
Black Basta: a new ransomware group or rebranded ransomware operation

Black Basta, a newly emerged name around the ransomware families, is getting popular across the masses, indicating an attempt to rebrand the previously dissolve...

03-May-2022
6 min read

Black Basta, a new addition to the ransomware family, sprang into operation this month, infecting at least 12 business entities in just a few weeks. It was first spotted in the second week of April, and the operation quickly broke out, attacking companies globally.

While there have been multiple ransom requests, each likely varying according to the nature of the attack on the victim, one victim got a demand for nearly $2 million from the Black Basta gang to unlock files and not expose data.

There is little other information about the new ransomware group, as they have not yet begun marketing their business or recruiting associates on hacker forums.

However, based on their capacity to rapidly accumulate new victims and how they negotiate, this is most likely not a new operation but a rebranding of a former top-tier ransomware group that brought along their associates.

Deciphering the encrypting nature of Black Basta

As with previous ransomware operations that target businesses, Black Basta will take corporate data and documents prior to encrypting the company's equipment.

The threat actors then demand a ransom in exchange for a decryptor and for withholding publication of the victim's stolen data, in so-called "double-extortion" attacks.

The 'Black Basta Blog' or 'Basta News' Tor site lists every victim who has not paid a ransom, and this is where the data extortion takes place. Black Basta intends to coerce each victim into paying by steadily leaking their stolen data.

[Image: data-leak-site.jpg]

There are now data leak pages for eleven firms on the Black Basta data leak site. A few further victims are known but have not yet been listed on the site.

Among their most recent victims is German wind turbine manufacturer Deutsche Windtechnik, which suffered a ransomware attack on April 11th but had not yet publicized it.

Brief Analysis of Black Basta

From the few accessible samples, a quick investigation of the Black Basta ransomware has revealed the following:

When executed, the Black Basta encryptor requires administrator rights to work correctly. Once launched, the encryptor uses the following command to erase Volume Shadow Copies:

[Image: Black Basta Command.jpg]

It then hijacks an already-running Windows service and uses it to execute the ransomware encryptor executable. In our experiments, the hijacked Windows service was the 'Fax' service, as seen below.

[Image: fax-service.jpg]

[Image: wallpaper.jpg]

Additionally, the ransomware will modify the wallpaper to display a warning that reads, "The Black Basta organization encrypts your network. Instructions are included in the readme.txt file."

[Image: encrypted-files(1).jpg]

The ransomware will now reboot the machine into Safe Mode with Networking, at which point the hijacked Windows service will begin automatically encrypting the device's data.

Ransomware specialist Michael Gillespie, who thoroughly researched Black Basta's encryption process, found that it encrypts data using the ChaCha20 algorithm. The ChaCha20 encryption key is in turn encrypted with the public RSA-4096 key embedded in the executable.

When the ransomware encrypts files, it appends the .basta extension to the file's name. Thus, test.jpg is encrypted and renamed test.jpg.basta.

To display a custom icon for the .basta extension, the ransomware registers the extension in the Windows Registry and associates it with a randomly named ICO file in the %Temp% folder. This custom icon closely resembles the icy.tools app icon.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\Windows\TEMP\fkdjsadasd.ico"

The ransomware creates a readme.txt file in each folder on the encrypted device, providing information about the attack along with a URL and unique ID needed to sign in to the negotiation chat session.
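The three host-level indicators above (the .basta extension appended to original names, a readme.txt dropped in every affected folder, and a .basta file class whose DefaultIcon points at an ICO file under a Temp directory) lend themselves to a simple triage check. The script below is an added example written for this page, not tooling from the article's author or from any vendor; it parses a constructed .reg export shaped like the snippet above and walks a constructed file listing, so it runs offline. The ICO filename in the sample is copied from the article, but the check deliberately keys on the directory rather than the random name.

```python
"""Triage helper for the Black Basta host indicators described above (added example)."""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample .reg export: the .basta class from the article plus a benign
# .txt class so the check has something to ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\Windows\TEMP\fkdjsadasd.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\DefaultIcon]
@="C:\Windows\System32\imageres.dll,-102"
"""

# Constructed sample directory listing of a partially encrypted user profile.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\test.jpg.basta",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.basta",
    r"C:\Users\alice\Pictures\holiday.png",
    r"C:\Users\alice\Pictures\readme.txt",
    r"C:\Users\bob\Desktop\notes.txt",
]


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"')
    return keys


def suspicious_icon_classes(keys):
    """Flag file-type classes whose DefaultIcon resolves to a file under any Temp directory.

    Legitimate icon handlers live in Program Files or System32; an extension whose
    icon lives in a Temp folder is the pattern the article describes.
    """
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\defaulticon"):
            continue
        icon = values.get("(Default)", "")
        # "path,index" form is common for DLL icons; only the path matters here.
        parts = [p.lower() for p in PureWindowsPath(icon.split(",")[0]).parts]
        if "temp" in parts:
            ext = key.split("\\")[-2]
            hits.append((ext, icon))
    return hits


def scan_listing(paths, ext=".basta", note="readme.txt"):
    """Per folder: count renamed files, note the original types, and record the ransom note."""
    report = {}
    for p in paths:
        wp = PureWindowsPath(p)
        folder = str(wp.parent)
        entry = report.setdefault(
            folder, {"encrypted": 0, "note": False, "original_types": Counter()}
        )
        if wp.name.lower().endswith(ext):
            entry["encrypted"] += 1
            # test.jpg.basta -> original suffix .jpg
            original = PureWindowsPath(wp.name[: -len(ext)]).suffix.lower()
            entry["original_types"][original] += 1
        elif wp.name.lower() == note:
            entry["note"] = True
    # Keep only folders that show at least one indicator.
    return {f: e for f, e in report.items() if e["encrypted"] or e["note"]}


if __name__ == "__main__":
    for ext, icon in suspicious_icon_classes(parse_reg(SAMPLE_REG)):
        print(f"suspicious class {ext}: icon at {icon}")
    for folder, entry in scan_listing(SAMPLE_LISTING).items():
        print(folder, dict(entry))
```

On a real host the listing would come from a recursive directory walk and the registry data from `reg export HKLM\SOFTWARE\Classes`; the per-folder pairing of renamed files with a ransom note is what distinguishes this pattern from a stray file that merely happens to carry the extension.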

[Image: tor-chat-site.jpg]

The 'Chat Black Basta' Tor negotiation site hosts a login page and a webchat used to negotiate with the threat actors.

Threat actors use this screen to display a welcome message that includes a ransom demand, a warning that data will be disclosed if payment is not made in seven days, and a promise of a security report if the ransom is paid.

There is no free method to decrypt the encrypted files, according to Gillespie.

Ransomware Rebranding Attempts

This is most likely a rebrand of an infamous operation across the ransomware family, based on how rapidly Black Basta amassed victims and the manner of their discussions.

Security researcher MalwareHunterTeam and this author share the opinion that Black Basta may be a rebranding of the Conti ransomware operation.

Conti ransomware group has been under intense scrutiny over the last two months after the publication of a treasure trove of private communications and the ransomware's source code by a Ukrainian researcher.

As a result, it has been hypothesized that Conti will rename their organization and restart under a new name in order to elude government authorities.

While the Black Basta encryptor is somewhat different from Conti's, MalwareHunterTeam thinks their negotiating technique and website design have significant similarities.

[Image: mht-tweet.jpg]

Additionally, Black Basta disclosed the details for a brand-new victim after revealing a screenshot of the negotiation.

This "penalty" is identical to what Conti instituted in order to quell the flood of leaked negotiations on Twitter.

While these ties are thin, the Black Basta gang should be actively monitored, given that they have only just begun operating.