ZeroLogon to NoPac Vulnerability: Black Basta Group’s Exploit Arsenal Revealed

Black Basta group
Desktop background on victim’s system after encryption | Image: Qualys

Qualys has released a comprehensive report shedding light on the Black Basta ransomware, a highly disruptive threat that has wreaked havoc across industries since its emergence in April 2022. Operating under the Ransomware-as-a-Service (RaaS) model, the group has developed a reputation for its double extortion scheme, where victims not only face ransom demands to recover encrypted data but are also threatened with the release of sensitive information unless payments are made.

Black Basta has drawn comparisons to Conti, another infamous ransomware group, due to similarities in operational tactics. As Qualys details, Black Basta has leveraged its approach to attack over 500 organizations globally, spanning industries such as critical infrastructure, healthcare, and financial services across North America, Europe, and Australia.

The group gains initial footholds within victim networks via familiar methods: phishing, Qakbot infections, Cobalt Strike beacons, and exploiting known vulnerabilities. Among these are well-known exploits like ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and NoPac (CVE-2021-42287), which allow attackers to gain administrative privileges and maintain persistence.

Once inside, the group employs tools such as Mimikatz to harvest credentials, PowerShell for remote execution, and other legitimate software to blend into the network environment. This reconnaissance phase is essential for identifying high-value targets before deploying the ransomware payload.

Notably, the report suggests a possible link between Black Basta and the FIN7 group, a financially motivated criminal enterprise. Both groups share an affinity for using sophisticated toolkits designed to bypass detection systems, including Cobalt Strike and SystemBC. Black Basta is also adept at using remote administration software like RClone and WinSCP for exfiltrating critical data before encryption.

A distinctive hallmark of Black Basta attacks is their use of the ChaCha20 encryption algorithm, which is widely recognized for its speed and strength. The key is further protected using RSA-4096, making decryption efforts without the attacker’s cooperation nearly impossible. Victims find their files encrypted, with ominous ransom notes like “readme.txt” or “instructions_read_me.txt” left in the system, providing instructions on how to negotiate payment.

Black Basta is a fervent practitioner of double extortion: they first pilfer data and then encrypt it, brandishing the threat of publishing sensitive information if the ransom demands are not met.

Related Posts: