RevealX vs. Black Basta Ransomware
ExtraHop
July 15, 2024
Black Basta ransomware became prevalent beginning in April 2022 and helped popularize the double extortion technique among ransomware actors. According to CISA, Black Basta affiliates have targeted more than 500 organizations in critical infrastructure and other sectors, primarily in the U.S., but also in Europe and Australia.
Black Basta ransomware has hit the healthcare industry particularly hard. In May, the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory warning the healthcare sector of active Black Basta ransomware threats. The advisory provided signatures for Black Basta ransomware. An alert from the Health Information and Analysis Center, also released in May, noted that Black Basta affiliates use spear phishing and compromised credentials purchased from initial access brokers to get inside organizations. These two initial access techniques are worth noting because organizations’ perimeter security controls don’t provide an adequate defense against them.
Even endpoint detection and response (EDR) controls can be subverted by Black Basta ransomware. For example, Black Basta is known to abuse Windows safe mode (T1562.009 in the MITRE ATT&CK framework) in order to disable EDR controls. When you can’t depend on your perimeter or EDR controls to stop Black Basta, your only fallback is network-based detection: catching these actors in the mid-game, while they execute commands, files, and malicious payloads, evade defenses, establish persistence, enumerate files, and move laterally, and before they achieve their ultimate goal of encrypting your data.
Here are a few of the network-based techniques that RevealX uses to detect Black Basta ransomware at multiple stages of the attack cycle.
Tactic: Execution
T1059: Command and Scripting Interpreter
Black Basta affiliates have been observed abusing command and script interpreters to execute commands, scripts, and binaries. RevealX detects Command and Scripting Interpreter activity with the Unusual Interactive Traffic from an External Endpoint detector, which identifies network traffic associated with command and script interpreters based on behavioral heuristics. This detection system also aids in identifying distributed denial of service (DDoS) attacks, port scanning, man-in-the-middle attacks, malware/spyware injections, and suspicious botnet-generated traffic, all of which can provide early indications of malicious activity aiming to exploit system vulnerabilities, disrupt services, or steal sensitive data.
T1204: User Execution
Black Basta affiliates may rely upon specific actions by a user to gain execution. RevealX detects attempts by threat actors to access or manipulate network file system data on remote servers, execute unusual HTML applications, download suspicious executable files or scripts, open an unusually large archive file, or establish a Sliver Command & Control connection. The detection analytic monitors and raises alerts for requests to external NFS servers, downloads of HTA, executable, and script files from untrustworthy sources, archive files from suspicious sources, and unapproved connections to Sliver C&C servers, signifying potential unauthorized access, data breach, or malicious software installation.
T1047: Windows Management Instrumentation
Black Basta affiliates may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. RevealX detects the invocation of new or unusual Windows Management Instrumentation (WMI) methods that may signify malicious activity such as persistence, lateral movement, payload execution, defense evasion, and information gathering. This detection analytic provides coverage by identifying the exploitation of WMI for activities including persistent attacks that use WMI to stay resident within the host machine, lateral network movements that execute commands remotely, payload delivery through embedded WMI objects, evasion of traditional defense mechanisms, and system information gathering.
Tactic: Defense Evasion
T1112: Modify Registry
Black Basta affiliates may interact with the Windows registry to hide configuration information within registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. RevealX detects remote registry activity with the Windows Registry Enumeration, Remote Registry Modification, and New Windows Registry Modification Activity detectors. These detectors use analytics to scrutinize Windows registry enumeration and identify any abnormal access or exploitations indicative of a potential cyberattack. RevealX also monitors for signs of remote and new registry modifications, which may signify advanced persistent threats or attempts to establish persistent access, elevate privileges, or execute malicious software, thus providing security coverage against these types of attacks.
Tactic: Discovery
T1083: File and Directory Discovery
Black Basta affiliates enumerate files and directories or search in specific locations of a host or network share for certain information within a file system. RevealX detects File and Directory enumeration by actively monitoring the frequencies and patterns of web server queries, promptly identifying and alerting on any attempts to map web server structures that indicate potential intrusion. It also provides coverage for the detection of unconventional internal network connections, tracking instances of anomalous activities within the network, such as irregular access times, use of unusual protocols, and aberrant user behaviors, which may signify an advanced persistent threat attempting to spread malware, exploit vulnerabilities, or laterally move within the network.
T1018: Remote System Discovery
Black Basta affiliates may attempt to enumerate information about remote systems that can be used for later parts of the attack chain, such as lateral movement. RevealX detects the enumeration of remote systems over protocols such as DNS and LDAP using both signature-based and behavioral heuristics. It also identifies malicious Domain Controller Enumeration efforts that aim to gain higher access levels, breach network security, and formulate more strategic and targeted attacks.
T1082: System Information Discovery
Black Basta affiliates may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture, of hosts they’re trying to compromise. RevealX detects the enumeration of system information by monitoring the task scheduling utility in systems to catch suspicious activity that suggests the attacker is listing, exploiting, or manipulating scheduled tasks to achieve persistence or introduce malicious code. It also identifies New WMI Enumeration Query attacks where the adversaries might use WMI to execute code, create processes, or query system information, thereby revealing system vulnerabilities or details about configuration that can be misused for detrimental purposes.
Tactic: Impact
T1486: Data Encrypted for Impact
RevealX detects and prevents the manipulation, control, and encryption of a user's sensitive data through a combination of tactics, including spotting ransomware activity, suspicious SMB/CIFS file share access, Kaseya VSA activity, REvil suspicious connections, and confirmed OnePercent Group Ransomware IOCs. This detection analytic offers multi-layered security against T1486 by identifying and mitigating malicious threats from unauthorized cybercriminals exploiting vulnerabilities in data management systems, monitoring unauthorized access to SMB/CIFS, and tracking and neutralizing activities of organized ransomware groups like REvil, OnePercent Group, and Black Basta affiliates.
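The following is an added illustration, not RevealX code, of the kind of behavioral network heuristic the T1018 and T1486 sections describe: it runs two simple sliding-window checks over constructed network metadata records (one client resolving many distinct internal names in a short window, and one client writing many files that all share a single new extension over SMB). The log format, the hosts, the ".locked" extension and the deliberately low thresholds are all assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample network metadata (not RevealX output): timestamp, client, protocol, detail.
SAMPLE_LOG = r"""
2024-07-15T10:00:00 10.0.0.5 DNS srv-fs01.corp.example
2024-07-15T10:00:01 10.0.0.5 DNS srv-fs02.corp.example
2024-07-15T10:00:01 10.0.0.5 DNS srv-db01.corp.example
2024-07-15T10:00:02 10.0.0.5 DNS srv-dc01.corp.example
2024-07-15T10:00:04 10.0.0.7 DNS intranet.corp.example
2024-07-15T10:05:00 10.0.0.9 SMB WRITE \\srv-fs01\finance\q2.xlsx.locked
2024-07-15T10:05:00 10.0.0.9 SMB WRITE \\srv-fs01\finance\q3.xlsx.locked
2024-07-15T10:05:01 10.0.0.9 SMB WRITE \\srv-fs01\finance\budget.docx.locked
2024-07-15T10:05:02 10.0.0.9 SMB WRITE \\srv-fs01\finance\plan.pptx.locked
2024-07-15T10:05:03 10.0.0.7 SMB WRITE \\srv-fs01\finance\report.docx
"""

def parse(log):
    """Split each record into (datetime, client, protocol, detail)."""
    return [(datetime.fromisoformat(t), c, p, d)
            for t, c, p, d in (ln.split(" ", 3) for ln in log.strip().splitlines())]

def _window_hit(events, window, score):
    """Slide a time window over (ts, value) pairs; return the first truthy score() result."""
    events.sort()
    for i, (start, _) in enumerate(events):
        hit = score([v for t, v in events[i:] if t - start <= window])
        if hit:
            return hit

def dns_enumerators(records, threshold=4, window=timedelta(seconds=60)):
    """T1018 heuristic: clients resolving >= threshold distinct names inside one window."""
    per_client = defaultdict(list)
    for ts, client, proto, detail in records:
        if proto == "DNS":
            per_client[client].append((ts, detail.lower()))
    return sorted(c for c, ev in per_client.items()
                  if _window_hit(ev, window, lambda v: len(set(v)) >= threshold))

def smb_mass_writers(records, threshold=4, window=timedelta(seconds=60)):
    """T1486 heuristic: clients whose SMB writes in one window share one new extension."""
    per_client = defaultdict(list)
    for ts, client, proto, detail in records:
        if proto == "SMB" and detail.startswith("WRITE "):
            per_client[client].append((ts, detail.rsplit(".", 1)[-1].lower()))
    def common_ext(exts):
        top = max(set(exts), key=exts.count)
        return top if exts.count(top) >= threshold else None
    return {c: ext for c, ev in per_client.items()
            if (ext := _window_hit(ev, window, common_ext))}
```

On the sample, 10.0.0.5 is flagged for name enumeration and 10.0.0.9 for a burst of writes sharing the ".locked" extension, while the single lookups and writes from 10.0.0.7 are not; in production the thresholds and window would be tuned per environment.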