Rewterz Threat Advisory – Intel Quartus Prime Pro and Intel Quartus Prime Standard Vulnerabilities
November 11, 2022Rewterz Threat Advisory – Multiple Intel Server Board Vulnerabilities
November 11, 2022Rewterz Threat Advisory – Intel Quartus Prime Pro and Intel Quartus Prime Standard Vulnerabilities
November 11, 2022Rewterz Threat Advisory – Multiple Intel Server Board Vulnerabilities
November 11, 2022Severity
High
Analysis Summary
Black Basta is a new ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers
Researchers reported a new strain of the Black Basta ransomware that supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
Also, experts have discovered a new connection between the Black Basta ransomware gang and the QBot malware operation in the threat landscape. QBot malware is being used by the Black Basta gang to propagate laterally throughout the target network.
Impact
- File Encryption
Indicators of Compromise
MD5
- 290d620fd621b5137562c5dc4a438b19
- eca40564a1be06f33503de9e747d09f5
SHA-256
- 15560b1e35a3a8612a7ba91d00dea6b8dd6e4f3f857399c22c0c75377c9b31a2
- 1bb7e645d4ff753157bbdd78829276356cb6660a767ab7158fc7dec3fe8b0e2f
SHA-1
- f056f63a1ce12879a01a3b5b5a0ee2b647c11191
- 642463172e7b2316a52283e17b30b6c8ebc1db8f
Remediation
- Block all threat indicators at your respective controls
- Search for IOCs in your environment.