Threat behavior
Black Basta encrypts files with the ChaCha20 stream cipher; the ChaCha20 key and nonce are themselves encrypted with an RSA public key that is hard-coded in the sample. Depending on a file's size, the malware encrypts it fully or only partially. Encrypted files are given the .basta extension.
Arrival
Attackers leverage a variety of initial infection vectors to deliver Black Basta, such as Qakbot, phishing, vulnerability exploitation, and email attachments. Black Basta has been observed spreading via Group Policy Objects (GPO).
Initial execution
Upon launching Black Basta, a command window appears, displaying the text “ENCRYPTION”.
Deletes backups and shadow copies
The ransomware deletes all Volume Shadow Copies by running "C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet". (SysNative is the alias through which a 32-bit process reaches the 64-bit System32 directory on 64-bit Windows, so the same binary ends up executing System32\vssadmin.exe.)
Creates an ICO file
The executable creates an ICO file named fkdjsadasd.ico in the Temp directory.
Black Basta creates an icon in the Temp directory
Black Basta creates the registry key HKEY_CLASSES_ROOT\[.fileextension] and sets its default value to the path of the ICO file, so that encrypted files are displayed with this icon.
In an earlier variant of Black Basta, a file named dlaksjdoiwq.jpg is created in the Temp directory populated with instructions from the attacker. The newly created image is set as the Desktop wallpaper.
The JPG Desktop wallpaper file containing instruction from the attacker
Enumeration
Black Basta enumerates attributes from the drives on the device, targeting only the mounted volumes (it does not mount the hidden volumes).
Ransom note
The ransomware creates and populates a ransom note named readme.txt in every directory that is traversed.
An example of a Black Basta ransom note
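Hunting logic for the host artifacts described in the sections above (shadow-copy deletion, the icon dropped in Temp, the registry key for the encrypted-file extension, the ransom note written into each traversed directory, and the renamed files), as an added example that is not part of the original analysis. The telemetry is constructed; the HKEY_CLASSES_ROOT\.basta key combines the [.fileextension] placeholder above with the .basta extension named under Threat behavior; the per-process note-directory threshold is an assumption to tune per estate.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original analysis), in a
# simplified shape of what an EDR or Sysmon pipeline would emit.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "cmd": r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "pid": 4120,
     "cmd": r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /Quiet /All'},
    {"type": "process", "pid": 700, "cmd": r"vssadmin.exe list shadows"},
    {"type": "file", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\fkdjsadasd.ico"},
    {"type": "registry", "pid": 4120, "key": r"HKEY_CLASSES_ROOT\.basta"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\alice\Documents\readme.txt"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\alice\Pictures\readme.txt"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\alice\Documents\q3.xlsx.basta"},
    {"type": "file", "pid": 9001, "path": r"C:\src\project\readme.txt"},
]

VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b")
TEMP_ARTIFACTS = {"fkdjsadasd.ico", "dlaksjdoiwq.jpg"}  # file names from the analysis
ENCRYPTED_EXT = ".basta"
NOTE_NAME = "readme.txt"
EXT_KEY = r"hkey_classes_root\.basta"  # [.fileextension] filled with .basta (assumption)


def _normalize_cmd(cmd):
    """Drop quotes, collapse whitespace, lowercase: path and casing vary."""
    return " ".join(cmd.replace('"', "").split()).lower()


def is_shadow_copy_deletion(cmd):
    """Match 'vssadmin delete shadows' with both /all and /quiet, in any order,
    any casing, from System32, the SysNative alias or a bare name. Substring
    checks also catch the two switches run together without a space."""
    norm = _normalize_cmd(cmd)
    return bool(VSSADMIN_DELETE.search(norm)) and "/all" in norm and "/quiet" in norm


def classify(event):
    """Map one event to a rule name, or None if it matches nothing."""
    kind = event["type"]
    if kind == "process" and is_shadow_copy_deletion(event["cmd"]):
        return "shadow_copy_deletion"
    if kind == "registry" and event["key"].lower().rstrip("\\") == EXT_KEY:
        return "basta_extension_registered"
    if kind == "file":
        path = event["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in TEMP_ARTIFACTS and "\\temp\\" in path:
            return "ransomware_artifact_in_temp"
        if name.endswith(ENCRYPTED_EXT):
            return "basta_extension_written"
        if name == NOTE_NAME:
            return "ransom_note_candidate"
    return None


def detect(events, note_threshold=2):
    """Strong indicators alert on sight. A lone readme.txt is normal on a
    developer box, so it only alerts once a single process has written one
    into `note_threshold` distinct directories (threshold is an assumption)."""
    hits, note_dirs = [], defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule == "ransom_note_candidate":
            dirs = note_dirs[ev["pid"]]
            dirs.add(ev["path"].lower().rsplit("\\", 1)[0])
            if len(dirs) == note_threshold:
                hits.append(("ransom_note_spray", ev["pid"]))
        elif rule:
            hits.append((rule, ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid}")
```

The command-line check deliberately ignores the executable's directory: the analysis shows the SysNative path, but the same deletion looks like System32\vssadmin.exe in 64-bit process telemetry, and a rule keyed on the literal string from the report would miss it.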
Encrypts files
The ransomware creates multiple threads that handle file encryption. The malicious process starts enumerating the files on the drive. The following file and directory names are allowlisted, that is, skipped by the encryption routine:
- $Recycle.Bin
- Windows
- boot
- readme.txt
- dlaksjdoiwq.jpg
- NTUSER.DAT
- fkdjsadasd.ico
The sample also carries a hard-coded list of extensions (.exe, .cmd, .bat, and .com), but the list is not acted on: files with these extensions are still encrypted.
The executable retrieves the identifier of the calling thread with GetCurrentThreadId. The main thread then blocks, by calling Thrd_join, until all encryption threads have finished.
ChaCha20 algorithm
Black Basta generates 32 random bytes as the ChaCha20 key and 8 pseudo-random bytes as the nonce; an 8-byte nonce paired with a 64-bit block counter is the original ChaCha20 layout rather than the 12-byte-nonce IETF variant. The hard-coded RSA public key is used to encrypt the generated ChaCha20 key and nonce. The process builds the initial ChaCha20 state from the key, the nonce, and the cipher's constant words, and encrypts the file content 64 bytes (one keystream block) at a time.
The encrypted data is written back to the file, and the buffer holding the RSA-encrypted ChaCha20 key and nonce is appended to the end of the encrypted file. Black Basta then changes the file extension to .basta.
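The scheme described above carried through in working code, as an added example that is not part of the original analysis or the malware's own code: the 8-byte-nonce ChaCha20 state, 64-byte keystream blocks, and the file layout with the wrapped key appended at the end. The RSA step is represented by an opaque blob and an `unwrap` callback supplied by the caller, because the analysis does not give the RSA padding scheme or key size; a real decryptor would pass the RSA private-key decryption there.

```python
import os
import struct

BLOCK_SIZE = 64  # ChaCha20 emits keystream in 64-byte blocks, as the analysis notes
MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_initial_state(key, nonce, counter=0):
    """Original ChaCha20 layout (the one an 8-byte nonce implies):
    words 0-3 constants, 4-11 key, 12-13 a 64-bit block counter, 14-15 nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expected a 32-byte key and an 8-byte nonce")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    return (list(constants)
            + list(struct.unpack("<8I", key))
            + list(struct.unpack("<2I", struct.pack("<Q", counter)))
            + list(struct.unpack("<2I", nonce)))


def chacha20_block(state):
    """20 rounds (10 column/diagonal double rounds), then add the input state."""
    w = list(state)
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """XOR `data` with the keystream 64 bytes at a time; the same call decrypts.
    The last block may be short, which is why a stream cipher needs no padding."""
    state = chacha20_initial_state(key, nonce, counter)
    out = bytearray()
    for off in range(0, len(data), BLOCK_SIZE):
        keystream = chacha20_block(state)
        out += bytes(p ^ k for p, k in zip(data[off:off + BLOCK_SIZE], keystream))
        ctr = (state[12] | (state[13] << 32)) + 1  # advance the 64-bit counter
        state[12], state[13] = ctr & MASK32, (ctr >> 32) & MASK32
    return bytes(out)


def generate_key_and_nonce():
    """32 random key bytes and 8 random nonce bytes, as the analysis describes."""
    return os.urandom(32), os.urandom(8)


def encrypt_file_bytes(plaintext, key, nonce, wrapped_key_blob):
    """Layout from the analysis: ciphertext, then the RSA-encrypted key+nonce
    blob appended at the end. `wrapped_key_blob` is whatever the RSA step
    produced; its length equals the RSA modulus size, which the analysis omits."""
    return chacha20_xor(key, nonce, plaintext) + wrapped_key_blob


def decrypt_file_bytes(file_bytes, blob_len, unwrap):
    """Recovery side: split off the trailing blob, recover key||nonce from it
    (`unwrap` = RSA private-key decryption, supplied by the caller), decrypt."""
    ciphertext, blob = file_bytes[:-blob_len], file_bytes[-blob_len:]
    key_nonce = unwrap(blob)
    return chacha20_xor(key_nonce[:32], key_nonce[32:40], ciphertext)
```

Because the key and nonce are appended to each file rather than stored elsewhere, recovery depends entirely on the RSA private key the operators hold; the block-counter handling also shows why a partially encrypted file can be decrypted independently of how much of it was processed, as long as the decryptor knows which byte ranges were touched.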
Sample used in this analysis
This ransomware has multiple variants that exhibit varying behaviors. This analysis is based on the following sample:
SHA256
- ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e