Highlights:
- Check Point Research (CPR) puts a special spotlight on how the Black Basta gang delivers malware to its victims and provides best practices to lower risks of being victimized
- CPR details the evasion and anti-analysis techniques of this ransomware, which were found to prevent security protections from detecting the malware
- Check Point Research provides links to our Anti-Debug and Evasions encyclopedias, and presents an overview of the Black Basta encryption and lateral movement capabilities
Introduction
According to recent findings from Check Point Research, in 2022, 1 out of 40 organizations worldwide was impacted by ransomware attacks on a weekly average. This constitutes a worrying 59% increase over the past year.
The ransomware business continues to grow exponentially due to the lucrative payments demanded – and often received – by cybercrime gangs. With the addition of double extortion, ransomware attacks became even more appealing: even if the victim refuses to pay, the stolen private data may be sold in a Darknet forum for a considerable sum.
Gone are the days when cybercrime attacks were carried out by lone enthusiasts, occasionally aided by some friends and like-minded persons. As uncovered in a recent Conti leak, the backend of a modern high-profile cybercrime operation is reminiscent of the structure of giant IT companies whose employees may be located all over the world, with dedicated roles and responsibilities. Judging by the attention to detail we observed in a recent Black Basta incident spotted by the Check Point Incident Response Team, the operators behind this ransomware also have an impressive organizational structure.
*Since May 2022, there have been more than 89 cases of high-profile organizations extorted by the Black Basta gang. Data shows the group’s clear geo-specific focus on the US and Germany; 49% of the victims listed on the shame site are US accounts. According to reports, the group demanded millions of dollars as a ransom fee.
| Country | Number of victims | Percentage of victims |
|---|---|---|
| United States | 44 | 38% |
| Germany | 16 | 14% |
| United Kingdom | 4 | 3.5% |
| Austria | 3 | 2.6% |
| Canada | 3 | 2.6% |
| Switzerland | 3 | 2.6% |
| Denmark | 2 | 1.74% |
| France | 2 | 1.74% |
| India | 2 | 1.74% |
| Italy | 2 | 1.74% |
| Other | 6 | 5.22% |
| Total | 87 | 100% |
Figure 1 – *Top 10 victims’ countries according to leak sites.
*Source: Black Basta’s “shame site”, a site whose address is embedded in each ransom note dropped by the Black Basta group. The group uses this site to leak information about allegedly attacked companies that did not pay the ransom.
In a new blog post, our CPR researchers describe the inner workings of a Black Basta campaign and pay special attention to the delivery stage where the main preparations for a smooth ransomware execution are made. They explain the numerous evasions and anti-analysis techniques that prevent emulators and sandboxes from detecting and analyzing the threat in an automated mode, while providing corresponding links to our Anti-Debug and Evasions encyclopedias. These sites are the ultimate sources of numerous techniques grouped by categories, with code examples and possible countermeasures to take. Finally, they present an overview of how Black Basta encrypts files in the system and how it is capable of lateral movement.
Delivery methods of the Black Basta Ransomware to the victim’s machines
Before the actual ransomware execution can start, the ransomware must be delivered to the victim’s machine. There are different ways for the dropper to deliver its payload to the selected victim’s machine. There can also be a chain of dropper modules executed in sequence (we observed the combination of QakBot and Cobalt Strike payloads) which finally leads to the ransomware execution.
Figure 2 – Possible ways Black Basta delivers ransomware to the victim’s machine.
Droppers can be much more sophisticated than a simple ransomware payload.
Delivery stage
Next, the Black Basta dropper mimics Rufus, the application for creating bootable USB drives, copying the icon and description of the legitimate tool:
Figure 3 – Icon and description of the Black Basta dropper.
The application is digitally signed with the same certificate (issued by “Akeo Consulting”) used for legitimate executables from the Rufus website:
Figure 4 – Digital signature of the Black Basta dropper and the certificate issuer.
For more information on how to create a malicious application with a verified digital signature, see the dedicated article by the Check Point Research Team.
How to Prevent a Ransomware Attack
There are several actions that a company can take to minimize their exposure to and the potential impact of a ransomware attack.
- Robust Data Backup: The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution cannot be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
- Up-to-Date Patches: Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
- Keep your software updated. Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
- Scan and monitor emails. Emails are a common choice for cybercriminals executing phishing schemes, so take the time to scan and monitor emails on an ongoing basis, and consider deploying an automated email security solution to block malicious emails from ever reaching users.
- Scan and monitor file activity. It is also a good idea to scan and monitor file activity. You should be notified whenever there is a suspicious file in play—before it becomes a threat.
- Anti-Ransomware Solutions: Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
- Cyber Awareness Training: Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cybercriminals can gain access to the employee’s computer and begin the process of installing and executing the ransomware program on it. Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
  - Not click on malicious links
  - Never open unexpected or untrusted attachments
  - Avoid revealing personal or sensitive data to phishers
  - Verify software legitimacy before downloading it
  - Never plug an unknown USB into their computer
  - Use a VPN when connecting via untrusted or public Wi-Fi
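The “scan and monitor file activity” and “anti-ransomware solutions” items above both rest on the same idea: encryption by ransomware produces a burst of writes whose content is near-random and whose file names carry an extension the environment has never used. The following script is an added example, not code from Check Point or from the research described in the post; it implements that behavioral check over a constructed stream of file-write events (timestamps, paths and content are made up for the demonstration) and raises one alert per burst. The entropy threshold, window length and burst size are assumptions chosen for illustration, not values from the report.

```python
import math
import random
from collections import deque

# Thresholds are assumptions chosen for this example, not values from the report.
HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data approaches 8.0
WINDOW_SECONDS = 10.0   # sliding window over the file-event stream
BURST_THRESHOLD = 20    # suspicious writes inside one window before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def file_extension(path: str) -> str:
    """Lower-cased extension after the last dot of the file name, '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious_write(path: str, data: bytes, known_ext: set) -> bool:
    """A write looks like encryption output when the content is near-random
    and the file carries an extension the environment has never used."""
    return file_extension(path) not in known_ext and shannon_entropy(data) >= HIGH_ENTROPY


def detect_bursts(events, known_ext, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Scan a time-ordered stream of (timestamp, path, data) write events.

    Returns one (timestamp, count) alert per burst: the moment the number of
    suspicious writes inside the sliding window first reaches `threshold`."""
    alerts = []
    recent = deque()      # timestamps of suspicious writes in the current window
    in_burst = False
    for ts, path, data in events:
        if not is_suspicious_write(path, data, known_ext):
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop writes that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:             # alert once per burst, not once per write
                alerts.append((ts, len(recent)))
                in_burst = True
        else:
            in_burst = False
    return alerts


def build_sample_events():
    """Constructed sample stream (not captured data): routine document saves,
    then 25 files rewritten with random bytes under a new extension within 5 s."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    events = []
    for i in range(5):
        events.append((float(i * 3), f"docs/report{i}.txt", b"quarterly figures\n" * 200))
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((100.0 + i * 0.2, f"docs/report{i}.txt.locked", blob))
    return events


KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf"}   # assumed baseline for the environment

if __name__ == "__main__":
    for ts, count in detect_bursts(build_sample_events(), KNOWN_EXTENSIONS):
        print(f"ALERT t={ts:.1f}s: {count} high-entropy writes to unknown extensions")
```

In a real deployment the event stream would come from a file-system audit source rather than a constructed list, and the response to an alert would be to suspend the writing process, which is the point at which the anti-ransomware products mentioned above stop encryption before further damage is done. Entropy alone is a weak signal (compressed archives and media files are also high-entropy), which is why the check also requires an extension that has never been seen on the host.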
Conclusion
Ransomware attacks are one of the most serious threats a victim may face. Contemporary ransomware attacks have a record of numerous successful extortions, and can move laterally within a network, which, combined with a double extortion scheme, makes a payout increasingly likely.
The newly emerged Black Basta is already a successful ransomware player that takes various precautions and carefully selects its victims before the actual data encryption is performed. The combination of soft and technical skills exhibited by the Black Basta gang, when successfully applied in a ransomware attack, can lead to truly devastating results.
As detailed in the blog and the technical research, not only is the ransomware itself engineered to inflict maximum damage in the least time possible, but the delivery stage is also stealthy, sophisticated, and effective. By the time encryption starts, Black Basta knows without a doubt that the environment is safe and has a clean shot at performing the encryption.
Check Point’s Anti-Ransomware protects organizations from the most sophisticated ransomware attacks, including Black Basta, and safely recovers encrypted data.
Anti-Ransomware is offered as part of Harmony Endpoint, Check Point’s complete endpoint security solution. Harmony Endpoint provides comprehensive endpoint protection at the highest security level.