As cybersecurity researchers scramble to analyze a series of attacks from a rising threat group called Black Basta, they may be feeling a similar sentiment. The attacks aren’t exactly what we’ve seen before, but they look surprisingly familiar. The similarity in payment sites, leak sites, and observable mannerisms of its members has some analysts wondering whether this group is a Conti rebrand.

While Black Basta’s attacks are relatively new, some information about its methods has been made public. The encryption routine used by Black Basta requires administrator privileges to run. To launch the encryption executable, the malware hijacks a legitimate Windows® service. It then changes the desktop background to display the ransom note. Files on the target system are encrypted with the ChaCha20 algorithm, and the key needed to decrypt them is in turn encrypted with RSA-4096.

This malicious program encrypts files and appends a “.basta” extension to their names. For example, a file originally named “1.jpg” appears as “1.jpg.basta”, “2.png” as “2.png.basta”, and so on for all affected files.

Once this process is complete, Black Basta changes the desktop background and creates a ransom note called “readme.txt”. Based on the text presented in this file, it is clear that this ransomware targets businesses rather than home users.
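The two on-disk artifacts described above (files renamed with a trailing “.basta” extension and a “readme.txt” note dropped beside them) are easy to sweep for. The following is an added example, not code from the article or from any vendor tool; the file listing it scans is constructed, and a lone readme.txt with no encrypted neighbours is deliberately not flagged, since that file name is common.

```python
"""Flag directories showing Black Basta-style artifacts in a file listing.
Added example (not from the original article); sample paths are constructed."""
import posixpath
from collections import defaultdict

RANSOM_EXT = ".basta"       # extension appended to encrypted files (per the article)
RANSOM_NOTE = "readme.txt"  # ransom note file name (per the article)


def classify_paths(paths):
    """Group paths by directory, counting .basta files and noting ransom notes."""
    per_dir = defaultdict(lambda: {"encrypted": [], "note": False})
    for path in paths:
        directory, name = posixpath.split(path)
        lowered = name.lower()
        if lowered.endswith(RANSOM_EXT):
            per_dir[directory]["encrypted"].append(name)
        elif lowered == RANSOM_NOTE:
            per_dir[directory]["note"] = True
    return per_dir


def find_suspect_dirs(paths, min_encrypted=1):
    """Return {directory: {"encrypted": n, "note": bool}} for directories that
    hold at least min_encrypted .basta files. A readme.txt on its own is ignored."""
    suspects = {}
    for directory, info in classify_paths(paths).items():
        if len(info["encrypted"]) >= min_encrypted:
            suspects[directory] = {"encrypted": len(info["encrypted"]),
                                   "note": info["note"]}
    return suspects


def original_name(encrypted_name):
    """Recover the pre-encryption name, e.g. '1.jpg.basta' -> '1.jpg'."""
    if not encrypted_name.lower().endswith(RANSOM_EXT):
        raise ValueError("not a .basta file name: %s" % encrypted_name)
    return encrypted_name[:-len(RANSOM_EXT)]


# Constructed sample listing (not real telemetry) mirroring the article's example.
SAMPLE_PATHS = [
    "C:/Users/alice/Pictures/1.jpg.basta",
    "C:/Users/alice/Pictures/2.png.basta",
    "C:/Users/alice/Pictures/readme.txt",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Windows/System32/readme.txt",   # benign readme, no .basta files beside it
]

if __name__ == "__main__":
    for directory, info in find_suspect_dirs(SAMPLE_PATHS).items():
        print(directory, info)
```

Running it against a real host means feeding `find_suspect_dirs` the output of a recursive directory walk; the hit list is a triage lead, not proof of infection.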

As stated in the note, victims can start the decryption process by visiting the included Tor link and logging in to the chat with their company ID. The cybercriminals then provide the necessary information and instructions for carrying out the process. Some victims who reported an infection with Black Basta ransomware stated that the criminals demanded 2 million dollars for decryption, although this sum is likely to vary depending on the size of the affected company and the value of the data collected.

In addition to all of the above, the extortionists threaten that if victims do not negotiate a deal or deliberately decline the offer, all collected data will be published online. Sometimes the biggest danger of an infection is not losing data but putting your company’s reputation at risk. Even so, decryption without the criminals’ help is almost impossible, yet trusting them is not advisable either, since nothing guarantees that they will fulfill their part of the deal.

The most common ways corporate networks become infected are through NAS (Network Attached Storage) vulnerabilities, malicious email attachments, and Trojans. Many corporate victims report that their NAS or QNAP device was infected. This can happen through unknown vulnerabilities and security flaws that most victims are not aware of, so taking extra security measures is a good idea.
