Black Basta (AKA BlackBasta) is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation.
The group uses a double-extortion approach: it encrypts the victim’s critical data and vital servers and threatens to publish stolen sensitive data on its public leak site.
Black Basta’s core membership is assumed to have spawned from the defunct Conti threat actor group, given the similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery.
On May 7th, 2023, the Swiss multinational corporation ABB fell victim to a ransomware attack conducted by the Black Basta ransomware gang, a cybercrime group that surfaced in April 2022.
The attack affected the company’s Windows Active Directory, impacting hundreds of devices.
The security incident directly affected certain locations and systems.
In response to the attack, ABB terminated VPN connections with its customers to prevent the spread of the ransomware to other networks.
BlackBasta Ransomware Malware
The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The ransomware also attempts to delete shadow copies and other backups of files using vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.
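The 64-byte-encrypted / 128-byte-plaintext striping described above leaves a periodic entropy signature that a responder can look for when triaging files after an incident. The following is an added illustration, not code from the page or from any vendor tool: it measures Shannon entropy per 64-byte block and reports how many 192-byte periods match the [high, low, low] pattern. The sample data is constructed (a repeated text line for the plaintext gap and a 64-distinct-value block standing in for ciphertext); the stripe offset and the 5.0-bit threshold are assumptions for the demonstration.

```python
import math
from collections import Counter

CHUNK = 64   # bytes encrypted per stripe, per the description above
GAP = 128    # bytes left in plaintext between stripes (two CHUNK-sized blocks)

def shannon_entropy(data):
    """Bits per byte: roughly 4 for English text, close to 6 for 64 random bytes
    (64 samples can show at most 64 distinct values, so the cap is log2(64))."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data, size=CHUNK):
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]

def stripe_ratio(data, high=5.0):
    """Fraction of CHUNK+GAP periods that look like [cipher, plain, plain].
    All three phase alignments are tried because the first stripe need not
    start at offset 0; the best-matching phase is returned."""
    ents = block_entropies(data)
    best = 0.0
    for phase in range(3):
        triples = [ents[i:i + 3] for i in range(phase, len(ents) - 2, 3)]
        if not triples:
            continue
        hits = sum(1 for a, b, c in triples if a >= high and b < high and c < high)
        best = max(best, hits / len(triples))
    return best

def looks_intermittently_encrypted(data, threshold=0.8):
    """Triage heuristic for documents and text. Compressed or already-encrypted
    inputs are high-entropy everywhere and will not match the stripe pattern."""
    return stripe_ratio(data) >= threshold

# Constructed sample data (assumption, not real ransomware output): a 128-byte
# plaintext gap and a 64-byte block of 64 distinct values standing in for ciphertext.
PLAIN_GAP = (b"quarterly revenue report (USD).\n" * 5)[:GAP]      # about 4 bits/byte
FAKE_CIPHER = bytes((i * 37) & 0xFF for i in range(CHUNK))         # exactly 6.0 bits/byte

def make_striped(periods=6):
    """Simulated intermittently encrypted file: [64 cipher][128 plain] repeated."""
    return (FAKE_CIPHER + PLAIN_GAP) * periods

if __name__ == "__main__":
    samples = [("intact", PLAIN_GAP * 3), ("striped", make_striped()), ("all random", FAKE_CIPHER * 9)]
    for name, blob in samples:
        print(f"{name:10s} stripe_ratio={stripe_ratio(blob):.2f} flagged={looks_intermittently_encrypted(blob)}")
```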
Link to the Black Basta Negotiation Site: hxxps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion