TOR chat with Black Basta ransomware operator runs dry
The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by a well organized cybercrime group called Fin7. It has been reported that this group has already breached over 90 organizations and caused over $1B USD in damage.
Infection Cycle:
Upon execution, a console appears with the following text:
It then quickly disables console output using the FreeConsole Windows API:
It obtains information about storage volumes attached to the system and begins its encryption process:
Encrypted files are given a “.basta” file extension.
The malware uses RSA encryption. The key is hardcoded and can be seen in the decompiled binary:
Various configuration options can also be seen in the decompiled code:
In order to prevent system recovery, the malware disables volume shadow copies using the vssadmin.exe program:
The malware drops dlaksjdoiq.jpg
dlaksjdoiq.jpg contains the following image:
A ransom message is written to readme.txt. This file is copied into all directories containing encrypted files:
readme.txt contains the following ransom message:
fkdjsadasd.ico is dropped onto the system:
It contains the following icon:
The tOr link leads to the following page:
After logging in using the requested information, a chat interface is presented:
We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: BlackBasta.RSM (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
