Within months of its first public appearance, Black Basta left a significant mark in the realm of ransomware – tallying up 19 high-profile enterprise victims among 100+ confirmed targets. A ransomware-as-a-service (RaaS) group responsible for 7.2% of attacks in 2023, Black Basta first emerged in early 2022.
Unlike many of its counterparts, Black Basta adopts a surgical approach, meticulously targeting organizations across the US, Japan, Canada, the United Kingdom, Australia, and New Zealand. It’s worth noting that the group seems to give particular focus to the US and UK.
Their modus operandi? Employing a double extortion tactic – encrypting critical data (and servers) while threatening to publicly leak sensitive information.
Based on various analyses, they are actively targeting healthcare, manufacturing, critical infrastructure, and financial/legal services. However, given that Black Basta operates on a RaaS model, it would be naive to expect them to limit themselves to only those targets.
Notably, the American Dental Association fell victim to a large Black Basta attack, with its stolen data later appearing on the group’s leak site. Another notable victim was Southern Water. According to Elliptic, a British pioneer in the use of blockchain analytics for financial crime compliance, Black Basta has received at least $107 million in ransom payments since early 2022, spread across 90+ victims. The largest ransom payment received was $9 million, with at least 18 payouts exceeding $1 million.
A Joint Cybersecurity Advisory published in May 2024 and co-authored by the FBI, CISA, HHS, and MS-ISAC highlights the sophistication of Black Basta and maps its activity to the MITRE ATT&CK framework. The advisory also offers some technical details on how to prevent an attack – focusing primarily on DNS, IP addresses, file hashes and defensive tooling.
What’s missing in that advisory, and in so many other analyses, is information on the tools and methodologies that Black Basta uses and how they work. Those all-important but often ignored details of its MO are vital.
More often than not, it’s a simple matter of exploiting misconfigured services and errant privileges. Tools like the Qakbot trojan are used to walk straight through doors left open by unpatched (or unpatchable) vulnerabilities, poor PowerShell control across the estate, unmanaged distribution of file shares, and simple Active Directory composition errors.
The PrintNightmare vulnerability, for example, provides a favorite attack path for the group. Based on the print spooler vulnerability, PrintNightmare is still effectively a zero-day, despite the fact that Microsoft has released multiple patches over the years. The reason? All of those patches disable the spooler service, a service that many organizations still use and need.
And even when businesses do not need the service, it can be difficult for them to clearly recognize and confirm as much. Most would rather swallow the risk to their security and avoid the guaranteed disruption to their business.
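The difficulty described above is deciding, host by host, whether the spooler is actually used. The following PowerShell is an added example, not code from the original post or from Remedio, showing one way to make that decision explicit before disabling the service: it looks for shared printers, non-virtual printers and recent print-job events, and where the spooler must stay it applies Microsoft's documented Point and Print hardening (the RestrictDriverInstallationToAdministrators value from KB5005652). It assumes an elevated session on Windows 8 / Server 2012 or later; the function names and the 30-day window are this example's own choices.

```powershell
# Added example (not from the original post or from Remedio): decide whether the
# Print Spooler on this Windows host is actually needed before disabling it, and
# apply Microsoft's documented Point and Print hardening where it must stay.
# Assumes an elevated session; Get-Printer comes with the built-in PrintManagement module.

function Test-SpoolerNeeded {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Needed = $false; Reason = 'Spooler service not present' }
    }
    if ($svc.Status -ne 'Running') {
        return [pscustomobject]@{ Needed = $false; Reason = 'Spooler already stopped' }
    }

    $printers = @(Get-Printer -ErrorAction SilentlyContinue)

    # A shared printer means this host is acting as a print server for others.
    $shared = @($printers | Where-Object { $_.Shared })
    if ($shared.Count -gt 0) {
        return [pscustomobject]@{ Needed = $true; Reason = "Shares printer(s): $($shared.Name -join ', ')" }
    }

    # Ignore the virtual printers Windows installs by default (Print to PDF, XPS, OneNote, Fax).
    $real = @($printers | Where-Object { $_.Name -notmatch '^(Microsoft|OneNote|Fax)' })
    if ($real.Count -gt 0) {
        return [pscustomobject]@{ Needed = $true; Reason = "Printers configured: $($real.Name -join ', ')" }
    }

    # If the PrintService operational log has been enabled, event 307 records each completed job.
    $recentJob = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 307
        StartTime = (Get-Date).AddDays(-30)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($recentJob) {
        return [pscustomobject]@{ Needed = $true; Reason = 'Print jobs logged in the last 30 days' }
    }

    return [pscustomobject]@{ Needed = $false; Reason = 'No shared, physical or recently used printers' }
}

function Invoke-SpoolerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $verdict = Test-SpoolerNeeded
    if (-not $verdict.Needed) {
        if ($PSCmdlet.ShouldProcess('Spooler', "Stop and disable: $($verdict.Reason)")) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        return $verdict
    }

    # Spooler must stay: restrict printer driver installation to administrators (KB5005652).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    if ($PSCmdlet.ShouldProcess($key, "RestrictDriverInstallationToAdministrators=1: $($verdict.Reason)")) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    }
    return $verdict
}

# Report only first; drop -WhatIf to enforce.
Invoke-SpoolerHardening -WhatIf
```

Run with -WhatIf first on a sample of hosts and compare the Reason column against what the business believes it prints from; a host that reports no printers but whose users complain after disabling is the signal that the operational log should have been enabled earlier to capture real usage.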
Black Basta also exhibits considerable ambition, developing some of its own tooling. To encrypt VMware ESXi virtual machines, the group developed a Linux build of its ransomware.
While Black Basta takes a diverse, opportunistic, and somewhat sophisticated approach to initial infiltration – requiring it to bypass and evade technologies like antivirus, EDR, IPS, and sandboxing – its approach to spreading across the network is typically much simpler. It exploits the presence of the SMB and RDP protocols, their configuration (or rather misconfiguration), and poor cyber hygiene.
The reason behind Black Basta's use of these simplistic lateral movement techniques is clear: they are effective.
The reasons these misconfigurations persist are many. But here are the basics:
On the face of it, the logic checks out. But in truth, it’s deceptive. According to the BBC, 82% of British organizations opt to pay the ransom, yet a mere 4% of them managed to successfully recover their data.
Worse still, there's the danger that once an organization falls victim to such an attack, it becomes a prime target for subsequent assaults, sometimes by other threat actors and sometimes by those it already paid.
So, what are the costs of manually addressing misconfigurations? Take, for example, a project simply to contain the breach of an actor like Black Basta on a network with 10,000 devices.
Manually bringing protocols such as SMB and RDP under control in a network of 10,000 devices involves several steps, each with associated costs, staffing requirements, timeframes, and business risks.
Such a project performed manually could take anywhere from 9 to 18 months to complete; clearly the opportunity costs alone would be enormous, as key staff are pulled away from other initiatives and valuable labor hours are poured into a project with no guarantee of success. And this is just for two fairly standard protocols, to say nothing of the myriad other misconfigurations that litter a network.
The basic formula is simple:
Costs of ransom / Costs of remediation
If you get a value greater than 1, you should pursue remediation. If you get a value less than 1, you should sit tight.
The problem is that while the cost drivers are relatively straightforward, their probability weights are always going to be speculative, which is why conducting a proper cost-benefit analysis is not so straightforward.
But what if you could pursue remediation in a highly efficient manner, with a very clear and upfront view of the costs?
As Black Basta moves from one endpoint to another via SMB, in some cases it leverages PsExec in tandem with administrative privileges. Asserting control over SMB within the organization is therefore paramount. Yet manual intervention poses significant challenges.
Enter Remedio. Leveraging unparalleled visibility and push-button remediation, Remedio meticulously scans SMB usage across devices, spanning Windows desktops, workstations and servers, along with Linux and macOS devices. This analysis goes beyond share and protocol logging to audit inherently insecure configurations.
Remedio provides actionable insights, mapping active share usage patterns and making it possible to quickly and easily deactivate redundant shares – streamlining estate audits and shrinking the attack surface.
Remedio extends its prowess beyond SMB to encompass RDP, the other primary Black Basta vector of proliferation – offering the organization key oversight and a new layer of control over its usage landscape. With this information, businesses can pinpoint active RDP utilization, identify areas where it remains inactive, and determine where its deactivation is warranted.
This comprehensive approach empowers organizations to optimize their RDP deployment strategies, ensuring both security and operational efficiency. This empowers Infrastructure and Security teams to remove guesswork from the equation and rapidly advance their risk reduction efforts.
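To make the SMB and RDP questions above concrete (which shares are actually touched, is SMBv1 still on, is RDP enabled anywhere nobody uses it), here is an added PowerShell example. It is not code from the original post or from Remedio; it audits a single Windows host with the built-in Smb*, CIM and firewall cmdlets and returns one object a fleet tool could collect. It assumes an elevated session on Windows 8 / Server 2012 or later, and the function names, the list of default shares it ignores and the wording of the findings are this example's own.

```powershell
# Added example (not from the original post or from Remedio): audit how SMB and RDP
# are configured and actually used on one Windows host, so redundant shares and
# unused RDP can be switched off deliberately rather than guessed at.
# Assumes an elevated session; the Smb* cmdlets ship with Windows 8 / Server 2012 and later.

function Get-LateralMovementExposure {
    [CmdletBinding()]
    param()

    $smb = Get-SmbServerConfiguration

    # Shares Windows creates itself (C$, ADMIN$, IPC$, print$) are not candidates for removal here.
    $customShares = @(Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|IPC\$|[A-Z]\$|print\$)$' })
    $openFiles    = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)
    $sessions     = @(Get-SmbSession  -ErrorAction SilentlyContinue)

    $shareUsage = foreach ($share in $customShares) {
        $inUse = @($openFiles | Where-Object {
            $_.Path.StartsWith($share.Path, [StringComparison]::OrdinalIgnoreCase) }).Count
        $everyoneFull = [bool](Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessRight -eq 'Full' })
        [pscustomobject]@{
            Share              = $share.Name
            Path               = $share.Path
            OpenFiles          = $inUse
            EveryoneFullAccess = $everyoneFull
            # "Redundant" at this instant only; sample repeatedly before acting on it.
            Redundant          = ($inUse -eq 0)
        }
    }

    # RDP state lives in the registry: fDenyTSConnections=1 means disabled, UserAuthentication=1 means NLA required.
    $ts         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
    # Logon type 10 (RemoteInteractive) is a live RDP session.
    $rdpLive    = @(Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -eq 10 }).Count
    $rdpRules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq 'True' }).Count

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SMB1Enabled         = $smb.EnableSMB1Protocol
        SMBSigningRequired  = $smb.RequireSecuritySignature
        SMBEncryption       = $smb.EncryptData
        SmbSessions         = $sessions.Count
        CustomShares        = $shareUsage
        RedundantShares     = @($shareUsage | Where-Object Redundant).Share
        RDPEnabled          = $rdpEnabled
        RDPRequiresNLA      = $nla
        RDPLiveSessions     = $rdpLive
        RDPFirewallRulesOn  = $rdpRules
        Findings            = @(
            if ($smb.EnableSMB1Protocol) { 'SMBv1 enabled: Set-SmbServerConfiguration -EnableSMB1Protocol $false' }
            if (-not $smb.RequireSecuritySignature) { 'SMB signing not required' }
            if ($rdpEnabled -and -not $nla) { 'RDP enabled without Network Level Authentication' }
            if ($rdpEnabled -and $rdpLive -eq 0) { 'RDP enabled but no live session: candidate for deactivation' }
            if ($rdpEnabled -and $rdpRules -eq 0) { 'RDP enabled but its firewall rules are off' }
        )
    }
}

function Remove-RedundantShare {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess($n, 'Remove SMB share')) { Remove-SmbShare -Name $n -Force }
    }
}

$report = Get-LateralMovementExposure
$report | Format-List
# After several audits agree a share is unused: Remove-RedundantShare -Name $report.RedundantShares -WhatIf
```

The open-file count is a point-in-time snapshot, so the Redundant flag should only drive a removal after the audit has been repeated across a business cycle; the SMB1Enabled and RDPRequiresNLA fields, by contrast, are configuration facts that can be acted on immediately.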
Having a handle on user credentials is of paramount importance. However, getting that handle can be very challenging. Remedio monitors dozens of metrics to ensure that credentials aren’t being created or used insecurely – from things like password length and expiry, to UAC enablement, service account security, and beyond.
As organizations and their networks live and grow organically, many things happen:
It can leave a wealth of misconfigurations sprawled across the network that remain unseen and ignored for years.
Remedio provides a solution that not only brings them into focus, but also facilitates their immediate and frictionless remediation.
As mentioned, if Black Basta can’t exploit misconfigurations, it may move on to more sophisticated methods – leveraging commercially available tools like Cobalt Strike.
While Cobalt Strike was originally intended for legitimate penetration testing, its versatility also makes it a prime choice for malicious actors.
Cobalt Strike's extensive features span a wide array of areas, making it a potent tool for attackers. But many of the risks presented can be mitigated with the help of smart automation that cleans the device estate.
Here are some of the vectors Black Basta might look to exploit using Cobalt Strike, and how a tool like Remedio can help.
Goal and Vector | Defense
Credential Theft (Pass-the-Hash, Pass-the-Ticket, Golden Ticket and Silver Ticket) | Two privilege abuse methods used by Cobalt Strike are Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). PtH is centered on NTLM and its weak hashes, reusing them to compromise systems. PtT is similar, but focuses on Kerberos, using a captured Kerberos ticket (from RAM, network sniffing, or another compromised system). Remedio provides almost instant visibility into where and how NTLM is being used on the network, and allows for remediation at a click. Golden Ticket and Silver Ticket creation rely on poor management of the Kerberos system.
Domain Enumeration | SMB Spider is a mechanism used by Cobalt Strike for enumerating file and print services, uploading and downloading files, credential theft, data exfiltration, and using hosts to pivot traffic through the network. Remedio gives you a handle on SMB usage within an organization and singles out SMBv1 as particularly problematic. Shutting that vector down will greatly hamper exploit efforts while improving overall security.
Domain Persistence | Remedio monitors group policies and access controls to remove unnecessary privileges, monitoring Active Directory for changes and unusual activities. The system provides visibility into the use of built-in Administrator accounts (typically disabled), lists recent GPO changes, tracks Domain Admins group membership, and audits SID accounts. Remedio also provides dozens of metrics to check AD, Intune, and GPO configurations.
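The credential-theft and domain-persistence rows above, together with the earlier point about password, UAC and service-account metrics, all reduce to a handful of settings a defender can read directly. The PowerShell below is an added example, not code from the original post or from Remedio: it reports the NTLM level and NTLM auditing state, UAC, the built-in RID-500 Administrator, Domain Admins membership, the domain password policy and the age of the krbtgt password (the key a Golden Ticket is forged with). It assumes a domain-joined host with the RSAT ActiveDirectory module for the domain checks (the local checks run anywhere); the function name, the approved-admin list and the thresholds are constructed for this example.

```powershell
# Added example (not from the original post or from Remedio): check the NTLM, Kerberos,
# UAC and Active Directory settings behind the credential theft and domain persistence
# rows of the table. Assumes an elevated, domain-joined session; domain checks need the
# RSAT ActiveDirectory module and are skipped when it is absent.

function Get-CredentialHygiene {
    [CmdletBinding()]
    param(
        # Constructed allow-list: accounts permitted in Domain Admins. Anything else is flagged.
        [string[]]$ApprovedDomainAdmins = @('Administrator')
    )

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 (the weak hashes PtH relies on).
    $lmLevel   = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'default' }
    # AuditReceivingNTLMTraffic 2 = audit all inbound NTLM into Microsoft-Windows-NTLM/Operational.
    $ntlmAudit = if ($null -ne $msv.AuditReceivingNTLMTraffic) { $msv.AuditReceivingNTLMTraffic } else { 0 }

    # Built-in Administrator is always RID 500, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

    $domainAdmins = $null; $pwdPolicy = $null; $krbtgtAge = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                          Select-Object -ExpandProperty SamAccountName)
        $pwdPolicy    = Get-ADDefaultDomainPasswordPolicy
        # A krbtgt password that is never rotated keeps any forged Golden Ticket valid indefinitely.
        $krbtgt       = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
        $krbtgtAge    = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    }

    $findings = @(
        if ($lmLevel -ne 5) { "LmCompatibilityLevel is $lmLevel; set to 5 to refuse LM/NTLMv1" }
        if ($ntlmAudit -eq 0) { 'Inbound NTLM is not audited; enable auditing before restricting NTLM' }
        if ($pol.EnableLUA -ne 1) { 'UAC (EnableLUA) is disabled' }
        if ($builtin -and $builtin.Enabled) { 'Built-in Administrator (RID 500) is enabled' }
        if ($domainAdmins) {
            $unexpected = @($domainAdmins | Where-Object { $_ -notin $ApprovedDomainAdmins })
            if ($unexpected.Count -gt 0) { "Unapproved Domain Admins: $($unexpected -join ', ')" }
        }
        if ($pwdPolicy -and $pwdPolicy.MinPasswordLength -lt 14) {
            "Domain minimum password length is $($pwdPolicy.MinPasswordLength)"
        }
        if ($null -ne $krbtgtAge -and $krbtgtAge -gt 180) { "krbtgt password last set $krbtgtAge days ago" }
    )

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        LmCompatibilityLevel  = $lmLevel
        NtlmInboundAudit      = $ntlmAudit
        UACEnabled            = ($pol.EnableLUA -eq 1)
        BuiltinAdminEnabled   = [bool]($builtin -and $builtin.Enabled)
        DomainAdmins          = $domainAdmins
        KrbtgtPasswordAgeDays = $krbtgtAge
        Findings              = $findings
    }
}

# 'svc-break-glass' is a constructed placeholder for an approved emergency account.
Get-CredentialHygiene -ApprovedDomainAdmins 'Administrator', 'svc-break-glass' | Format-List
```

The ordering of the NTLM findings is deliberate: auditing inbound NTLM first shows which legacy systems still depend on it, so that raising LmCompatibilityLevel or restricting NTLM does not break them unannounced.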
In the fast-paced world of cybersecurity, Black Basta emerges as a formidable adversary, utilizing sophisticated tactics to target organizations globally. Employing a double extortion strategy, this Ransomware-as-a-Service entity has made a significant and very negative impact across various sectors worldwide.
There are no silver bullets when it comes to ransomware. Despite valiant human efforts and support from EDR and perimeter security technologies, the threat of ransomware persists.
Manual techniques for cleansing the network of misconfigurations are not fit for purpose: they are time-consuming and expensive, and not particularly effective. Remedio provides an elegant alternative and an effective solution – taking quick stock of security gaps and offering immediate remediation.
In short, the system acts as a force multiplier for Security and Infrastructure teams hoping to prevent ransomware attacks.