Threat Overview - Black Basta Ransomware and Threat Group
Black Basta Ransomware and Threat Group (originally seen in 2022) is known to encrypt files on a victim's computer or network, and hold data "ransom" until the victim pays the attacker for the decryption key/software. Further, the group utilizes a double extortion tactic - which means that after the data is encrypted and held ransom, there also exists a threat of publishing the data (which was exfiltrated before encryption) to the public. Financially motivated and Russian-speaking, Black Basta operates under the Ransomware-as-a-Service (RaaS) model and has targeted many countries worldwide; including the United States, Japan, Australia, The United Kingdom, Canada and New Zealand.
GO TO COLLECTION
DOWNLOAD THE REPORT
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
GET YOUR FREE HUNTER COMMUNITY ACCOUNT!
Hunt Packages
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
ACCESS HUNT PACKAGE
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
ACCESS HUNT PACKAGE
This package is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key by changing the value from a 0 to a 1 via Powershell commandlets.
ACCESS HUNT PACKAGE
Searches for multiple LOLB network discovery and configuration tools being run in a short period of time. This indicates an attacker attempting to perform network discovery of assets that are reachable, as well as the local configuration of the system.
ACCESS HUNT PACKAGE
This will identify processes executed with common arguments associated with rclone activity used to exfiltrate.
ACCESS HUNT PACKAGE
This package is designed when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.
ACCESS HUNT PACKAGE
This package utilizes a list of commonly abused LOLB which an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host. To reduce false positives, distinct counts per process name can be utilized to ensure over 5 unique processes from the list were executed versus just checking more than 6 events were generated on the host.
ACCESS HUNT PACKAGE
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
ACCESS HUNT PACKAGE
Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.
ACCESS HUNT PACKAGE
This package is intended to identify when a scheduled task command is executed to create a task utilizing PowerShell to execute a base64 encoded payload that has been stored in the Windows Registry.
ACCESS HUNT PACKAGE
This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command line arguments used to install and register the agent to an unauthorized account. This package uses different artifacts in order to identify this behavior. Check out the 'Deployment Requirements' section for each tool in order to understand the limitations or requirements.
ACCESS HUNT PACKAGE
This hunt package is designed to capture the activity surrounding commandline arguments being executed in order to enable Remote Desktop Protocol (RDP).
ACCESS HUNT PACKAGE
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
ACCESS HUNT PACKAGE
This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource.
ACCESS HUNT PACKAGE
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key or by modifying how Microsoft Defender will respond to threats based by changing the configuration through registry keys.
ACCESS HUNT PACKAGE
This use case is meant to identify when calc.exe contains a child process other than calc.exe. Calc.exe containing a child process other than itself should be considered abnormal, and could be indicative of process injection or other malicious activity.
ACCESS HUNT PACKAGE
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
ACCESS HUNT PACKAGE
This Hunt Package is designed to identify files executed (such as DLLs) from a temporary directory by regsvr32.exe. This LOLB is often abused to proxy execution or launch malicious applications/malware.
ACCESS HUNT PACKAGE