Black Basta Ransomware and Threat Group | Intel 471

Black Basta Ransomware and Threat Group

May 15, 2024

Threat Overview - Black Basta Ransomware and Threat Group

**Black Basta** is a financially motivated, Russian-speaking ransomware group first observed in 2022. Its ransomware encrypts files on a victim's systems or network and withholds the decryption key until the victim pays. The group also practices double extortion: data is exfiltrated before encryption, and the group threatens to publish it if the ransom is not paid. **Black Basta** operates under the Ransomware-as-a-Service (RaaS) model and has targeted organizations in many countries, including the United States, Japan, Australia, the United Kingdom, Canada and New Zealand.

Hunt Packages

Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference

This content is designed to detect scheduled tasks whose execution details reference a scripting engine or script file. Malware and adversaries use this technique to maintain persistence on a compromised system.

Autorun or ASEP Registry Key Modification

A common method by which adversaries and malicious software alike achieve persistence is adding a program to the Startup folder or referencing it in a Registry Run key. An entry in the Registry "run keys" or the Startup folder causes the referenced program to execute when a user logs in. These locations are often used for legitimate purposes; when used maliciously, however, the key name or value is often conspicuously suspicious, such as a random name or an object loaded from a temp or Public folder.

Microsoft Defender Antivirus Disabled via Registry Key Manipulation (Powershell ScriptBlock Logging Detection)

This package is designed to identify when Microsoft Defender Antivirus is disabled by changing the DisableAntiSpyware registry value from 0 to 1 using PowerShell cmdlets, as recorded by PowerShell ScriptBlock logging.

Potential Abuse of Built-in Network Tools for Network and Configuration Discovery

Searches for multiple living-off-the-land binaries (LOLBins) used for network discovery and configuration enumeration being run within a short period of time. This can indicate an attacker enumerating reachable assets as well as the local configuration of the system.

Potential Exfiltration - Common Rclone Arguments

This package identifies processes executed with command-line arguments commonly associated with rclone, a file-synchronization tool frequently used to exfiltrate data to cloud storage.
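The practical difficulty with rclone is that the binary is routinely renamed before use, so matching on the image name alone misses it. The following is an added example (not the Intel 471 hunt package's own logic) that fingerprints command lines on rclone's argument shape instead: a data-moving subcommand, a `remote:path` target, and the flags that show up in hands-on-keyboard use. The watch lists, the score threshold of three indicators and the process events are assumptions constructed for this example.

```python
import re

# Assumed watch lists for this example (not the hunt package's own lists).
# Subcommands that move or list data, and flags common in interactive rclone usage.
RCLONE_SUBCOMMANDS = {"copy", "copyto", "sync", "move", "moveto", "ls", "lsd", "lsjson", "mount"}
RCLONE_FLAGS = {
    "--config", "--transfers", "--checkers", "--ignore-existing", "--auto-confirm",
    "--multi-thread-streams", "--no-check-certificate", "--progress", "--bwlimit",
    "--max-age", "--log-file", "--include", "--exclude", "-q", "-P",
}
# rclone remotes look like <remote-name>:<path>. Requiring two or more characters before
# the colon and rejecting "://" keeps Windows drive letters (C:\...) and URLs from matching.
REMOTE_RE = re.compile(r"[A-Za-z][\w-]+:(?!//)\S*")
# Indicators needed to flag a process whose image name is not rclone (assumed threshold).
SCORE_THRESHOLD = 3
# Keep quoted paths ("\\server\share with spaces") together when tokenising a command line.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def rclone_indicators(cmdline):
    """Return the set of rclone-style indicators in a command line (program token skipped)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)][1:]
    found = set()
    for tok in tokens:
        flag = tok.split("=", 1)[0]            # --log-file=C:\x.log -> --log-file
        if flag in RCLONE_FLAGS:
            found.add(flag)
        elif tok.lower() in RCLONE_SUBCOMMANDS:
            found.add("subcommand:" + tok.lower())
        elif REMOTE_RE.fullmatch(tok):
            found.add("remote-target")
    return found


def is_suspected_rclone(image, cmdline):
    """Flag if the image is rclone itself, or if enough indicators suggest a renamed copy."""
    name = image.rsplit("\\", 1)[-1].lower()
    return "rclone" in name or len(rclone_indicators(cmdline)) >= SCORE_THRESHOLD


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r'C:\ProgramData\rclone.exe copy "\\FS01\Finance" mega:staging --transfers 8 -q --ignore-existing --auto-confirm'},
    # renamed binary: the image name gives nothing away, the arguments still do
    {"host": "WS02", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe sync C:\Users\Public\Documents s3:corp-backup --config C:\Users\Public\r.conf --transfers 4 --no-check-certificate"},
    # benign: robocopy to a file server
    {"host": "WS03", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"C:\Windows\System32\Robocopy.exe C:\Data \\FS01\Backup /MIR /R:1"},
    # benign: one shared flag name (--progress) is not enough on its own
    {"host": "WS04", "image": r"C:\Git\cmd\git.exe",
     "cmdline": r"C:\Git\cmd\git.exe push --progress origin main"},
]


def scan(events):
    """Return the hosts whose process events look like rclone usage."""
    return [e["host"] for e in events if is_suspected_rclone(e["image"], e["cmdline"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], sorted(rclone_indicators(e["cmdline"])))
    print("flagged:", scan(SAMPLE_EVENTS))
```

Sanctioned rclone use (backup jobs, admins syncing to an approved bucket) will also be flagged; that is expected for a hunt, and the analyst's allowlist of known hosts and remotes belongs on top of this logic rather than inside it.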

Living Off The Land Technique - Esentutl.exe

This package is designed to identify when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.

Excessive Windows Discovery and Execution Processes - Potential Malware Installation

This package uses a list of commonly abused living-off-the-land binaries (LOLBins) that an attacker or malware would execute in quick succession. Multiple executions of programs from the list can indicate an infection or other malicious activity on a victim host. To reduce false positives, use a distinct count per process name so that the rule requires more than 5 unique processes from the list, rather than simply more than 6 events on the host.

Usage of chmod to Enable Execution - Potential Payload Staging

This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically changes that grant execute rights. By correlating these events with user context and known file paths, the package aims to highlight potentially malicious activity, such as staging a payload for exploitation or setting up persistence mechanisms by unauthorized users.

Rundll32 Run Without Arguments

Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.

Suspicious Scheduled Task Created - Encoded PowerShell Payload Executed From Registry

This package is intended to identify when the scheduled task command (schtasks) is used to create a task that runs PowerShell to execute a base64-encoded payload stored in the Windows Registry.

Atera Agent utilized for Unauthorized Remote Access

This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command-line arguments used to install the agent and register it to an unauthorized account. The package uses several different artifacts to identify this behavior; check the 'Deployment Requirements' section for each tool to understand its limitations or requirements.

RDP Enabled Via NETSH

This hunt package is designed to capture netsh command-line arguments executed to enable Remote Desktop Protocol (RDP) access, typically by allowing the Remote Desktop rule group through the Windows firewall.

Suspicious bcdedit Activity - Potential Ransomware

BCDEdit is the command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to use bcdedit to modify the boot configuration and prevent recovery. This package identifies when bcdedit is used with common malicious arguments, such as delete and safeboot.

Local Data Staging - ADFind.exe

This content is designed to identify when ADFind.exe output is being staged on a local resource, possibly in preparation for exfiltration.

Microsoft Defender Antivirus Disabled via Registry Key Manipulation

This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry value, or when Defender's response to threats is altered by changing its configuration through registry keys.
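The two Defender packages on this page look for the same tampering from two telemetry sources: PowerShell ScriptBlock logging (the earlier package) and registry value-set events (this one). The following is an added example, not the Intel 471 hunt packages' own logic, that checks both sources for a write of 1 to DisableAntiSpyware or the related Real-Time Protection disable values under the documented policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The Sysmon Event ID 13 field layout (TargetObject plus a Details string such as "DWORD (0x00000001)") is assumed, and all log lines are constructed.

```python
import re

# Documented Defender policy location and the values that, when set to 1, switch a component off.
DEFENDER_POLICY_ROOT = r"SOFTWARE\Policies\Microsoft\Windows Defender"
DISABLE_VALUES = (
    "DisableAntiSpyware",            # whole engine; lives directly under the policy root
    "DisableRealtimeMonitoring",     # the rest live under ...\Real-Time Protection
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
)

# Source 1: PowerShell ScriptBlock text (Event ID 4104). One command per line is assumed, and
# only literal cmdlet names are matched: aliases and obfuscation need separate handling.
SCRIPTBLOCK_RE = re.compile(
    r"(?i)\b(?:set-itemproperty|new-itemproperty|reg(?:\.exe)?\s+add)\b"   # a write, not a read
    r"[^\n]*?windows defender"                                             # under the policy root
    r"[^\n]*?\b(?:" + "|".join(DISABLE_VALUES) + r")\b"                   # one of the disable values
    r"[^\n]*?(?:-value|/d)\s+[\"']?(?:0x)?0*1[\"']?(?!\d)"                 # ... set to exactly 1
)

# Source 2: Sysmon registry value-set events (Event ID 13), Details formatted "DWORD (0x...)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def scriptblock_disables_defender(script_text):
    """True if any line of the script block writes a Defender disable value of 1."""
    return SCRIPTBLOCK_RE.search(script_text) is not None


def registry_event_disables_defender(target_object, details):
    """True if a registry event sets one of the disable values under the policy root to 1."""
    path, _, value_name = target_object.rpartition("\\")
    if value_name not in DISABLE_VALUES or DEFENDER_POLICY_ROOT.lower() not in path.lower():
        return False
    m = DWORD_RE.fullmatch(details.strip())
    return m is not None and int(m.group(1), 16) == 1


# Constructed samples (not real logs).
SAMPLE_SCRIPT_BLOCKS = [
    "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 1 -Type DWord",
    "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    # benign: re-enabling (value 0) and a read-only query
    "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 0",
    "Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware",
]
SAMPLE_REGISTRY_EVENTS = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000001)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000000)"),
    # same value name under an unrelated vendor key: not the tamper being hunted
    (r"HKLM\SOFTWARE\Contoso\Agent\DisableAntiSpyware", "DWORD (0x00000001)"),
]


def find_defender_tampering(script_blocks=SAMPLE_SCRIPT_BLOCKS, registry_events=SAMPLE_REGISTRY_EVENTS):
    """Return (source, evidence) tuples for every record that disables a Defender component."""
    findings = [("scriptblock", s) for s in script_blocks if scriptblock_disables_defender(s)]
    findings += [("registry", t) for t, d in registry_events if registry_event_disables_defender(t, d)]
    return findings


if __name__ == "__main__":
    for source, evidence in find_defender_tampering():
        print(source, "->", evidence)
```

The registry path is the more robust of the two sources: it sees the write whether it came from PowerShell, reg.exe, a GPO or a binary, whereas the script-block pattern only catches literal cmdlet names. Changes made through Set-MpPreference (for example -DisableRealtimeMonitoring $true) surface as the same registry writes, so the registry check covers them too.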

Suspicious Child Process - Calc.exe

This use case identifies when calc.exe spawns a child process other than calc.exe. Such a child process should be considered abnormal and could indicate process injection or other malicious activity.

Shadow Copies Deletion Using Operating Systems Utilities

Ransomware is known to delete Windows Volume Shadow Copies before it begins encrypting data on the victim host, typically using PowerShell, vssadmin or wmic. This package identifies PowerShell, wmic, vssadmin or vssvc execution with command-line arguments containing 'delete' and a variation of 'shadow'.
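Shadow-copy deletion and the bcdedit tampering described earlier on this page are two halves of the same pre-encryption routine, and seeing both on one host is a much stronger signal than either alone. The following is an added example, not code from the Intel 471 hunt packages, that applies the page's command-line logic ('delete' plus a variation of 'shadow' for the named images; delete and safeboot for bcdedit) and then correlates the two per host. It goes slightly beyond the page by also matching PowerShell's Remove-WmiObject/Remove-CimInstance cmdlets and bcdedit's recoveryenabled/bootstatuspolicy settings; those additions, pwsh.exe in the image list, and all sample events are assumptions for this example.

```python
import re
from collections import defaultdict

# Images the page names for shadow-copy deletion (pwsh.exe added here for PowerShell 7).
SHADOW_IMAGES = {"powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "vssvc.exe"}

# "delete" (or, an extension beyond the page, the Remove-* cmdlets that do the same job)
# together with any variation of "shadow": shadows, shadowcopy, Win32_ShadowCopy, shadowstorage.
SHADOW_DELETE_RE = re.compile(r"(?is)(?=.*(?:\bdelete\b|remove-(?:wmi|cim)(?:object|instance)))(?=.*shadow)")

# bcdedit arguments the page names (delete, safeboot) plus two well-known recovery-disabling
# settings added here as an extension.
BCDEDIT_RE = re.compile(
    r"(?i)(?:/delete(?:value)?\b|\bsafeboot\b|recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)"
)


def classify(image, cmdline):
    """Return a finding label for one process-creation event, or None if it is not of interest."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SHADOW_IMAGES and SHADOW_DELETE_RE.search(cmdline):
        return "shadow_copy_deletion"
    if name == "bcdedit.exe" and BCDEDIT_RE.search(cmdline):
        return "boot_config_tamper"
    return None


def scan(events):
    """Return (host, label, cmdline) for every event that matches either pattern."""
    findings = []
    for e in events:
        label = classify(e["image"], e["cmdline"])
        if label:
            findings.append((e["host"], label, e["cmdline"]))
    return findings


def hosts_with_both(findings):
    """Hosts showing shadow-copy deletion AND boot-config tampering: a strong pre-encryption signal."""
    by_host = defaultdict(set)
    for host, label, _ in findings:
        by_host[host].add(label)
    return sorted(h for h, labels in by_host.items()
                  if {"shadow_copy_deletion", "boot_config_tamper"} <= labels)


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "SRV01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "SRV01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "SRV01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "SRV01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "SRV01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    # benign: listing shadow copies and enumerating the boot store
    {"host": "SRV02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "SRV02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum all"},
]

if __name__ == "__main__":
    for host, label, cmdline in scan(SAMPLE_EVENTS):
        print(host, label, "<-", cmdline)
    print("hosts with both:", hosts_with_both(scan(SAMPLE_EVENTS)))
```

Backup software and storage agents do legitimately delete shadow copies, so the single-event matches are hunt leads; the per-host correlation is what turns them into an incident.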

Regsvr32 Running Files from Temp Directories

This hunt package identifies files (such as DLLs) executed from a temporary directory by regsvr32.exe. This LOLBin is often abused to proxy execution or launch malicious applications.
