#StopRansomware: Black Basta

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta Tor site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root of the C: drive [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, ScreenConnect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation and Lateral Movement

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472 [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527 [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]
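The behaviours in the Discovery and Execution section (netscan.exe, renamed utilities in the root of C:) and in this section (PowerShell tampering with antivirus, RClone staging, vssadmin shadow-copy deletion, .basta files and readme.txt notes) are the kind of host telemetry a defender can match with simple rules. The following Python is an added example written for this page; it is not code from the advisory or from any of the authoring organizations. The process-creation log lines and file listing are constructed, not real telemetry; the ATT&CK IDs on the rules are the ones the advisory assigns, and rules for behaviours the advisory leaves unmapped carry no ID. The Set-MpPreference/DisableRealtimeMonitoring string is an assumed indicator, since the advisory only says PowerShell was used to disable antivirus products.

```python
"""Flag process-creation events and file artifacts matching the Black Basta
behaviours described in the advisory. Added example; log lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line_no: int
    rule: str
    attack_id: Optional[str]  # ATT&CK ID where the advisory assigns one, else None
    image: str


# Constructed Sysmon-style records: "<time> Image=<path> CommandLine="<cmd>""
SAMPLE_EVENTS = [
    r'2024-05-01T10:01:02Z Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r'2024-05-01T10:02:13Z Image=C:\Intel.exe CommandLine="C:\Intel.exe"',
    r'2024-05-01T10:03:40Z Image=C:\Users\Public\netscan.exe CommandLine="netscan.exe"',
    r'2024-05-01T10:05:09Z Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2024-05-01T10:07:55Z Image=C:\ProgramData\rclone.exe CommandLine="rclone.exe copy C:\Finance mega:dump"',
    r'2024-05-01T10:09:30Z Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    # Legitimate vendor binary under Program Files: must NOT trip the root-of-C: rule.
    r'2024-05-01T10:10:00Z Image=C:\Program Files\Dell\SupportAssist\Dell.exe CommandLine="Dell.exe"',
]

EVENT_RE = re.compile(r'Image=(?P<image>.+?) CommandLine="(?P<cmd>.*)"$')


def _ends_with(img: str, name: str) -> bool:
    """True when the image path's final component is `name` (case-insensitive)."""
    return img.lower().endswith("\\" + name)


# (rule name, ATT&CK ID from the advisory or None, predicate over (image, command line))
RULES = [
    ("vssadmin_shadow_delete", "T1490",
     lambda img, cmd: _ends_with(img, "vssadmin.exe")
     and re.search(r"\bdelete\s+shadows\b", cmd, re.I) is not None),
    ("softperfect_netscan", None,
     lambda img, cmd: _ends_with(img, "netscan.exe")),
    # Any executable sitting directly in the root of C: (the advisory's Intel/Dell examples).
    ("executable_in_root_of_c", "T1036",
     lambda img, cmd: re.fullmatch(r"[Cc]:\\[^\\]+\.exe", img) is not None),
    # Assumed indicator: Defender real-time protection switched off from PowerShell.
    ("powershell_defender_tamper", "T1562.001",
     lambda img, cmd: _ends_with(img, "powershell.exe")
     and re.search(r"set-mppreference.*disablerealtimemonitoring", cmd, re.I) is not None),
    ("rclone_exfil", None,
     lambda img, cmd: _ends_with(img, "rclone.exe")),
]


def scan_events(lines: List[str]) -> List[Finding]:
    """Return one Finding per (event, rule) match, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if m is None:
            continue  # not a process-creation record in the expected shape
        image, cmd = m.group("image"), m.group("cmd")
        for name, attack_id, pred in RULES:
            if pred(image, cmd):
                findings.append(Finding(n, name, attack_id, image))
    return findings


RANSOM_EXT = ".basta"       # extension appended to encrypted files (advisory)
RANSOM_NOTE = "readme.txt"  # ransom note file name (advisory)


def ransom_artifacts(paths: List[str]) -> dict:
    """Look for T1486 artifacts: .basta files and readme.txt notes.

    readme.txt on its own is a common benign name, so the verdict requires both.
    """
    encrypted = [p for p in paths if p.lower().endswith(RANSOM_EXT)]
    notes = [p for p in paths if p.lower().rsplit("\\", 1)[-1] == RANSOM_NOTE]
    return {"encrypted": encrypted, "notes": notes,
            "likely_encryption": bool(encrypted) and bool(notes)}


SAMPLE_PATHS = [  # constructed file listing
    r"C:\Finance\Q1-report.xlsx.basta",
    r"C:\Finance\readme.txt",
    r"C:\Users\alice\Documents\notes.docx",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule} [{f.attack_id or 'no ID in advisory'}] {f.image}")
    print(ransom_artifacts(SAMPLE_PATHS))
```

Each rule keys on the image path rather than the command line alone, so a copied netscan.exe or rclone.exe is caught wherever it is dropped, while the Program Files entry shows why the masquerading rule is scoped to the root of C: instead of to the names Intel and Dell themselves.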

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates

Tool Name | Description
BITSAdmin | A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike | A penetration testing tool used by security professionals to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz | A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PsExec | A tool designed to run programs and execute commands on remote systems.
PowerShell | A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone | A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect | A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH), and PowerShell. It also scans for remote services, registry, files, and performance counters.
ScreenConnect | Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop | Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP | Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access

Technique Title | ID | Use
Phishing | T1566 | Black Basta affiliates have used spearphishing emails to obtain initial access.
Exploit Public-Facing Application | T1190 | Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.

Table 3: Black Basta ATT&CK Techniques for Privilege Escalation

Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | Black Basta affiliates