Analyzing Black Basta Ransomware TTPs
Industries: Agriculture, Consulting, Energy, Government, Manufacturing, Professional Services, Real Estate, Transportation, Utilities | Level: Tactical | Source: Unit42
Palo Alto Networks Unit42 published updated research on the ransomware-as-a-service (RaaS) group Black Basta, which has been prolific since it emerged in April 2022. A review of Basta News, the data leak site the group runs to name and shame victims, shows more than 75 organizations listed to date; at least 20 of them were posted within the first two weeks of the operation. Unit42 assesses that the group may be staffed by current or former members of other ransomware crews: "Based on multiple similarities in tactics, techniques and procedures (TTPs) - victim-shaming blogs, recovery portals, negotiation tactics, and how quickly Black Basta amassed its victims - the Black Basta group could include current or former members of the Conti group."

Unit42 also documented an attack chain in which Black Basta used Qakbot (Qbot) for initial access, launched Cobalt Strike for reconnaissance and lateral movement, and finally deployed the ransomware. Victims span agriculture, consulting, energy, government, manufacturing, professional services, real estate, transportation and utilities, and the group's site states that it targets organizations in the United States, United Kingdom, Australia, Canada and New Zealand.
- Black Basta Attack with QBot, CS Recon and Lateral Movement
Anvilogic Use Cases:
- Wscript/Cscript Execution
- Modify Group Policy
- Remote Admin Tools
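The first use case above, Wscript/Cscript execution, is the stage where a script-based loader such as Qakbot typically first touches the endpoint. The following Python is an added example written for this page; it is not Anvilogic's rule logic and not code from the Unit42 report. It runs a minimal detector over constructed, Sysmon-style process-creation events (the field names `Image`, `ParentImage`, `CommandLine` and `RecordId`, and the sample events themselves, are assumptions made for the illustration) and flags a script host that is spawned by a mail, Office or browser client, that runs a script from a user-writable location, or that forces a script engine with `//E:` so the payload need not carry a script extension.

```python
"""Added example: flag suspicious wscript.exe / cscript.exe process creations.

Not Anvilogic's rule and not from the Unit42 report. Event fields follow the
Sysmon Event ID 1 naming convention; the events below are constructed for
this illustration and are assumptions, not captured telemetry.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Mail, Office and browser clients rarely need to launch a script host; a
# script host spawned by one of them is how JS/VBS-attachment chains begin.
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh)\b", re.I)
# Downloads, AppData and any Temp directory: locations a phished user can write to.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\(?:downloads|appdata)|temp)\\", re.I)
# "//E:jscript" (or "/E:") tells the host which engine to use regardless of extension.
ENGINE_OVERRIDE = re.compile(r"(?:^|\s)//?e:\w+", re.I)


def tokens(cmdline: str) -> List[str]:
    """Split a command line into quoted strings and whitespace-separated tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_argument(cmdline: str) -> str:
    """Return the token that most likely names the script being run, else ''."""
    toks = tokens(cmdline)
    for tok in toks:
        if SCRIPT_EXT.search(tok):
            return tok
    if ENGINE_OVERRIDE.search(cmdline):
        # With an engine override the payload can have any extension (or none),
        # so fall back to the last non-switch argument.
        return next((t for t in reversed(toks) if not t.startswith("/")), "")
    return ""


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks suspicious; an empty list means ignore it."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons: List[str] = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    script = script_argument(cmdline)
    if script and USER_WRITABLE.search(script):
        reasons.append("script in user-writable location")
    if ENGINE_OVERRIDE.search(cmdline):
        reasons.append("script engine forced with //E:")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run score_event over every event and keep the ones that produced reasons."""
    alerts = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            alerts.append((event["RecordId"], reasons))
    return alerts


# Constructed sample events (assumption: Sysmon-style field names).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_2022.js"'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"RecordId": 3, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"wscript.exe //E:jscript C:\Users\bob\AppData\Local\Temp\attach.tmp"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for record_id, reasons in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: {'; '.join(reasons)}")
```

Record 2 is the benign control: an administrator running `slmgr.vbs` from `cmd.exe` out of `System32` produces no reasons, which is the kind of legitimate script-host use a production rule has to tolerate. Record 3 shows why the engine-override check matters: the payload is a `.tmp` file that an extension-only rule would miss.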