Rewterz Threat Alert – Bad Rabbit Ransomware – Active IOCs
July 5, 2022Rewterz Threat Alert – The Raspberry Robin Worm Infected Hundreds Of Windows Networks – Active IOCs
July 5, 2022Rewterz Threat Alert – Bad Rabbit Ransomware – Active IOCs
July 5, 2022Rewterz Threat Alert – The Raspberry Robin Worm Infected Hundreds Of Windows Networks – Active IOCs
July 5, 2022Severity
High
Analysis Summary
The Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers. Black Basta is a new ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique.
Recently, researchers reported a new strain of the Black Basta ransomware that supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
This new ransomware group’s attacks have improved immensely. It was recently discovered leveraging the banking trojan QakBot and the PrintNightmare vulnerability (CVE-2021-34527) to propagate laterally throughout the target network and perform privileged file actions.
Impact
- File Encryption
Indicators of Compromise
MD5
- 0041695c1309ec4fbd5fca0e8a4fd824
- 8f24a209d47eae18b6f6b5b3b5806982
- 5df3bf0234f0c2af2c470f98243c788f
SHA-256
- 72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e
- c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166
- c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79
SHA-1
- bf0df8dbc7f30408029b4d309d1992bd985672fc
- c9dfcb0ea4efd3920c8f89d9ba0ad6ce0df3dbd6
- 7474a3c2c44e612387d1ff176179187ddc1b9bfc
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have
- access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them
- regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders.
- Block all threat indicators at your respective controls.
- Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls