
Check Point Research analyzes the newly emerged Black Basta Ransomware, alerts organizations to adopt prevention best practices

Highlights:

Introduction

According to recent findings from Check Point Research, in 2022 an average of 1 in 40 organizations worldwide was impacted by ransomware attacks every week. This constitutes a worrying 59% increase over the past year.
The ransomware business continues to grow exponentially due to the lucrative payments demanded – and often received – by cybercrime gangs. With the addition of double extortion, ransomware attacks became even more appealing: even if the victim refuses to pay, the stolen private data may be sold in a Darknet forum for a considerable sum.

Gone are the days when cybercrime attacks were carried out by lone enthusiasts, occasionally aided by some friends and like-minded persons. As uncovered in a recent Conti leak, the backend of a modern high-profile cybercrime operation is reminiscent of the structure of giant IT companies whose employees may be located all over the world, with dedicated roles and responsibilities. Judging by the attention to detail we observed in a recent Black Basta incident spotted by the Check Point Incident Response Team, the operators behind this ransomware also have an impressive organizational structure.

*Since May 2022, there have been more than 89 cases of high-profile organizations that were extorted by the Black Basta gang. The data shows the group’s clear geographic focus on the US and Germany; 49% of the victims listed on the shame site are US organizations. According to reports, the group demanded millions of dollars in ransom fees.


Country          Number of victims   Percentage of victims
United States    44                  38%
Germany          16                  14%
United Kingdom    4                  3.5%
Austria           3                  2.6%
Canada            3                  2.6%
Switzerland       3                  2.6%
Denmark           2                  1.74%
France            2                  1.74%
India             2                  1.74%
Italy             2                  1.74%
Other             6                  5.22%
Total:           87                  100%

Figure 1 – *Top 10 victims’ countries according to leak sites.

*Source: Black Basta’s “shame site”, a site embedded into each ransom note dropped by the Black Basta group. The group uses this site to leak information about allegedly attacked companies that did not pay the ransom.

In a new blog post, our CPR researchers describe the inner workings of a Black Basta campaign and pay special attention to the delivery stage, where the main preparations for a smooth ransomware execution are made. They explain the numerous evasion and anti-analysis techniques that prevent emulators and sandboxes from detecting and analyzing the threat in an automated mode, and provide corresponding links to our Anti-Debug and Evasions encyclopedias. These sites are the ultimate sources for numerous techniques grouped by category, with code examples and possible countermeasures. Finally, they present an overview of how Black Basta encrypts files on the system and how it is capable of lateral movement.

Delivery methods of the Black Basta Ransomware to the victim’s machines

Before the actual ransomware execution can start, the ransomware must be delivered to the victim’s machine. There are different ways for a dropper to deliver its payload to the selected victim’s machine. There can also be a chain of dropper modules (we observed the combination of QakBot and Cobalt Strike payloads) that finally leads to the ransomware execution.

Figure 2 – Possible ways Black Basta delivers ransomware to the victim’s machine.

Droppers can be much more sophisticated than a simple ransomware payload.

Delivery stage

Next, the Black Basta dropper mimics the application for creating USB bootable drives hosted on this site:

Figure 3 – Icon and description of the Black Basta dropper.

The application is digitally signed with the same certificate (issued to “Akeo Consulting”) that is used for the legitimate executables from the Rufus website:

Figure 4 – Digital signature of the Black Basta dropper and the certificate issuer.

For more information on how to create a malicious application with a verified digital signature, see the dedicated article by the Check Point Research Team.
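The signed dropper described above is a reminder that a valid Authenticode signature is a necessary but not sufficient trust signal. The following PowerShell triage check is an added example, not Check Point’s code or anything from the Rufus project; the pinned certificate thumbprint and known-good SHA-256 hashes are placeholders that a defender would replace with values verified out of band.

```powershell
# Added example (not from the Check Point post): do not stop at "signature is valid".
# A dropper can carry the same publisher certificate as the genuine application, so
# pin the expected signer AND compare the file hash against builds verified out of band.
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholders: the publisher certificate thumbprint(s) you have pinned and the
        # SHA-256 hashes of installer builds you have verified against the vendor's site.
        [string[]]$PinnedThumbprints = @('PLACEHOLDER-CERT-THUMBPRINT'),
        [string[]]$KnownGoodSha256   = @('PLACEHOLDER-SHA256')
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $findings = @()

    # Check 1: the signature chain itself must validate.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is '$($sig.Status)'"
    }
    # Check 2: even a valid signature must come from the exact certificate we pinned.
    elseif ($PinnedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
        $findings += "signer '$signer' is not a pinned publisher certificate"
    }

    # Check 3: a valid signature from the expected publisher is still not proof that this
    # is a legitimate build; the hash of the actual file is the stronger control.
    if ($KnownGoodSha256 -notcontains $hash) {
        $findings += "SHA-256 $hash does not match any known-good build"
    }

    $verdict = 'matches pinned publisher and known-good build'
    if ($findings.Count -gt 0) {
        $verdict = 'quarantine for review: ' + ($findings -join '; ')
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = $hash
        Verdict = $verdict
    }
}

# Usage: Test-SignedInstaller -Path 'C:\Downloads\rufus-setup.exe'
```

A file that passes the signature check but fails the hash check is exactly the case the post describes, and should be treated as unverified rather than trusted on the strength of its certificate.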


How to Prevent a Ransomware Attack

There are several actions that a company can take to minimize their exposure to and the potential impact of a ransomware attack.

Conclusion

Ransomware attacks are one of the most serious threats a victim may face. Contemporary ransomware attacks have a record of numerous successful extortions and can move laterally within a network, which makes the payout under a double extortion scheme increasingly likely.

The newly emerged Black Basta is already a successful ransomware player that takes various precautions and carefully selects its victims before the actual data encryption is performed. The combination of soft and technical skills exhibited by the Black Basta gang, when successfully applied in a ransomware attack, can lead to truly devastating results.

As detailed in the blog and the technical research, not only is the ransomware itself engineered to inflict maximum damage in the least time possible, but the delivery stage is also stealthy, sophisticated, and effective. By the time encryption starts, Black Basta knows without a doubt that the environment is safe and that it has a clean shot to perform the encryption.

Check Point’s Anti-Ransomware protects organizations from the most sophisticated ransomware attacks, including Black Basta, and safely recovers encrypted data.
Anti-Ransomware is offered as part of Harmony Endpoint, Check Point’s complete endpoint security solution. Harmony Endpoint provides comprehensive endpoint protection at the highest security level.
