Black Basta Ransomware Blitz: Over 500 Entities Hit Across Key Sectors

Beware the Black Basta ransomware, wreaking havoc without a price tag—contact us via .onion for the “pleasure” of negotiating your data’s return. It’s the cyber shakedown of the century, and they’re not even polite enough to tell you what it’ll cost upfront!

Hot Take:

Remember when you got grounded for spilling milk? Well, Black Basta is spilling more than milk, and grounding won’t cut it! This ransomware-as-a-service rockstar has been partying hard across sectors, leaving encrypted chaos and stolen data like it’s confetti. They’re not your average cybercriminals; they’re the cool kind – the type that doesn’t tell you how much money they want but leaves a mysterious code and a .onion breadcrumb trail. And guess what? They might just be the popular kids from FIN7 in a new goth phase. Ransomware’s got talent, and Black Basta could be singing the next chart-topper in cyber threats!

Key Points:

  • Black Basta, the ransomware equivalent of a bad boy band, has targeted over 500 entities since April 2022, using QakBot and double-extortion tactics.
  • Their ransom notes are less “note” and more “mystery box”, providing codes instead of demands. It’s like cyber-extortion with a side of escape room fun!
  • These guys have a tool belt Batman would envy, with gadgets for network scanning, lateral movement, privilege escalation, and data exfiltration.
  • They might be sharing a treehouse with FIN7, a group known for its previous high scores in the cybercrime leaderboard.
  • Despite their success, the ransomware scene overall is seeing a decline, with victims holding tight to their wallets, and payments dropping faster than my hopes for a diet.
Title: Netlogon Elevation of Privilege Vulnerability
Cve id: CVE-2020-1472
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 01/18/2024
Cve description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Title: Active Directory Domain Services Elevation of Privilege Vulnerability
Cve id: CVE-2021-42287
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 01/18/2024
Cve description: Active Directory Domain Services Elevation of Privilege Vulnerability

Title: Windows Print Spooler Remote Code Execution Vulnerability
Cve id: CVE-2021-34527
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 12/28/2023
Cve description: A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting), and also that your Group Policy settings are correct (see FAQ):
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).
Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
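The advisory above says the two Point and Print values must be 0 or undefined, with NoWarningNoElevationOnInstall = 1 called out as vulnerable by design. The following audit script is an added example, not Microsoft's or the advisory's own code: it reads that policy key, reports each value as secure or not, and shows the Print Spooler service status. It assumes an elevated PowerShell session on the host being checked; the function name Get-PointAndPrintPolicyState is ours.

```powershell
# Added audit example (not from the CVE-2021-34527 advisory): checks the Point and Print
# policy values the advisory requires to be 0 or not defined. Run elevated on the host.
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valuesToCheck = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PointAndPrintPolicyState {
    param([string]$Key = $policyKey, [string[]]$Names = $valuesToCheck)
    $results   = @()
    $keyExists = Test-Path -Path $Key   # key absent by default, which is the secure state
    foreach ($name in $Names) {
        $value = $null
        if ($keyExists) {
            # A missing value name is the default (secure) setting, so it is not treated as an error.
            $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        # Secure when not defined or explicitly 0; any other value (e.g. 1) is flagged.
        $secure   = ($null -eq $value) -or ($value -eq 0)
        $results += [pscustomobject]@{
            Name   = $name
            Value  = if ($null -eq $value) { '<not defined>' } else { $value }
            Secure = $secure
        }
    }
    return $results
}

$state = Get-PointAndPrintPolicyState
$state | Format-Table -AutoSize

$insecure = $state | Where-Object { -not $_.Secure }
if ($insecure) {
    $detail = ($insecure | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
    Write-Warning "Point and Print policy leaves this host exposed: $detail"
} else {
    Write-Output 'Point and Print policy values are at the secure setting (0 or not defined).'
}

# Report the spooler state as well: the advisory points to its Workaround section for hosts
# that cannot take the July 2021 updates, and a stopped spooler is easy to confirm here.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) { Write-Output "Print Spooler service status: $($spooler.Status)" }
```

The script only reads the registry and service state; it does not change anything, so it is safe to run as part of a fleet-wide compliance sweep before and after applying the updates.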

Title: Active Directory Domain Services Elevation of Privilege Vulnerability
Cve id: CVE-2021-42278
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 01/18/2024
Cve description: Active Directory Domain Services Elevation of Privilege Vulnerability

Cve id: CVE-2023-48365
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 11/15/2023
Cve description: Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

Need to know more?

The Ransomware Remix

Black Basta is the stage name for the latest ransomware headliner, and it's not just a one-hit wonder. With over 500 hits since last year, they're remixing the game by encrypting systems and exfiltrating data, making sure they leave no stone unturned—or unencrypted.

Notes from the Underground

Unique among ransomware divas, Black Basta's ransom notes don't talk cash upfront. Instead, they give you a code and tell you to chat on the dark web. It's like getting an invite to a secret club, but the membership fees are... unpredictable.

Gadgetry Galore

Black Basta's toolset reads like a cyber-spy thriller shopping list. From SoftPerfect to Cobalt Strike, and a tool called Backstab that's basically the 'off' switch for EDR software, they're equipped to sneak, peek, and wreak havoc across networks.

Old Friends, New Tricks

There's gossip in the cyber underworld that Black Basta might be FIN7 wearing a new mask. Like a classic band reunion, they're back with a new genre: ransomware. And like any good reunion tour, they've still got the hits but with a fresh twist.

The Plot Thickens

Intrigue is afoot with the CACTUS ransomware campaign exploiting Qlik Sense software vulnerabilities and leaving thousands of servers at risk. Black Basta might be stealing the spotlight, but there's a whole festival of new ransomware acts ready to play the main stage.

The Decline of the Ransomware Empire

Despite Black Basta's rise, the ransomware empire is seeing a decline, with activities dropping by 18% in Q1 2024. Victims are giving a cold shoulder to ransom demands, and payments are shrinking faster than the list of my New Year's resolutions.

The Cost of Doing Business

Victims might be playing hardball, with a record low number choosing to pay up. The average ransom payment took a nosedive too. Yet, the Sophos report hints at a steep hike in the median payment, because just when you think it can't get worse, ransomware says, "Hold my beer."

High Demand, Low Supply

Despite the high stakes, less than a quarter of victims match the ransom demand, with many paying less—or in a twist of fate, even more. It's like a bizarre auction where you're not sure if you're buying an antique or just someone's old junk.

Tags: Black Basta ransomware, critical infrastructure security, Cyber Threat Intelligence, Double-Extortion Model, RaaS operations, Ransomware encryption algorithms, Ransomware payment trends