FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.
In this article, we showcase the capability of FortiSandbox in identifying and documenting the behaviors of ransomware associated with the Black Basta group. Before looking into specifics, it is important to understand the fundamental concept of ransomware. This type of malware is designed to block access to computer systems or files until a ransom, usually monetary, is paid. It employs various methods, one of which involves encrypting files on the victim's computer using robust encryption algorithms. Once the files are encrypted, the ransomware displays a message demanding payment in exchange for the decryption key, which is necessary for regaining access to the files. The Black Basta ransomware operates on a model known as Ransomware-as-a-Service (RaaS), where cybercriminals provide a toolkit for executing ransomware attacks against both individuals and organizations.
All the information presented in this article was gathered from the Job Detail report generated by FortiSandbox. Through this exploration, readers will gain insight into robust detection mechanisms of FortiSandbox and its vital role in protecting against sophisticated malware threats.
The purpose of this article is to demonstrate how FortiSandbox detects, mitigates, and documents the behaviors of the analyzed Black Basta ransomware (hash: bc95f228b11fa3b4e91c30d98f9f3bff) and to provide visual aids for that analysis. A Tree View diagram (Figure 1) illustrates the sequence of execution, outlining the chronological order in which the ransomware's actions and processes occur. This visual representation offers valuable insight into the ransomware's behavior, allowing the analyst to trace the flow of operations and understand how the ransomware operates.
Figure 1. Chain of execution run inside FortiSandbox
Additionally, suspicious indicators triggered during analysis were recorded (Figure 2), providing further context and aiding in the identification of potentially malicious activities. FortiSandbox classified the malware as "High Risk Ransomware" as observed in Figure 3, emphasizing its severity.
Figure 2. FortiSandbox indicators with severity ratings
Figure 3. FortiSandbox classification of the malware sample
The Black Basta ransomware implements measures to check for the presence of debuggers, employing anti-debugging techniques. These are methods used by malware to detect and counteract debugging attempts, making analysis of the malware's behavior challenging. Figure 4 illustrates a call to the Windows API function IsProcessorFeaturePresent(0x17), where 0x17 corresponds to PF_FASTFAIL_AVAILABLE. This anti-debugging technique verifies whether __fastfail() is supported; if it is not, the program terminates. FortiSandbox triggered an indicator for this behavior, as shown in Figure 5.
Figure 4. Anti-debugging technique to check for __fastfail() support
Figure 5. FortiSandbox indicator for anti-virtualization or anti-debugging methods
Upon infecting a system, the Black Basta ransomware employs several tactics. First, it selectively encrypts files across the system, excluding the Windows directory. The encryption process appends a distinct file extension, comprising nine randomly generated alphanumeric characters, to each affected file. In our analysis, this extension was identified as sah28vut5 (Figure 6). Encrypting the files in this way denies the victim access to them, a common technique used by ransomware to pressure the victim into paying.
Figure 6. Encrypted files with the extension "sah28vut5" appended
Subsequently, Black Basta drops a file named fkdjsadasd.ico inside the %Temp% folder (Figure 7). This file serves as the icon representing Black Basta. The presence of the icon adds a visual cue on the victim's system, potentially increasing the sense of urgency and intimidation.
Figure 7. Black Basta icon dropped inside the %Temp% folder
Furthermore, Black Basta manipulates the registry to ensure its icon is associated with each encrypted file. It achieves this by creating a registry key whose default value is set to the path of the dropped icon file:
Key: HKLM\SOFTWARE\Classes\.sah28vut5\DefaultIcon\
Data: %Temp%\fkdjsadasd.ico
This behavior is seen in an indicator captured by FortiSandbox (Figure 8). The manipulation replaces the default icons of encrypted files with the ransomware's icon, further emphasizing its presence and the demand for payment.
Figure 8. Creation of a new registry key to ensure the ransomware's icon is associated with each encrypted file
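The registry association described above is easy to hunt for after the fact: a `DefaultIcon` key under `HKLM\SOFTWARE\Classes\<ext>` whose value points into a temp directory, for an extension that looks randomly generated, is exactly the artifact the FortiSandbox indicator in Figure 8 captures. The following script is an added example, not code from the original article or from Fortinet; it parses a constructed `reg export` style dump (the `.sah28vut5` entry mirrors the key and data quoted in the article, the `.txt` entry is a benign control) and flags associations that match the pattern. The regular expressions and the temp-path heuristic are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export HKLM\SOFTWARE\Classes" dump; not taken from
# the page's sandbox report. The .sah28vut5 key mirrors the association described
# in the article, the .txt key is a benign control entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,-102"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sah28vut5]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sah28vut5\DefaultIcon]
@="%Temp%\\fkdjsadasd.ico"
"""

KEY_LINE_RE = re.compile(r"^\[(.+)\]$")
# Matches ...\Classes\<.ext>\DefaultIcon, the key shape shown in the article
EXT_ICON_KEY_RE = re.compile(r"\\Classes\\(\.[^\\]+)\\DefaultIcon$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# Article observation: the appended extension is nine random alphanumeric characters
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{9}$")
# Heuristic (assumption): icon stored under %Temp%, %TMP% or the expanded user temp dir
TEMP_ICON_RE = re.compile(r"^%(temp|tmp)%\\|\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_default_icons(reg_text: str) -> Dict[str, str]:
    """Map each file-extension key to the icon path stored as its DefaultIcon default value."""
    icons: Dict[str, str] = {}
    current_ext = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        key = KEY_LINE_RE.match(line)
        if key:
            ext_key = EXT_ICON_KEY_RE.search(key.group(1))
            current_ext = ext_key.group(1) if ext_key else None
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if current_ext and value:
            # .reg files escape backslashes and double quotes inside string data
            icons[current_ext] = value.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return icons


def suspicious_icon_associations(reg_text: str) -> List[dict]:
    """Flag extension/icon associations that match the pattern described in the article."""
    findings = []
    for ext, icon_path in parse_default_icons(reg_text).items():
        reasons = []
        if TEMP_ICON_RE.search(icon_path):
            reasons.append("icon file stored in a temp directory")
        if RANDOM_EXT_RE.match(ext):
            reasons.append("nine-character alphanumeric extension")
        if reasons:
            findings.append({"extension": ext, "icon": icon_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_icon_associations(SAMPLE_REG_EXPORT):
        print(f"{finding['extension']} -> {finding['icon']}: {', '.join(finding['reasons'])}")
```

On a live host the same logic can be fed the output of `reg export HKLM\SOFTWARE\Classes classes.reg`; the two reasons are reported separately so that a legitimate application that happens to install an icon from a temp location is not confused with the combined pattern seen here.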
Following the completion of its encryption of system files, the Black Basta ransomware leaves its mark in each affected folder by creating a text file titled instructions_read_me.txt, as depicted in Figure 9. Within this file, the ransomware provides detailed instructions for the victim, outlining the steps necessary to fulfill the ransom demand. The content of the ransom note is illustrated in Figure 10. Additionally, a uniquely generated identification code is included, allowing the victim to identify themselves to the attackers and proceed with the payment process.
Figure 9. Ransom note named ‘instruction_read_me.txt’ dropped
Figure 10. Ransom note content
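The two file-system artifacts described in the encryption and ransom-note sections above (an original extension followed by nine random alphanumeric characters, and a note named instructions_read_me.txt in each affected folder) can be checked directly against a file listing. The script below is an added example, not code from the article or from Fortinet; it runs over a constructed list of paths (only the extension `sah28vut5` and the note name come from the article) and summarizes which extensions, notes and directories match. The "original extension underneath" rule and the spread-across-directories threshold are assumptions of this example, chosen so that files such as `.gitignore`, whose whole name is nine letters, are not flagged.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Rules taken from the article: nine random alphanumerics appended after the original
# extension, and a note named instructions_read_me.txt in each affected folder.
APPENDED_EXT_RE = re.compile(r"^[A-Za-z0-9]{9}$")
RANSOM_NOTE_NAME = "instructions_read_me.txt"

# Constructed file listing (not from the page's sandbox report); only the
# extension "sah28vut5" and the note name are taken from the article.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.sah28vut5",
    r"C:\Users\alice\Documents\budget.xlsx.sah28vut5",
    r"C:\Users\alice\Documents\instructions_read_me.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.sah28vut5",
    r"C:\Users\alice\Pictures\instructions_read_me.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Users\alice\repo\.gitignore",
    r"C:\Windows\System32\kernel32.dll",
]


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, filename) for a Windows-style path."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory, name


def appended_extension(filename: str) -> Optional[str]:
    """Return the 9-char suffix when the name looks like <name>.<orig_ext>.<suffix>, else None."""
    stem, sep, suffix = filename.rpartition(".")
    # Assumption: the original extension must still be present under the appended one,
    # which keeps dotfiles such as ".gitignore" (nine letters) from matching.
    if not sep or "." not in stem:
        return None
    return suffix if APPENDED_EXT_RE.match(suffix) else None


def summarize_ransomware_markers(paths: Iterable[str]) -> Dict:
    """Count candidate appended extensions, collect ransom notes and the directories touched."""
    ext_counts: Counter = Counter()
    ext_dirs: Dict[str, set] = defaultdict(set)
    notes: List[str] = []
    for path in paths:
        directory, name = split_path(path)
        if name.lower() == RANSOM_NOTE_NAME:
            notes.append(path)
            continue
        suffix = appended_extension(name)
        if suffix:
            ext_counts[suffix] += 1
            ext_dirs[suffix].add(directory)
    affected = {split_path(note)[0] for note in notes}
    for dirs in ext_dirs.values():
        affected |= dirs
    return {
        "suspect_extensions": dict(ext_counts),
        "extension_directories": {ext: sorted(dirs) for ext, dirs in ext_dirs.items()},
        "ransom_notes": notes,
        "affected_directories": sorted(affected),
    }


def is_likely_ransomware_impact(paths: Iterable[str]) -> bool:
    """True when a ransom note is present or one appended extension spans two or more directories."""
    summary = summarize_ransomware_markers(list(paths))
    spread = any(len(dirs) >= 2 for dirs in summary["extension_directories"].values())
    return bool(summary["ransom_notes"]) or spread


if __name__ == "__main__":
    result = summarize_ransomware_markers(SAMPLE_PATHS)
    print("suspect extensions:", result["suspect_extensions"])
    print("ransom notes:", len(result["ransom_notes"]))
    print("affected directories:", result["affected_directories"])
    print("likely ransomware impact:", is_likely_ransomware_impact(SAMPLE_PATHS))
```

Because the extension is regenerated per infection, the detector keys on the shape of the name rather than on the literal `sah28vut5`; the note name, by contrast, is a stable string and is matched exactly.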
The ransom note contains a unique URL ending in .onion, accessible through the Tor browser, as illustrated in Figure 11. This URL acts as an anonymous connection point to the attacker, facilitating communication and ransom payment while safeguarding the anonymity of both parties. The instructions establish a direct communication channel between the attackers and the victim, guiding the victim through the ransom payment procedure and the decryption of their files.
Figure 11. Unique URL ending in .onion, accessible through the Tor browser
Like many other ransomware variants, Black Basta employs sophisticated tactics to amplify the impact of its attack. One such strategy involves the deletion of volume shadow copies, which serve as backups of files and system settings. This deliberate action prevents victims from restoring their systems to a previous state, heightening the urgency of the situation. By deleting these backups, Black Basta not only denies victims the option to restore their files but also intensifies the severity of the attack. The command executed to delete shadow copies from the system is:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
This command is captured by a FortiSandbox indicator, as illustrated in Figure 12.
Figure 12. Command to delete shadow copies from system
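The shadow-copy deletion is one of the most reliable detection points in the chain, because it runs as a distinct child process with a recognisable command line. The following script is an added example, not code from the article or from Fortinet; it scans constructed process-creation records in a simple key=value format (the two vssadmin command lines reproduce the ones quoted in the article, including the SysNative path variant from the MITRE table below, while the other records are benign controls) and returns the records that delete shadow copies. The log format and the field names are assumptions of this example, not a Fortinet or Sysmon format.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed process-creation records in a simple key=value form (not real sandbox
# or Sysmon output). The two vssadmin command lines reproduce the ones quoted in the
# article; the other records are benign controls.
SAMPLE_PROCESS_LOG = r"""
2024-05-14T10:02:11Z pid=4120 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c vssadmin.exe delete shadows /all /quiet
2024-05-14T10:02:12Z pid=4121 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
2024-05-14T10:05:00Z pid=5002 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe list shadows
2024-05-14T10:06:30Z pid=5100 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c dir C:\Users
""".strip().splitlines()

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$"
)


def normalize_command(cmdline: str) -> List[str]:
    """Lower-case, strip quotes, and drop a leading 'cmd.exe /c' (or '/k') wrapper."""
    tokens = [token.strip('"') for token in cmdline.lower().split()]
    is_cmd_wrapper = (
        len(tokens) > 2
        and tokens[0].rsplit("\\", 1)[-1] in ("cmd", "cmd.exe")
        and tokens[1] in ("/c", "/k")
    )
    return tokens[2:] if is_cmd_wrapper else tokens


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command runs vssadmin with 'delete shadows', whatever path was used."""
    tokens = normalize_command(cmdline)
    if not tokens:
        return False
    executable = tokens[0].rsplit("\\", 1)[-1]
    return executable in ("vssadmin", "vssadmin.exe") and "delete" in tokens and "shadows" in tokens


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value record; returns None for lines that do not fit the format."""
    match = RECORD_RE.match(line.strip())
    return match.groupdict() if match else None


def find_shadow_copy_deletions(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the records whose command line deletes volume shadow copies (MITRE T1490)."""
    hits = []
    for line in lines:
        record = parse_record(line)
        if record and is_shadow_copy_deletion(record["cmdline"]):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_PROCESS_LOG):
        print(f"{hit['ts']} pid={hit['pid']} T1490 shadow copy deletion: {hit['cmdline']}")
```

Matching on the executable's base name and on the `delete` and `shadows` tokens, rather than on the exact string, keeps the rule valid for both the `vssadmin.exe` and the `C:\Windows\SysNative\vssadmin.exe` forms seen in this analysis, while `vssadmin list shadows`, which administrators run routinely, is left alone.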
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via Inline Scan and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
| Technique ID | Technique Description | Observed Activity |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ransomware uses cmd.exe to execute Windows utilities |
| T1518.001 | This file checked file system for anti-virtualization or anti-debug | The ransomware verifies support for the __fastfail() feature using the Windows API function IsProcessorFeaturePresent(0x17), with 0x17 representing PF_FASTFAIL_AVAILABLE |
| T1486 | Data Encrypted for Impact | Ransomware-like behaviors were detected: file(s) modified and encrypted. |
| T1490 | Inhibit System Recovery | The malware deletes shadow copy files from the system to inhibit system recovery. The following command is used to delete shadow copies: cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| Analyzed Executable | bc95f228b11fa3b4e91c30d98f9f3bff | MD5 hash | Installation | Black Basta ransomware | 2024-05-14 |
| | 882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 | SHA256 hash | | | |
| Black Basta executable detected by FSA | 497ef4779c6770e4497adf0bc71655f1 | MD5 hash | Installation | Black Basta ransomware | 2024-05-14 |
| | 62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 | SHA256 hash | | | |
| Black Basta executable detected by FSA | 80ab6a4d16c8137308dea1dc7922bd47 | MD5 hash | Installation | Black Basta ransomware | 2024-05-14 |
| | 3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a | SHA256 hash | | | |
| Black Basta executable detected by FSA | 2f90cd68e4a92c5151c6e43902397a13 | MD5 hash | Installation | Black Basta ransomware | 2024-05-14 |
| | acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f | SHA256 hash | | | |
| Black Basta executable detected by FSA | b648b7305df49492c44a1280ec2228a0 | MD5 hash | Installation | Black Basta ransomware | 2024-05-14 |
| | d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d | SHA256 hash | | | |
The detailed analysis of the Black Basta ransomware underscores the sophistication of modern malware techniques, emphasizing the need for proactive defense strategies. The robust detection capabilities of FortiSandbox efficiently identify and document the ransomware's malicious behaviors, including file encryption, registry manipulation, volume shadow copy deletion, and other suspicious activities associated with ransomware attacks. By leveraging FortiSandbox, organizations can proactively protect their networks against ransomware variants and other emerging threats.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.