://securelist.com/luna-black-basta-ransomware/106950}, language = {English}, urldate = {2022-07-25} } Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti
2022-06-30Trend MicroKenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
@online{apostol:20220630:black:7464953, author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa}, title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}}, date = {2022-06-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html}, language = {English}, urldate = {2022-07-05} } Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-28GBHackers on SecurityGurubaran S
@online{s:20220628:black:e69f497, author = {Gurubaran S}, title = {{Black Basta Ransomware Emerging From Underground to Attack Corporate Networks}}, date = {2022-06-28}, organization = {GBHackers on Security}, url = {https://gbhackers.com/black-basta-ransomware/}, language = {English}, urldate = {2022-06-30} } Black Basta Ransomware Emerging From Underground to Attack Corporate Networks
Black Basta
2022-06-06NCC GroupRoss Inman, Peter Gurney
@online{inman:20220606:shining:4e6cd58, author = {Ross Inman and Peter Gurney}, title = {{Shining the Light on Black Basta}}, date = {2022-06-06}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/}, language = {English}, urldate = {2022-06-07} } Shining the Light on Black Basta
Black Basta
2022-06-01AvertiumAvertium
@online{avertium:20220601:indepth:ccc8f54, author = {Avertium}, title = {{An In-Depth Look At Black Basta Ransomware}}, date = {2022-06-01}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware}, language = {English}, urldate = {2022-08-18} } An In-Depth Look At Black Basta Ransomware
Black Basta
2022-05-26IBMKevin Henson, Dave McMillen
@online{henson:20220526:black:f789f1b, author = {Kevin Henson and Dave McMillen}, title = {{Black Basta Besting Your Network?}}, date = {2022-05-26}, organization = {IBM}, url = {https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/}, language = {English}, urldate = {2022-06-09} } Black Basta Besting Your Network?
Black Basta
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09Trend MicroIeriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales
@online{gonzalez:20220509:examining:c372e74, author = {Ieriz Nicolle Gonzalez and Ivan Nicole Chavez and Katherine Casona and Nathaniel Morales}, title = {{Examining the Black Basta Ransomware’s Infection Routine}}, date = {2022-05-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html}, language = {English}, urldate = {2022-05-17} } Examining the Black Basta Ransomware’s Infection Routine
Black Basta
2022-04-29The RecordJonathan Greig
@online{greig:20220429:german:d7fd313, author = {Jonathan Greig}, title = {{German wind farm operator confirms cybersecurity incident}}, date = {2022-04-29}, organization = {The Record}, url = {https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/}, language = {English}, urldate = {2022-05-03} } German wind farm operator confirms cybersecurity incident
Black Basta BlackCat
2022-04-27BleepingComputerBleepingComputer
@online{bleepingcomputer:20220427:new:e66d2b0, author = {BleepingComputer}, title = {{New Black Basta ransomware springs into action with a dozen breaches}}, date = {2022-04-27}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/}, language = {English}, urldate = {2022-04-29} } New Black Basta ransomware springs into action with a dozen breaches
Black Basta
2022-04-26Bleeping ComputerLawrence Abrams
@online{abrams:20220426:american:621959c, author = {Lawrence Abrams}, title = {{American Dental Association hit by new Black Basta ransomware}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/}, language = {English}, urldate = {2022-05-03} } American Dental Association hit by new Black Basta ransomware
Black Basta
Yara Rules
[TLP:WHITE] win_blackbasta_auto (20230715 | Detects win.blackbasta.)
rule win_blackbasta_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b8ffffff7f 8bd1 d1ea 2bc2 57 3bc8 7607 }
            // n = 7, score = 100
            //   b8ffffff7f           | mov                 eax, 0x7fffffff
            //   8bd1                 | mov                 edx, ecx
            //   d1ea                 | shr                 edx, 1
            //   2bc2                 | sub                 eax, edx
            //   57                   | push                edi
            //   3bc8                 | cmp                 ecx, eax
            //   7607                 | jbe                 9

        $sequence_1 = { 6800000080 ff15???????? 85c0 754d 837d1c08 8d4d08 }
            // n = 6, score = 100
            //   6800000080           | push                0x80000000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   754d                 | jne                 0x4f
            //   837d1c08             | cmp                 dword ptr [ebp + 0x1c], 8
            //   8d4d08               | lea                 ecx, [ebp + 8]

        $sequence_2 = { c745bc0f000000 884da8 8b03 c745fc04000000 8b702c 8d8560ffffff }
            // n = 6, score = 100
            //   c745bc0f000000       | mov                 dword ptr [ebp - 0x44], 0xf
            //   884da8               | mov                 byte ptr [ebp - 0x58], cl
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   8b702c               | mov                 esi, dword ptr [eax + 0x2c]
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]

        $sequence_3 = { 8bec 83ec14 56 8b7508 ff34b5bc430a10 e8???????? 50 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ff34b5bc430a10       | push                dword ptr [esi*4 + 0x100a43bc]
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_4 = { 83453040 41 8345340c 8b7d4c 8b5550 894d0c 85ff }
            // n = 7, score = 100
            //   83453040             | add                 dword ptr [ebp + 0x30], 0x40
            //   41                   | inc                 ecx
            //   8345340c             | add                 dword ptr [ebp + 0x34], 0xc
            //   8b7d4c               | mov                 edi, dword ptr [ebp + 0x4c]
            //   8b5550               | mov                 edx, dword ptr [ebp + 0x50]
            //   894d0c               | mov                 dword ptr [ebp + 0xc], ecx
            //   85ff                 | test                edi, edi

        $sequence_5 = { 8945ec 57 ff7508 ff7704 ff37 e8???????? 83c410 }
            // n = 7, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff37                 | push                dword ptr [edi]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { 0540420f00 8945ec 83d100 894de8 eb14 c745ecffffffff }
            // n = 6, score = 100
            //   0540420f00           | add                 eax, 0xf4240
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   83d100               | adc                 ecx, 0
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   eb14                 | jmp                 0x16
            //   c745ecffffffff       | mov                 dword ptr [ebp - 0x14], 0xffffffff

        $sequence_7 = { 64a100000000 50 64892500000000 83ec34 56 57 8d45c0 }
            // n = 7, score = 100
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax
            //   64892500000000       | mov                 dword ptr fs:[0], esp
            //   83ec34               | sub                 esp, 0x34
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d45c0               | lea                 eax, [ebp - 0x40]

        $sequence_8 = { 6a00 53 51 8bcf ff501c 5f 5e }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   8bcf                 | mov                 ecx, edi
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_9 = { c645b400 3b35???????? 740f ff7620 e8???????? 83c404 8bd0 }
            // n = 7, score = 100
            //   c645b400             | mov                 byte ptr [ebp - 0x4c], 0
            //   3b35????????         |                     
            //   740f                 | je                  0x11
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bd0                 | mov                 edx, eax

    condition:
        7 of them and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0   (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)
rule win_blackbasta_w0 {
   meta:
      description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
      author = "rcoliveira@protonmail.com"
      reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
      reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
      hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
      date = "2022-07-21"
      sharing = "TLP:WHITE"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      malpedia_version = "20220722"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
      $s2 = "Your data are stolen and encrypted" fullword ascii
      $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
      $s4 = "Input is not valid base64-encoded data." fullword ascii
      $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
      $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
      $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
      $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
      $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
      $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
      $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
      $a7 = "totalBytesEncrypted" fullword ascii
   condition:
      filesize < 600KB and
      (1 of ($s*) and 1 of ($a*) ) or (8 of them)
}
Download all Yara Rules