Black Basta ransomware: Attacks deploy custom EDR evasion tools tied to FIN7 threat actor

Black Basta ransomware emerged in April 2022 and went on a spree, breaching over 90 organisations by September 2022. The rapidity and volume of attacks prove that the actors behind Black Basta are well-organised and well-resourced, and yet there have been no indications of Black Basta attempting to recruit affiliates or advertising as a RaaS on the usual darknet forums or crimeware marketplaces. This has led to much speculation about the origin, identity and operation of the Black Basta ransomware group.

SentinelLabs’ research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp.

Executive Summary

  • SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7
  • SentinelLabs assess it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7
  • Black Basta maintains and deploys custom tools, including EDR evasion tools
  • Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation
  • Black Basta operators have a number of Remote Admin Tools (RAT) tools in their arsenal. The threat actor has been observed dropping a self-extracting archive containing all the files needed to run the Netsupport Manager application, staged in the ‘C:\temp’ folder with the name ‘Svvhost.exe’
  • The Black Basta actor has been seen using different methods for lateral movement, deploying different batch scripts through psexec towards different machines in order to automate process and services termination and to impair defences. Ransomware has also been deployed through a multitude of machines via psexec.
  • In order to impair the host’s defences prior to dropping the locker payload, Black Basta targets installed security solutions with specific batch scripts downloaded into the Windows directory.

To read the full report, click this link.