Overview:
- Black Basta is a prolific ransomware-as-a-service (RaaS) group employing double-extortion tactics (data encryption and exfiltration).
- Active since at least April 2022, the group has impacted over 500 organizations globally across various critical infrastructure sectors (as of May 2024).
- Utilizes spearphishing, social engineering, and vulnerability exploitation for initial access.
- Employs a sophisticated attack chain involving lateral movement, data exfiltration, and encryption.
- Demonstrates adaptability and evolution of tactics, including the recent pairing of email bombing (flooding a target mailbox with junk subscriptions) with Microsoft Teams calls or chats from attacker-controlled tenants impersonating IT support, used to talk the user into installing remote access tooling.
- Communicates ransom demands through Tor-accessible .onion URLs and publishes stolen data if ransoms are unpaid.
- Poses a significant threat due to its continued activity and impact on critical infrastructure.
Known Aliases:
Black Basta (primary alias).
Country of Origin:
Not confirmed. Victims span North America, Europe, and Australia, which reflects broad targeting rather than a geographic origin; the affiliate model means the operators and the affiliates who carry out intrusions need not be co-located.
Known High-Profile/Notable Attacks/Victims/Most Recent Attacks:
Ascension: Disruption of 140 hospitals across 19 states and Washington D.C., causing system outages and cancellation of non-emergency procedures.
Synlab Italia: Network isolation and cancellation of all laboratory analysis and sample collection services across hundreds of locations in Italy.
Capita: The cyberattack caused disruption to some services provided to individual clients, but the majority of client services remained operational.
ABB: The attack resulted in unauthorized access to certain systems, but key services and systems are now operational.
Dish Network: The ransomware attack caused widespread network outages, impacting consumer apps, websites, and internal billing systems.
American Dental Association: One of the group's earliest claimed victims (April 2022); the attack took ADA email, telephone, chat, and online services offline for a period, and the group posted data it claimed was taken from the ADA on its leak site. (This is distinct from the 2024 Change Healthcare incident, which affected dental claims processing but was not a Black Basta attack.)
Hyundai Motor Europe: The attackers have claimed to have accessed and stolen three terabytes of corporate data.
MITRE ATT&CK Tactics and Techniques:
- Initial Access: Spearphishing (T1566), spearphishing by voice (T1566.004) and via Microsoft Teams messages (T1566.003), exploiting public-facing applications (e.g., the ConnectWise ScreenConnect authentication bypass CVE-2024-1709; T1190), and abuse of valid credentials (T1078).
- Discovery: Network scanning with tools such as SoftPerfect Network Scanner (netscan.exe; T1046). Reconnaissance utilities are staged under innocuous file names (e.g., Intel or Dell) left in the root of the C:\ drive (masquerading; T1036).
- Credential Access and Privilege Escalation: Credential scraping with Mimikatz (OS Credential Dumping; T1003), and exploitation of privilege-escalation vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) (T1068).
- Defense Evasion: Masquerading (T1036) using innocuous file names; impairing defenses by disabling antivirus products (using PowerShell; T1562.001) and EDR tooling (using a tool called Backstab; T1562.001).
- Execution: User execution (T1204) through social engineering to convince users to install remote access tools; command and scripting interpreter (PowerShell; T1059.001).
- Exfiltration and Encryption: RClone is used to exfiltrate data before encryption begins; files are encrypted with ChaCha20, with the key material protected by an RSA-4096 public key embedded in the ransomware (T1486); volume shadow copies are deleted with vssadmin.exe to hinder recovery (T1490).
- Impact: Data encrypted for impact (T1486); inhibit system recovery (T1490).
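Several of the behaviours in the technique list above (shadow-copy deletion, Defender being switched off from PowerShell, RClone bulk transfers, and executables parked under a vendor-like name in the root of C:\) are visible in ordinary process-creation telemetry. The triage logic below is an added example written for this page, not tooling from the advisory or from the group; the event field names follow a simplified Sysmon Event ID 1 shape, the sample events are constructed, and the rule thresholds and the "Exfiltration" label for the RClone rule are the author's own mapping, not ATT&CK identifiers taken from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample process-creation events (Sysmon Event ID 1, reduced to
# three fields). Illustrative only; not captured from a real intrusion.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Intel.exe",                      # scanner renamed and left in root of C:\
     "CommandLine": "Intel.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:backup --transfers 16",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",  # benign: listing, not deleting
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Intel\Driver\Intel.exe",  # benign: vendor install path
     "CommandLine": "Intel.exe --update",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID where the page gives one, else a descriptive label
    rule: str
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule returns (technique, description) on a hit, otherwise None.
Rule = Callable[[dict], Optional[tuple[str, str]]]


def rule_shadow_deletion(ev: dict) -> Optional[tuple[str, str]]:
    # T1490: vssadmin used to delete (not merely list) shadow copies.
    if basename(ev["Image"]) == "vssadmin.exe" and \
            re.search(r"\bdelete\s+shadows\b", ev["CommandLine"], re.I):
        return "T1490", "vssadmin shadow copy deletion"
    return None


def rule_defense_impairment(ev: dict) -> Optional[tuple[str, str]]:
    # T1562.001: Defender features disabled via PowerShell, or the Backstab EDR killer.
    name = basename(ev["Image"])
    if name in {"powershell.exe", "pwsh.exe"} and \
            re.search(r"Set-MpPreference\b.*-Disable\w+", ev["CommandLine"], re.I):
        return "T1562.001", "PowerShell disables a Microsoft Defender feature"
    if name == "backstab.exe":
        return "T1562.001", "Backstab executed"
    return None


def rule_rclone_transfer(ev: dict) -> Optional[tuple[str, str]]:
    # RClone copy/sync/move to a configured remote; label is this example's own.
    cl = ev["CommandLine"].lower()
    if (basename(ev["Image"]) == "rclone.exe" or cl.startswith("rclone")) and \
            re.search(r"\b(copy|sync|move)\b", cl):
        return "Exfiltration", "rclone bulk transfer to remote"
    return None


def rule_root_masquerade(ev: dict) -> Optional[tuple[str, str]]:
    # T1036: an executable sitting directly in a drive root (C:\Intel.exe, C:\Dell.exe ...).
    # Vendor binaries live under Program Files, so a root-level copy is worth a look.
    if re.match(r"^[a-z]:\\[^\\]+\.exe$", ev["Image"].lower()):
        return "T1036", "executable staged in drive root"
    return None


RULES: tuple[Rule, ...] = (rule_shadow_deletion, rule_defense_impairment,
                           rule_rclone_transfer, rule_root_masquerade)


def triage(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over every event; returns findings in event order."""
    findings: list[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(Finding(hit[0], hit[1], ev["Image"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:12} {f.rule:45} {f.image}")
```

The two benign events are there deliberately: a detection that fires on every vssadmin invocation or on every binary named Intel.exe will be tuned out by analysts within a week, so the rules key on the destructive verb and on the unusual location rather than on the file name alone.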
Common Methods of Infiltration:
- Primary infiltration method: Spearphishing, often combined with sophisticated social engineering.
- Exploitation of known vulnerabilities in internet-facing software (e.g., ConnectWise ScreenConnect, CVE-2024-1709).
- Leveraging tools like Qakbot for initial access and other attack stages.
- Primary ransomware: Black Basta ransomware.