Black Basta is a RaaS program that emerged in April 2022 with ransomware samples dating back to February 2022. Current intelligence indicates that Black Basta emerged from the crumbled ashes of the Conti operation. The ransomware is written in the C++ programming language and supports Windows and Linux operating systems. Black Basta operators use the double extortion scheme threatening victim organizations with leaking exfiltrated data on the threat group’s TOR-based web site Basta News should the victims not pay ransom.
Black Basta is rapidly gaining ground on the ransomware scene and targets major organizations globally – the ransomware operation reported more than 20 victim organizations on Basta News within the first two weeks of its existence. Targeting, especially early on, was primarily focused on utilities, technology, financial, and manufacturing industries. For example, the major German building materials manufacturer Knauf suffered an attack conducted by Black Basta affiliates at the end of June 2022.
Like PLAY ransomware, Black Basta does not feature encryption modes that can be configured by the ransomware operator, but orchestrates intermittent encryption based on the size of the file under encryption. Black Basta encrypts:
all file content, if the file size is less than 704 bytes;
every 64 bytes, starting from the beginning of the file, skipping 192 bytes, if the file size is less than 4 KB;
every 64 bytes, starting from the beginning of the file, skipping 128 bytes, if the file size is greater than 4 KB.
Our analysis showed that for a file with a size greater than 4 KB, the Black Basta ransomware encrypted 64 byte portions with an interval of 128 bytes between each, until the end of the file. In similar fashion to PLAY ransomware, the file consisted only of null characters, making the encrypted and non-encrypted chunks
Conclusion
Intermittent encryption is a very useful tool to ransomware operators. This encryption method helps to evade some ransomware detection mechanisms and encrypt victims’ files faster. Given the significant benefits to threat actors while also being practical to implement, we estimate that intermittent encryption will continue to be adopted by more ransomware families.
SentinelOne Singularity fully detects these ransomware samples.
Ransomware Samples
Family
SHA1
Agenda
5f99214d68883e91f586e85d8db96deda5ca54af
BlackCat
8917af3878fa49fe4ec930230b881ff0ae8d19c9
PLAY
14177730443c70aefeeda3162b324fdedf9cf9e0
Black Basta
a996ccd0d58125bf299e89f4c03ff37afdab33fc