Black Basta (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.blackbasta (Back to overview)

Black Basta

aka: no_name_software

VTCollection

"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

References

2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos

2023-11-16 ⋅ YouTube (Swiss Cyber Storm) ⋅ Angelo Violetti
Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware
Black Basta

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2023-03-15 ⋅ Reliaquest ⋅ RELIAQUEST THREAT RESEARCH TEAM
QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot

2023-01-25 ⋅ Quadrant Information Security ⋅ Quadrant Information Security
Technical Analysis: Black Basta Malware Overview
Black Basta Black Basta

2023-01-23 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2022-12-01 ⋅ Zscaler ⋅ Zscaler
Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0
Black Basta

2022-11-23 ⋅ Cybereason ⋅ Cybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot

2022-11-03 ⋅ Sentinel LABS ⋅ Antonio Cocomazzi
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta

2022-11-03 ⋅ SentinelOne ⋅ SentinelLabs
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot

2022-10-12 ⋅ Trend Micro ⋅ Ian Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot

2022-09-08 ⋅ Sentinel LABS ⋅ Aleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot

2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-15 ⋅ SecurityScorecard ⋅ Vlad Pasca
A Deep Dive Into Black Basta Ransomware
Black Basta

2022-07-20 ⋅ Kaspersky ⋅ Dmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin
Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti

2022-06-30 ⋅ Trend Micro ⋅ Emmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-28 ⋅ GBHackers on Security ⋅ Gurubaran S
Black Basta Ransomware Emerging From Underground to Attack Corporate Networks
Black Basta

2022-06-06 ⋅ NCC Group ⋅ Peter Gurney, Ross Inman
Shining the Light on Black Basta
Black Basta

2022-06-01 ⋅ Avertium ⋅ Avertium
An In-Depth Look At Black Basta Ransomware
Black Basta

2022-05-26 ⋅ IBM ⋅ Dave McMillen, Kevin Henson
Black Basta Besting Your Network?
Black Basta

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Trend Micro ⋅ Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales
Examining the Black Basta Ransomware’s Infection Routine
Black Basta

2022-04-29 ⋅ The Record ⋅ Jonathan Greig
German wind farm operator confirms cybersecurity incident
Black Basta BlackCat

2022-04-27 ⋅ BleepingComputer ⋅ BleepingComputer
New Black Basta ransomware springs into action with a dozen breaches
Black Basta

2022-04-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
American Dental Association hit by new Black Basta ransomware
Black Basta

Yara Rules

[TLP:WHITE] win_blackbasta_auto (20230808 | Detects win.blackbasta.)

rule win_blackbasta_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7590 8bcf e8???????? 84c0 751f 384704 7507 }
            // n = 7, score = 100
            //   ff7590               | push                dword ptr [ebp - 0x70]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   751f                 | jne                 0x21
            //   384704               | cmp                 byte ptr [edi + 4], al
            //   7507                 | jne                 9

        $sequence_1 = { 89b574ffffff 894588 89458c e8???????? 84c0 755d 384304 }
            // n = 7, score = 100
            //   89b574ffffff         | mov                 dword ptr [ebp - 0x8c], esi
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   89458c               | mov                 dword ptr [ebp - 0x74], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   755d                 | jne                 0x5f
            //   384304               | cmp                 byte ptr [ebx + 4], al

        $sequence_2 = { 5b 8b4df4 64890d00000000 8d656c 5d c3 8d4d30 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   8d656c               | lea                 esp, [ebp + 0x6c]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d4d30               | lea                 ecx, [ebp + 0x30]

        $sequence_3 = { e8???????? 83c404 85c0 0f849d010000 8d5823 83e3e0 8943fc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f849d010000         | je                  0x1a3
            //   8d5823               | lea                 ebx, [eax + 0x23]
            //   83e3e0               | and                 ebx, 0xffffffe0
            //   8943fc               | mov                 dword ptr [ebx - 4], eax

        $sequence_4 = { c745e000000000 c745e40f000000 c645d000 c745fc00000000 ff734c e8???????? 83c404 }
            // n = 7, score = 100
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf
            //   c645d000             | mov                 byte ptr [ebp - 0x30], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff734c               | push                dword ptr [ebx + 0x4c]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_5 = { b867666666 c645e800 f7ea c1fa05 8bc2 c1e81f 03c2 }
            // n = 7, score = 100
            //   b867666666           | mov                 eax, 0x66666667
            //   c645e800             | mov                 byte ptr [ebp - 0x18], 0
            //   f7ea                 | imul                edx
            //   c1fa05               | sar                 edx, 5
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx

        $sequence_6 = { 85f6 7462 8b7d28 3bf7 7416 0f1f440000 8bce }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   7462                 | je                  0x64
            //   8b7d28               | mov                 edi, dword ptr [ebp + 0x28]
            //   3bf7                 | cmp                 esi, edi
            //   7416                 | je                  0x18
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { 56 e8???????? 83463008 83c410 0fb6c3 81c500020000 8b5c2474 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83463008             | add                 dword ptr [esi + 0x30], 8
            //   83c410               | add                 esp, 0x10
            //   0fb6c3               | movzx               eax, bl
            //   81c500020000         | add                 ebp, 0x200
            //   8b5c2474             | mov                 ebx, dword ptr [esp + 0x74]

        $sequence_8 = { 8d4dc0 e8???????? 837e1401 741a 837dec01 740d 8d45d8 }
            // n = 7, score = 100
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   837e1401             | cmp                 dword ptr [esi + 0x14], 1
            //   741a                 | je                  0x1c
            //   837dec01             | cmp                 dword ptr [ebp - 0x14], 1
            //   740d                 | je                  0xf
            //   8d45d8               | lea                 eax, [ebp - 0x28]

        $sequence_9 = { 83c410 8bce 50 68???????? e8???????? 8bf0 c78574ffffff00000000 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   c78574ffffff00000000     | mov    dword ptr [ebp - 0x8c], 0

    condition:
        7 of them and filesize < 1758208
}

[TLP:WHITE] win_blackbasta_w0 (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)

rule win_blackbasta_w0 {
   meta:
      description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
      author = "rcoliveira@protonmail.com"
      reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
      reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
      hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
      date = "2022-07-21"
      sharing = "TLP:WHITE"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      malpedia_version = "20220722"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
      $s2 = "Your data are stolen and encrypted" fullword ascii
      $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
      $s4 = "Input is not valid base64-encoded data." fullword ascii
      $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
      $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
      $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
      $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
      $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
      $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
      $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
      $a7 = "totalBytesEncrypted" fullword ascii
   condition:
      filesize < 600KB and
      (1 of ($s*) and 1 of ($a*) ) or (8 of them)
}

Download all Yara Rules

Black Basta Propose Change

References

Yara Rules

Black Basta