Freely subscribe to our NEWSLETTER

SentinelLabs’ research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp.

Executive Summary

• SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7
• SentinelLabs assess it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7
• Black Basta maintains and deploys custom tools, including EDR evasion tools
• Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation
• Black Basta operators have a number of Remote Admin Tools (RAT) tools in their arsenal. The threat actor has been observed dropping a self-extracting archive containing all the files needed to run the Netsupport Manager application, staged in the ‘C:\temp’ folder with the name ‘Svvhost.exe’
• The Black Basta actor has been seen using different methods for lateral movement, deploying different batch scripts through psexec towards different machines in order to automate process and services termination and to impair defences. Ransomware has also been deployed through a multitude of machines via psexec.
• In order to impair the host’s defences prior to dropping the locker payload, Black Basta targets installed security solutions with specific batch scripts downloaded into the Windows directory.