FortiEDR
mrobson
Staff
Article Id 261286

Introduction

Black Basta is a ransomware group that operates its own ransomware-as-a-service (RaaS) offering of the same name. Black Basta began operations in April 2022 and continues to execute targeted attacks against high-profile organizations in predominantly English-speaking countries, including the US, UK, Australia, New Zealand and Canada, i.e. the members of the Five Eyes (FVEY) intelligence alliance. The techniques employed by Black Basta operators align closely with those described in the Conti leaks.

The purpose of this article is to demonstrate how FortiEDR detects and mitigates the execution of Black Basta ransomware and its subsequent encryption behavior. The initial access and pre-ransomware techniques employed by Black Basta operators vary greatly between victims, so this article focuses only on detections and mitigations for the malware itself. The Black Basta executable analyzed in this article is a 32-bit executable built with the Microsoft Visual C/C++ compiler. Whilst many publicly available samples are executables like the one analyzed here, there are also DLL implementations of this ransomware. These DLL implementations are functionally the same as the executables; the main differences are the process chain associated with execution of the sample and some minor cosmetic changes to the dropped logo.

Analysis

FortiEDR employs machine learning and online sandboxing, which allows it to detect new variants and new families of malware, including ransomware. As well as these more advanced detections, FortiEDR also integrates with FortiGuard threat intelligence and AV engines. The combination of these capabilities allows FortiEDR to detect Black Basta ransomware before it executes. This pre-execution detection results in a security event as shown below in Figure 1.

[Image: Fig1.png]

Figure 1. FortiEDR security event related to the pre-execution detection of Black Basta ransomware (‘ae7.exe’ in this example).

Like many other ransomware families, Black Basta attempts to delete volume shadow copies on victim endpoints prior to beginning file encryption. This corresponds to T1490 – Inhibit System Recovery and prevents victims from restoring encrypted file systems to a known-good state stored in volume shadow copies. Black Basta implements this technique by spawning a cmd.exe process with the following parameters:

/c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet

This command spawns an instance of vssadmin to delete all shadow copies. The ‘/all’ parameter selects all available shadow copies and the ‘/quiet’ parameter suppresses additional console output while the application executes.

FortiEDR detects the vssadmin tool interfacing with the Volume Shadow Copy service and creates a security event triggered by the ‘Suspicious Application’ rule within the Ransomware Prevention security policy. The related security event and associated event graph can be seen in Figure 2 below.

[Image: Fig2.png]

Figure 2. FortiEDR security event related to detection of service access associated with Black Basta attempts to delete volume shadow copies using the vssadmin utility.

Once volume shadow copies have been deleted, the Black Basta ransomware begins the file encryption process. Black Basta performs its encryption using the overwrite method: it reads the contents of a target file, overwrites the existing content with encrypted content, and then renames the encrypted file to include the ransomware file extension. In the analyzed Black Basta sample the appended file extension is ‘.basta’. This encryption behavior triggers FortiEDR’s ‘File Encryptor – Suspicious File Modification’ rule in the Ransomware Prevention security policy. An example of this File Encryptor event can be seen below in Figure 3.

[Image: Fig3.png]

Figure 3. FortiEDR security event associated with file encryption behavior of Black Basta ransomware.

As can be expected, this encryption method results in a large number of file read, file write and file rename operations. These file operations can be observed in the FortiEDR threat hunting data shown below in Figure 4, in addition to the security event shown above in Figure 3.

[Image: Fig4.png]

Figure 4. FortiEDR Threat Hunting data associated with Black Basta file encryption activity.
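
The read, write and rename pattern visible in Figure 4 is what a behavioral "file encryptor" style rule keys on. The Python below is an added illustration written for this article, not FortiEDR's own rule logic (which the article does not describe in detail): it walks a constructed stream of per-process file events, tracks each file through read, then overwrite, then rename-with-extension-change, and flags any process that completes that sequence on at least min_files files within a sliding time window. The event schema, the 5-files-in-10-seconds threshold and the three sample processes are assumptions made for the example.

```python
"""Behavioral detector for overwrite-then-rename file encryption.

Added example, not FortiEDR code. Event fields, the 5-files-in-10-seconds
threshold and the sample processes are all assumptions for illustration.
"""
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since start of capture
    pid: int            # acting process
    op: str             # "read", "write" or "rename"
    path: str           # file acted on
    new_path: str = ""  # destination path for rename events


def extension_changed(old: str, new: str) -> bool:
    """True when a rename alters the extension, e.g. report.docx -> report.docx.basta."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def overwrite_and_rename_sequences(events):
    """Track each (pid, path) through read -> write -> rename with a new extension.

    Returns {pid: [(completion_ts, new_path), ...]} for processes that
    completed the full sequence on at least one file.
    """
    stage = defaultdict(dict)      # pid -> {path: 1 after read, 2 after write}
    completed = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        per_pid = stage[ev.pid]
        if ev.op == "read":
            per_pid[ev.path] = 1
        elif ev.op == "write" and per_pid.get(ev.path) == 1:
            per_pid[ev.path] = 2
        elif ev.op == "rename":
            # Only a read+overwritten file renamed to a new extension counts
            if per_pid.pop(ev.path, 0) == 2 and extension_changed(ev.path, ev.new_path):
                completed[ev.pid].append((ev.ts, ev.new_path))
    return dict(completed)


def max_in_window(times, window_s: float) -> int:
    """Largest number of timestamps falling inside any window_s-wide interval."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:   # slide the left edge up to t - window_s
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_encryptors(events, min_files: int = 5, window_s: float = 10.0):
    """Return {pid: files_in_densest_window} for processes over the threshold."""
    flagged = {}
    for pid, done in overwrite_and_rename_sequences(events).items():
        n = max_in_window([ts for ts, _ in done], window_s)
        if n >= min_files:
            flagged[pid] = n
    return flagged


def build_sample_events():
    """Constructed telemetry: one encryptor-like process and two benign ones."""
    events, t = [], 0.0
    for i in range(8):                       # pid 4242: read, overwrite, rename x8 in ~2.4 s
        p = rf"C:\Users\victim\Documents\file{i}.docx"
        events += [FileEvent(t, 4242, "read", p),
                   FileEvent(t + 0.1, 4242, "write", p),
                   FileEvent(t + 0.2, 4242, "rename", p, p + ".basta")]
        t += 0.3
    doc = r"C:\Users\victim\Documents\notes.txt"
    for _ in range(10):                      # pid 1000: an editor saving the same file
        events += [FileEvent(t, 1000, "read", doc), FileEvent(t + 0.1, 1000, "write", doc)]
        t += 1.0
    events.append(FileEvent(t, 2000, "rename",  # pid 2000: a one-off manual rename
                            r"C:\Users\victim\a.txt", r"C:\Users\victim\a.bak"))
    return events


if __name__ == "__main__":
    print(flag_encryptors(build_sample_events()))   # {4242: 8}
```

The editor (pid 1000) never renames, and the manual rename (pid 2000) has no preceding read and overwrite, so neither accumulates completed sequences; only the process that repeats the full sequence across many files crosses the threshold.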
Following encryption of files on the target endpoint, the Black Basta ransomware creates an image that is set as the desktop background. The image includes a ransom-note-style message for the victim, referring them to a ransom note that is written to every directory in which a file was encrypted. The name of the Black Basta ransom note is ‘readme.txt’. The ransomware also drops an icon file and modifies the registry so that all files with the ‘.basta’ extension display the new icon. This change to the desktop background creates a ‘Modify OS Settings’ event triggered by the ‘Unconfirmed Executable’ rule in the Ransomware Prevention security policy. An example of this event from our analysis is shown below in Figure 5.

[Image: Fig5.png]

Figure 5. FortiEDR security event associated with Black Basta altering the registry to display their icon for the ‘.basta’ file extension.

A screenshot of the changed background that is set after successful ransomware execution is shown below in Figure 6. This screenshot was taken following our test analysis. Note the altered background and the encrypted files (file extension ‘.basta’) bearing the Black Basta logo.

[Image: Fig6.png]

Figure 6. Sample desktop following Black Basta encryption showing the modified desktop background and Black Basta logo.

Conclusion

FortiEDR detects and mitigates the execution of current Black Basta ransomware and its subsequent file encryption behaviors. This detection and mitigation are based on machine learning and sandbox integrations, FortiGuard threat intelligence and behavioral analysis. This layered approach to malicious behavior detection will prevent future iterations of Black Basta from being effective and ensure the longevity of FortiEDR protections. Note that during the analysis outlined in this article FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of Black Basta ransomware execution. In ‘Prevention Mode’ all detected activity is blocked by the associated policies.

In addition to these protections, FortiEDR threat hunting telemetry provides further opportunities to detect suspected encryption activity, including pre-encryption techniques like the volume shadow copy deletion behavior observed in this sample. FortiEDR threat hunting queries are included below, along with IOCs and MITRE ATT&CK mappings and observables.

Threat Hunting

The following threat hunting query returns FortiEDR Process Creation events where cmd.exe is executed with command line arguments that delete Windows volume shadow copies.

Type: ("Process Creation") AND Target.Process.File.Name:("cmd.exe") AND Target.Process.CommandLine:(" delete shadows \/all \/quiet")

The following threat hunting query returns FortiEDR File Rename events where a file is renamed to include the ‘.basta’ file extension. If this activity is observed it is likely that the Black Basta ransomware has executed successfully; this query has been included for completeness and should not be relied on for initial detection.

Type:"File Rename" AND Target.File.AdditionalData.TargetPath:("*.basta")

The following threat hunting query returns FortiEDR File Create events where the created filename matches the filename of the icon file created by Black Basta ransomware and set as the default icon for ‘.basta’ files. The filename of the dropped ico file may change between ransomware variants. If this activity is observed it is likely that the Black Basta ransomware has executed successfully; this query has been included for completeness and should not be relied on for initial detection.

Type:"File Create" AND Target.File.Name:("fkdjsadasd.ico")

The following threat hunting query returns FortiEDR File Create events where the created filename matches the filename of the jpg file created by Black Basta ransomware and set as the desktop background. The filename of the dropped jpg file may change between ransomware variants. If this activity is observed it is likely that the Black Basta ransomware has executed successfully; this query has been included for completeness and should not be relied on for initial detection.

Type:"File Create" AND Target.File.Name:("dlaksjdoiwq.jpg") 
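
The four queries above can be expressed as matchers over process and file events. The following Python is an added example written for this article; it is not FortiEDR code and not the FortiEDR query language. It runs the same four conditions over a handful of constructed events whose fields are assumed to correspond to Type, Target.Process.File.Name, Target.Process.CommandLine, Target.File.Name and Target.File.AdditionalData.TargetPath. The vssadmin matcher goes slightly beyond the first query: it tokenizes the command line and looks for a vssadmin invocation carrying both ‘delete’ and ‘shadows’, so it also fires when ‘/all’ or ‘/quiet’ are omitted or reordered, and when vssadmin is launched directly rather than through cmd.exe.

```python
"""Matchers equivalent to the four FortiEDR threat hunting queries above.

Added example: the Event fields below are assumed to map onto the query
fields Type, Target.Process.File.Name, Target.Process.CommandLine,
Target.File.Name and Target.File.AdditionalData.TargetPath. All sample
events are constructed for this example and are not real telemetry.
"""
import fnmatch
from dataclasses import dataclass

# Artefact filenames observed in the analyzed sample (from the article);
# the article notes these may change between variants.
BLACK_BASTA_ARTIFACTS = ("fkdjsadasd.ico", "dlaksjdoiwq.jpg")


@dataclass(frozen=True)
class Event:
    type: str                  # "Process Creation", "File Rename", "File Create"
    process_name: str = ""     # Target.Process.File.Name
    command_line: str = ""     # Target.Process.CommandLine
    file_name: str = ""        # Target.File.Name
    target_path: str = ""      # Target.File.AdditionalData.TargetPath


def is_shadow_copy_deletion(ev: Event) -> bool:
    """Query 1, generalized: a process creation that runs vssadmin with
    'delete' and 'shadows' anywhere on the command line."""
    if ev.type != "Process Creation":
        return False
    # Drop directory components so C:\...\vssadmin.exe compares as vssadmin.exe
    tokens = [t.rsplit("\\", 1)[-1].lower() for t in ev.command_line.split()]
    invokes_vssadmin = (ev.process_name.lower().startswith("vssadmin")
                        or any(t.startswith("vssadmin") for t in tokens))
    return invokes_vssadmin and "delete" in tokens and "shadows" in tokens


def is_basta_rename(ev: Event) -> bool:
    """Query 2: a file renamed to a path ending in .basta (wildcard match)."""
    return ev.type == "File Rename" and fnmatch.fnmatch(ev.target_path.lower(), "*.basta")


def is_black_basta_artifact_create(ev: Event) -> bool:
    """Queries 3 and 4: creation of the dropped icon or wallpaper file."""
    return ev.type == "File Create" and ev.file_name.lower() in BLACK_BASTA_ARTIFACTS


# Constructed sample telemetry: one hit per query plus benign look-alikes.
SAMPLE_EVENTS = [
    Event("Process Creation", "cmd.exe",
          r"/c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    Event("Process Creation", "cmd.exe", "/c dir"),
    Event("Process Creation", "vssadmin.exe", "list shadows"),   # read-only use, no hit
    Event("File Rename", target_path=r"C:\Users\victim\Documents\report.docx.basta"),
    Event("File Rename", target_path=r"C:\Users\victim\Documents\report_v2.docx"),
    Event("File Create", file_name="fkdjsadasd.ico"),
    Event("File Create", file_name="dlaksjdoiwq.jpg"),
    Event("File Create", file_name="notes.txt"),
]


def hunt(events):
    """Run every matcher over the events; returns {query name: [matching events]}."""
    matchers = {
        "shadow_copy_deletion": is_shadow_copy_deletion,
        "basta_rename": is_basta_rename,
        "artifact_create": is_black_basta_artifact_create,
    }
    return {name: [ev for ev in events if fn(ev)] for name, fn in matchers.items()}


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for ev in hits:
            print("   ", ev)
```

As with the queries themselves, the rename and artifact matchers confirm that encryption has already happened; the shadow copy deletion matcher is the one that fires before files are touched.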
MITRE ATT&CK Mapping

TA0002 - Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.003 | Windows Command Shell | Black Basta spawns a cmd.exe child process to execute vssadmin.exe in order to delete available volume shadow copies. |

TA0007 - Discovery

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1083 | File and Directory Discovery | Retrieves a list of files and folders for encryption. This listing is performed directly by the Black Basta ransomware executable. |

TA0040 - Impact

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | 1) Encrypts user files. Encryption is performed by the main Black Basta ransomware process; files are overwritten with encrypted content, then renamed to include the ‘.basta’ file extension. 2) Writes a ransom note to multiple folders with filename ‘readme.txt’. 3) Creates a jpg file ‘dlaksjdoiwq.jpg’ in the victim user’s temp directory, then modifies the registry to set the desktop background to the new image. The image notifies victims that they have been targeted by ransomware and points them to the previously created ransom note. 4) Creates a new icon file ‘fkdjsadasd.ico’ in the victim user’s temp directory and modifies the registry to set it as the default icon for files with the ‘.basta’ file extension. |
| T1490 | Inhibit System Recovery | Black Basta ransomware deletes volume shadow copies using the vssadmin.exe utility to prevent victims from rebuilding affected endpoints from known-good shadow copies. |

IOCs

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Black Basta ransomware executable | a996ccd0d58125bf299e89f4c03ff37afdab33fc | SHA1 Hash | Impact | Black Basta ransomware executable analyzed in the above article | 2022-04-28 |
| Black Basta ransomware executable | b43ad562e01682ea565f4bc1d8833944411a4a5d | SHA1 Hash | Impact | Black Basta ransomware executable | 2023-05-15 |
| Black Basta ransomware executable | d9f9d77ced87f3f5962dd1c14b06acdeb202e3a1 | SHA1 Hash | Impact | Black Basta ransomware executable | 2023-06-20 |

