On May 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

AttackIQ has previously emulated the behaviors associated with the Black Basta ransomware in January 2023, through the release of a full-scale attack graph that focused on the eCrime malware known as QakBot, which culminated in the deployment of this ransomware strain.

Black Basta is a ransomware variant developed and operated by the group of the same name under the Ransomware as a Service (RaaS) business model that has been active since April 2022. However, evidence suggests that it has been in development since February 2022.

Affiliates of the ransomware have been actively deploying it and extorting organizations since its emergence. The same have been observed targeting organizations in the U.S. with a particular focus on the Construction and Manufacturing industries. Additionally, they have targeted the Professional Services, Financial Services, Healthcare & Life Sciences, and Energy, Resources and Utilities sectors.

The ransomware uses the double extension technique, in which in addition to encrypting the information on the target organizations’ systems and demanding a ransom to make decryption possible, it also exfiltrates sensitive information which is published on a Dedicated Leak Site (DLS) if the organization chooses not to pay the ransom.

AttackIQ has released a new attack graph that emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Black Basta ransomware during recent activities with the aim of helping customers validate their security controls and their ability to defend against this worldwide threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct worldwide ransomware activities.
• Assess their security posture against activities focused on both encryption and destruction of sensitive information.
• Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups that are currently focused on ransomware activities.

[CISA AA24-131A] #StopRansomware: Black Basta Ransomware

This attack graph emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Black Basta ransomware during its most prominent activities.

This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by the reports published by Avertium on June 1, 2022, NCC Group on June 6, 2022, and Palo Alto Networks on August 25, 2022.

This stage focuses on obtaining system information by verifying the presence of a process debugger, collecting the computer name, and discovering additional local accounts.

Subsequently, the attacker will attempt to acquire persistence through the creation of a local account named admin which is then immediately added to the local Administrators group.

Virtualization/Sandbox Evasion (T1497): This scenario will call the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.

System Information Discovery (T1082): This scenario will call the GetComputerNameA (Kernel32) Windows API to enumerate the computer name.

Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.

Create Account: Local Account (T1136.001): This scenario will create a new account with the name admin using net user.

Valid Accounts: Local Accounts (T1078.003): This scenario will attempt to add a local user to a local Administrators group using the net localgroup command.

This stage focuses on disabling security settings to traverse laterally to additional systems on the network. For this purpose, remote desktop connections are enabled via the registry, the system firewall is modified via netsh and the registry is used once again to disable the Network Layer Authentication (NLA).

Finally, lateral movement to additional systems is performed using the Remote Desktop Protocol (RDP).

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections is set to 0 that will enable remote access to the system using Remote Desktop.

Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario creates a new firewall rule using the netsh advfirewall utility to open local port 3389 for inbound access.

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication is set to 0 that will disable Network Layer Authentication (NLA).

Remote Desktop Protocol (T1021.001): This scenario will attempt to move laterally to another previously discovered host through Remote Desktop Protocol (RDP).

This stage focuses on disabling the Anti Spyware and Real-time Monitoring security settings on Windows Defender via PowerShell.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses PowerShell to set the DisableAntiSpyware registry key that will prevent Microsoft Defender from running after the next reboot.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference cmdlet to modify the DisableRealtimeMonitoring in Microsoft Defender.

This stage begins with the deployment of Black Basta ransomware and continues immediately with the deletion of Volume Shadow Copies using vssadmin.exe.

Next, a service called “FAX” is created and forced to initialize in SafeBoot through a registry modification. Subsequently, Black Basta performs boot mode detection using the GetSystemMetrics API.

Finally, Black Basta searches for files of interest and culminates with their encryption using RSA-4096 + ChaCha20.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Impair Defenses: Safe Mode Boot (T1562.009): This scenario will attempt, through the registry, to force the initialization of a service if the system is started in SafeBoot mode.

System Information Discovery (T1082): This scenario executes the GetSystemMetrics Windows API to discover the system’s boot configuration status.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by Black Basta ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Command and Scripting Interpreter: PowerShell (T1059.001):

Adversaries may utilize PowerShell scripts and built-in PowerShell cmdlets to complete their discovery objectives.

2a. Detection

Enabling PowerShell script logging is critical to being able to track how PowerShell is being used in your environment. Many actors will obfuscate their code to make it more difficult to detect.

Resources for Enabling PowerShell Logging:

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Black Basta ransomware affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.