Black Basta is a new ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers
A new strain of the Black Basta ransomware supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
BlackBasta ransomware received significant updates in November 2022, including file encryption algorithms, stack-based string obfuscation, and per-victim file extensions. Most likely, the ransomware (version 2.0) code modifications are an attempt to better avoid antivirus and EDR detection.
On November 16, 2022, researchers discovered fresh BlackBasta ransomware samples with drastically reduced antivirus detection rates. The current or the latest BlackBasta malware differs significantly from the original BlackBasta ransomware. The file encryption algorithms have been replaced, and the encryption library has been switched from the GNU Multiple Precision Arithmetic Library (GMP) to the Crypto++ encryption library.