New Ransomware "Black Basta" in the Wild
Description
FortiGuard Labs is aware of a new ransomware variant called "Black Basta" discovered in the wild. The ransomware employs a double-extortion tactic in which it encrypts files and exfiltrates confidential information from the victim, then demands a ransom for decrypting the affected files and threatens to publicize the exfiltrated data if a ransom is not paid.
Black Basta ransomware is reported to have victimized several organizations in multiple countries.
Why is this Significant?
This is significant because Black Basta is a new ransomware that is reported to have victimized several organizations in multiple countries.
What is Black Basta ransomware?
Black Basta is a new ransomware that demands ransom from the victim for decrypting victim's files it encrypted and not to release the stolen data to the public.
Black Basta ransomware deletes shadow copies from the compromised machine, which prevents the victim from being able to recover any files that have been encrypted. The ransomware also replaces the desktop wallpaper with an image with a black background that has the following ransom message:
Your network is encrypted by
the Black Basta group.
Instructions in the file
readme.txt.
The ransomware then will then restart the compromised machine in safe mode with the Windows Fax service running. After the reboot, the service launches the ransomware in order to start encrypting files. Files that are encrypted by Black Basta ransomware have ".basta" file extension and also have the ransomware's own file icon. Readme.txt, also dropped by the ransomware, contains a ransom note to instruct the victim to use a specific TOR address to contact the attacker.
What does the Windows Fax service have to do with this? Is it Vulnerable?
The Windows Fax Service is not vulnerable. The Windows Fax service is attacked to maintain persistence and in this variant of Black Basta, it is hijacking an existing service name (in this case Windows Fax), deleting it, and spawning a new service with the same name.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against known samples of Black Basta ransomware:
W32/Filecoder.OKW!tr
W32/Kryptik.HPHI!tr
W32/Filecoder.OKT!tr
W32/Filecoder.OKW!tr.ransom
W32/Filecoder.OKT!tr.ransom
W32/Malicious_Behavior.VEX
Appendix
New Black Basta Ransomware Hijacks Windows Fax Service (Minerva)