Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs
December 6, 2022Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
December 7, 2022Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs
December 6, 2022Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
December 7, 2022Severity
High
Analysis Summary
Black Basta is a new ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers
A new strain of the Black Basta ransomware supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
BlackBasta ransomware received significant updates in November 2022, including file encryption algorithms, stack-based string obfuscation, and per-victim file extensions. Most likely, the ransomware (version 2.0) code modifications are an attempt to better avoid antivirus and EDR detection.
On November 16, 2022, researchers discovered fresh BlackBasta ransomware samples with drastically reduced antivirus detection rates. The current or the latest BlackBasta malware differs significantly from the original BlackBasta ransomware. The file encryption algorithms have been replaced, and the encryption library has been switched from the GNU Multiple Precision Arithmetic Library (GMP) to the Crypto++ encryption library.
Impact
- Files Encryption
Indicators of Compromise
MD5
59db7bd22d4ec503b768ece646205c27
b113be47b5b601e0a58d774b4ce70a17
0bf7bc20496143a9f028e77ab47b4698
SHA-256
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
c4c8be0c939e4c24e11bad90549e3951b7969e78056d819425ca53e87af8d8ed
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
SHA-1
ff57cda4829978d8b6f7f1f31356f291b37acaa6
b1b3d7d20ccad8130723d5114c64b66afa8011d4
aa54013aeb502b4a936331deb76a6411f1f1ade7
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders