Analytics Story: Black Basta Ransomware

Description

Leverage searches for suspicious behaviors associated with Black Basta ransomware, focusing on key indicators such as process execution, registry modifications, and network activity. Monitor for unusual file encryption patterns, particularly involving cmd.exe, powershell.exe, or wmic.exe executing with arguments linked to volume shadow copy deletion (vssadmin delete shadows). Look for registry changes disabling security features or altering startup configurations. Track high-volume file modifications in rapid succession, indicative of ransomware encryption. Additionally, unauthorized remote service executions. Cross-reference endpoint logs, EDR alerts, and SIEM detections to correlate malicious activity. Behavioral analytics and heuristic-based detections can enhance visibility into evolving tactics. Implement robust monitoring and response mechanisms to mitigate Black Basta’s impact effectively.

Why it matters

Black Basta ransomware is a highly sophisticated and fast-moving threat that has been targeting organizations worldwide, often disrupting critical operations and demanding hefty ransoms. It operates as a double extortion ransomware, encrypting victim data while simultaneously exfiltrating it to pressure victims into paying. The attack typically begins with initial access via phishing emails, compromised credentials, or exploitation of vulnerabilities in remote desktop services. Once inside, attackers escalate privileges, disable security defenses, and deploy the ransomware payload. The malware rapidly encrypts files across local and networked drives, deleting shadow copies to prevent recovery. It often abuses legitimate system tools like wmic.exe and rundll32.exe, to evade detection. Simultaneously, it establishes command-and-control (C2) connections to exfiltrate sensitive data. The impact is severe—disrupting business operations, exposing confidential information, and leaving organizations with few options for recovery. Early detection, network segmentation, and strong endpoint defenses are crucial to mitigating the risk posed by Black Basta.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Bcdedit Command Back To Normal Mode Boot Inhibit System Recovery TTP
Change To Safe Mode With Network Config Inhibit System Recovery TTP
Common Ransomware Extensions Data Destruction TTP
Common Ransomware Notes Data Destruction Hunting
Deleting Shadow Copies Inhibit System Recovery TTP
Detect RClone Command-Line Usage Automated Exfiltration TTP
Detect Renamed RClone Automated Exfiltration Hunting
Disable Defender AntiVirus Registry Disable or Modify Tools TTP
Disable Windows Behavior Monitoring Disable or Modify Tools TTP
Modification Of Wallpaper Defacement TTP
Print Spooler Adding A Printer Driver Print Processors TTP
Print Spooler Failed to Load a Plug-in Print Processors TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
Spoolsv Spawning Rundll32 Print Processors TTP
Spoolsv Suspicious Loaded Modules Print Processors TTP
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation TTP
Spoolsv Writing a DLL Print Processors TTP
Spoolsv Writing a DLL - Sysmon Print Processors TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows High File Deletion Frequency Data Destruction Anomaly
Detect Zerologon via Zeek Exploit Public-Facing Application TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Printservice 316 Windows icon Windows WinEventLog WinEventLog:Microsoft-Windows-PrintService/Admin
Windows Event Log Printservice 4909 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Printservice 808 Windows icon Windows WinEventLog WinEventLog:Microsoft-Windows-PrintService/Admin
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1