win.blackbasta

Black Basta

aka: no_name_software

"Black Basta" is a new ransomware strain discovered in April 2022 — it appears to have been in development since at least early February 2022 — and, given the group's ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought its affiliates along.

References
2023-01-25Quadrant Information SecurityQuadrant Information Security
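@online{security:20230125:technical:eb69781,
  author       = {{Quadrant Information Security}},
  title        = {Technical Analysis: {Black Basta} Malware Overview},
  date         = {2023-01-25},
  organization = {Quadrant Information Security},
  url          = {https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview},
  urldate      = {2023-02-21},
  language     = {English},
}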
Black Basta Black Basta
2022-12-01ZscalerZscaler
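@online{zscaler:20221201:back:43320e6,
  author       = {{Zscaler}},
  title        = {Back in {Black}... {Basta} - Technical Analysis of {BlackBasta} Ransomware 2.0},
  date         = {2022-12-01},
  organization = {Zscaler},
  url          = {https://www.zscaler.com/blogs/security-research/back-black-basta},
  urldate      = {2022-12-02},
  language     = {English},
}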
Black Basta
2022-11-23CybereasonCybereason Global SOC Team
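@online{team:20221123:threat:17093cc,
  author       = {{Cybereason Global SOC Team}},
  title        = {{THREAT ALERT}: Aggressive {Qakbot} Campaign and the {Black Basta} Ransomware Group Targeting {U.S.} Companies},
  date         = {2022-11-23},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies},
  urldate      = {2022-11-25},
  language     = {English},
}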
Black Basta QakBot
2022-11-03SentinelOneSentinelLabs
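@online{sentinellabs:20221103:black:0be02f3,
  author       = {{SentinelLabs}},
  title        = {{Black Basta} Ransomware | Attacks deploy Custom {EDR} Evasion Tools tied to {FIN7} Threat Actor},
  date         = {2022-11-03},
  organization = {SentinelOne},
  url          = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta},
  urldate      = {2022-11-03},
  language     = {English},
}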
Black Basta QakBot SocksBot
2022-11-03Sentinel LABSAntonio Cocomazzi
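@comment{Same report as sentinellabs:20221103:black:0be02f3 (that entry points at the PDF asset, this one at the blog post); consider consolidating.}
@online{cocomazzi:20221103:black:b0c2f05,
  author       = {Cocomazzi, Antonio},
  title        = {{Black Basta} Ransomware | Attacks Deploy Custom {EDR} Evasion Tools Tied to {FIN7} Threat Actor},
  date         = {2022-11-03},
  organization = {Sentinel LABS},
  url          = {https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/},
  urldate      = {2022-11-15},
  language     = {English},
}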
Black Basta
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
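@online{milenkoski:20220908:crimeware:9c7be9a,
  author       = {Milenkoski, Aleksandar and Walter, Jim},
  title        = {Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection},
  date         = {2022-09-08},
  organization = {Sentinel LABS},
  url          = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/},
  urldate      = {2022-09-10},
  language     = {English},
}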
AgendaCrypt Black Basta BlackCat PLAY
2022-09-01Trend MicroTrend Micro
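@online{micro:20220901:ransomware:8eda6e4,
  author       = {{Trend Micro}},
  title        = {Ransomware Spotlight {Black Basta}},
  date         = {2022-09-01},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta},
  urldate      = {2022-09-19},
  language     = {English},
}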
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
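@online{elsad:20220825:threat:b1026e7,
  author       = {Elsad, Amer},
  title        = {Threat Assessment: {Black Basta} Ransomware},
  date         = {2022-08-25},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware},
  urldate      = {2022-08-30},
  language     = {English},
}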
Black Basta
2022-08-25Palo Alto Networks Unit 42Amer Elsad
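@comment{Duplicate of elsad:20220825:threat:b1026e7: same article, the URL differs only by a trailing slash; consider consolidating.}
@online{elsad:20220825:threat:b3514ed,
  author       = {Elsad, Amer},
  title        = {Threat Assessment: {Black Basta} Ransomware},
  date         = {2022-08-25},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/},
  urldate      = {2022-10-05},
  language     = {English},
}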
Black Basta QakBot
2022-08-22MicrosoftMicrosoft
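@online{microsoft:20220822:extortion:67c26d4,
  author       = {{Microsoft}},
  title        = {Extortion Economics - Ransomware’s new business model},
  date         = {2022-08-22},
  organization = {Microsoft},
  url          = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v},
  urldate      = {2022-08-31},
  language     = {English},
}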
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-15SecurityScorecardVlad Pasca
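@online{pasca:20220815:deep:5f7d67c,
  author       = {Pasca, Vlad},
  title        = {A Deep Dive Into {Black Basta} Ransomware},
  date         = {2022-08-15},
  organization = {SecurityScorecard},
  url          = {https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla},
  urldate      = {2022-08-17},
  language     = {English},
}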
Black Basta
2022-08-15SecurityScorecardVlad Pasca
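@comment{Same report as pasca:20220815:deep:5f7d67c (that entry uses a pathfactory mirror URL); consider consolidating.}
@online{pasca:20220815:deep:f0ad4f2,
  author       = {Pasca, Vlad},
  title        = {A Deep Dive Into {Black Basta} Ransomware},
  date         = {2022-08-15},
  organization = {SecurityScorecard},
  url          = {https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware},
  urldate      = {2022-08-17},
  language     = {English},
}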
Black Basta
2022-07-20KasperskyMarc Rivero López, Jornt van der Wiel, Dmitry Galov, Sergey Lozhkin
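@online{lpez:20220720:luna:176a613,
  author       = {Rivero López, Marc and van der Wiel, Jornt and Galov, Dmitry and Lozhkin, Sergey},
  title        = {{Luna} and {Black Basta} — new ransomware for {Windows}, {Linux} and {ESXi}},
  date         = {2022-07-20},
  organization = {Kaspersky},
  url          = {https://securelist.com/luna-black-basta-ransomware/106950},
  urldate      = {2022-07-25},
  language     = {English},
}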
Black Basta Conti
2022-06-30Trend MicroKenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
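@online{apostol:20220630:black:7464953,
  author       = {Apostol, Kenneth Adrian and Labrador, Paolo Ronniel and Manlapig, Mirah and Panlilio, James and Panopio, Emmanuel and Reyes, John Kenneth and Singwa, Melvin},
  title        = {{Black Basta} Ransomware Operators Expand Their Attack Arsenal With {QakBot} Trojan and {PrintNightmare} Exploit},
  date         = {2022-06-30},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html},
  urldate      = {2022-07-05},
  language     = {English},
}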
Black Basta Cobalt Strike QakBot
2022-06-28GBHackers on SecurityGurubaran S
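@online{s:20220628:black:e69f497,
  author       = {S, Gurubaran},
  title        = {{Black Basta} Ransomware Emerging From Underground to Attack Corporate Networks},
  date         = {2022-06-28},
  organization = {GBHackers on Security},
  url          = {https://gbhackers.com/black-basta-ransomware/},
  urldate      = {2022-06-30},
  language     = {English},
}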
Black Basta
2022-06-06NCC GroupRoss Inman, Peter Gurney
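@online{inman:20220606:shining:4e6cd58,
  author       = {Inman, Ross and Gurney, Peter},
  title        = {Shining the Light on {Black Basta}},
  date         = {2022-06-06},
  organization = {NCC Group},
  url          = {https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/},
  urldate      = {2022-06-07},
  language     = {English},
}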
Black Basta
2022-06-01AvertiumAvertium
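@online{avertium:20220601:indepth:ccc8f54,
  author       = {{Avertium}},
  title        = {An In-Depth Look At {Black Basta} Ransomware},
  date         = {2022-06-01},
  organization = {Avertium},
  url          = {https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware},
  urldate      = {2022-08-18},
  language     = {English},
}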
Black Basta
2022-05-26IBMKevin Henson, Dave McMillen
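@online{henson:20220526:black:f789f1b,
  author       = {Henson, Kevin and McMillen, Dave},
  title        = {{Black Basta} Besting Your Network?},
  date         = {2022-05-26},
  organization = {IBM},
  url          = {https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/},
  urldate      = {2022-06-09},
  language     = {English},
}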
Black Basta
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
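@online{boguslavskiy:20220520:discontinued:de13f97,
  author       = {Boguslavskiy, Yelisey and Kremez, Vitali and Smith, Marley},
  title        = {{DisCONTInued}: The End of {Conti}’s Brand Marks New Chapter For Cybercrime Landscape},
  date         = {2022-05-20},
  organization = {AdvIntel},
  url          = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape},
  urldate      = {2022-05-25},
  language     = {English},
}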
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09Trend MicroIeriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales
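@online{gonzalez:20220509:examining:c372e74,
  author       = {Gonzalez, Ieriz Nicolle and Chavez, Ivan Nicole and Casona, Katherine and Morales, Nathaniel},
  title        = {Examining the {Black Basta} Ransomware’s Infection Routine},
  date         = {2022-05-09},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html},
  urldate      = {2022-05-17},
  language     = {English},
}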
Black Basta
2022-04-29The RecordJonathan Greig
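@online{greig:20220429:german:d7fd313,
  author       = {Greig, Jonathan},
  title        = {{German} wind farm operator confirms cybersecurity incident},
  date         = {2022-04-29},
  organization = {The Record},
  url          = {https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/},
  urldate      = {2022-05-03},
  language     = {English},
}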
Black Basta BlackCat
2022-04-27BleepingComputerBleepingComputer
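@online{bleepingcomputer:20220427:new:e66d2b0,
  author       = {{BleepingComputer}},
  title        = {New {Black Basta} ransomware springs into action with a dozen breaches},
  date         = {2022-04-27},
  organization = {BleepingComputer},
  url          = {https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/},
  urldate      = {2022-04-29},
  language     = {English},
}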
Black Basta
2022-04-26Bleeping ComputerLawrence Abrams
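@online{abrams:20220426:american:621959c,
  author       = {Abrams, Lawrence},
  title        = {{American Dental Association} hit by new {Black Basta} ransomware},
  date         = {2022-04-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/},
  urldate      = {2022-05-03},
  language     = {English},
}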
Black Basta
Yara Rules
[TLP:WHITE] win_blackbasta_auto (20230125 | Detects win.blackbasta.)
rule win_blackbasta_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a short run of x86 opcode bytes taken from the
    // sample's disassembly (the listing under each pattern shows the decoded
    // instructions). The "??" bytes wildcard address operands of calls and
    // immediates, which vary between builds and load addresses. Because the
    // patterns are unpacked-code fragments, the rule is meant for memory dumps
    // and unpacked files, not for packed samples on disk.
    strings:
        $sequence_0 = { 8b00 8b7020 8bce ff15???????? 8b4dc8 ffd6 8b75b0 }
            // n = 7, score = 100
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b7020               | mov                 esi, dword ptr [eax + 0x20]
            //   8bce                 | mov                 ecx, esi
            //   ff15????????         |                     
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   ffd6                 | call                esi
            //   8b75b0               | mov                 esi, dword ptr [ebp - 0x50]

        $sequence_1 = { 8d5e20 85c0 7439 394508 720d 50 51 }
            // n = 7, score = 100
            //   8d5e20               | lea                 ebx, [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   720d                 | jb                  0xf
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_2 = { 8bfe f3ab 56 e8???????? 83c404 5f 8b4df4 }
            // n = 7, score = 100
            //   8bfe                 | mov                 edi, esi
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_3 = { 83c408 5f 5e 8b4df4 64890d00000000 8d6564 5d }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   8d6564               | lea                 esp, [ebp + 0x64]
            //   5d                   | pop                 ebp

        $sequence_4 = { 89b578ffffff c74528ffffffff 89752c 897530 89751c 897520 c6451800 }
            // n = 7, score = 100
            //   89b578ffffff         | mov                 dword ptr [ebp - 0x88], esi
            //   c74528ffffffff       | mov                 dword ptr [ebp + 0x28], 0xffffffff
            //   89752c               | mov                 dword ptr [ebp + 0x2c], esi
            //   897530               | mov                 dword ptr [ebp + 0x30], esi
            //   89751c               | mov                 dword ptr [ebp + 0x1c], esi
            //   897520               | mov                 dword ptr [ebp + 0x20], esi
            //   c6451800             | mov                 byte ptr [ebp + 0x18], 0

        $sequence_5 = { ff7508 8bd9 8d8558ffffff 68???????? 899d70ffffff 50 c745f000000000 }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bd9                 | mov                 ebx, ecx
            //   8d8558ffffff         | lea                 eax, [ebp - 0xa8]
            //   68????????           |                     
            //   899d70ffffff         | mov                 dword ptr [ebp - 0x90], ebx
            //   50                   | push                eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0

        $sequence_6 = { 8b74241c 85f6 744d 53 8a5c241c 85c0 7439 }
            // n = 7, score = 100
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]
            //   85f6                 | test                esi, esi
            //   744d                 | je                  0x4f
            //   53                   | push                ebx
            //   8a5c241c             | mov                 bl, byte ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   7439                 | je                  0x3b

        $sequence_7 = { 8a80405d0a10 8b4d88 888560ffffff ffb560ffffff e8???????? 837dec10 8d4dd8 }
            // n = 7, score = 100
            //   8a80405d0a10         | mov                 al, byte ptr [eax + 0x100a5d40]
            //   8b4d88               | mov                 ecx, dword ptr [ebp - 0x78]
            //   888560ffffff         | mov                 byte ptr [ebp - 0xa0], al
            //   ffb560ffffff         | push                dword ptr [ebp - 0xa0]
            //   e8????????           |                     
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_8 = { 8b4508 6a01 57 ff7004 ff30 e8???????? 83c9ff }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a01                 | push                1
            //   57                   | push                edi
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_9 = { 83c11c c745f000000000 56 57 8d55a8 8b01 }
            // n = 6, score = 100
            //   83c11c               | add                 ecx, 0x1c
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d55a8               | lea                 edx, [ebp - 0x58]
            //   8b01                 | mov                 eax, dword ptr [ecx]

    // Match when at least 7 of the 10 opcode sequences are present and the
    // scanned object is under 1758208 bytes (~1.68 MiB); the size bound keeps
    // the rule from being evaluated against large files and memory regions
    // where the generic fragments would be more likely to collide.
    condition:
        7 of them and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0   (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)
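rule win_blackbasta_w0 {
   meta:
      description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
      author = "rcoliveira@protonmail.com"
      reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
      reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
      hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
      date = "2022-07-21"
      sharing = "TLP:WHITE"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      malpedia_version = "20220722"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      // $s*: ransom-note and negotiation-portal text embedded in the sample.
      // These are the easiest strings for an operator to change between
      // builds, so the condition never relies on them alone.
      $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
      $s2 = "Your data are stolen and encrypted" fullword ascii
      $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
      $s4 = "Input is not valid base64-encoded data." fullword ascii
      $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
      // $a*: build artefacts. $a1-$a5 look like Itanium-ABI mangled C++ symbols
      // (a ChaCha20 encryption helper, a ghc::filesystem path routine and
      // libstdc++ hashtable internals); $a6 is a leftover source path and $a7
      // a counter name. These survive note rewording but not symbol stripping.
      $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
      $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
      $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
      $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
      $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
      $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
      $a7 = "totalBytesEncrypted" fullword ascii
   condition:
      // YARA gives `and` precedence over `or`, so the original unparenthesised
      // `filesize < 600KB and (...) or (8 of them)` bounds only the first
      // alternative. The grouping below makes that explicit without changing
      // what matches. NOTE(review): confirm whether the size bound was meant
      // to cover the `8 of them` branch as well; if so, move it outside the
      // outer parentheses.
      (filesize < 600KB and 1 of ($s*) and 1 of ($a*))
      or 8 of them
}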