The Black Basta ransomware group has been adding new tactics to increase its impact. Since October 2024, reports describe a shift toward more elaborate social engineering, paired with loaders such as Zbot (ZLoader) and DarkGate as the first-stage payloads.
Email Bombing and Targeted Engagement
One of Black Basta's newer tactics is email bombing. According to Rapid7, the attackers subscribe the target's address to a large number of mailing lists, so the victim's inbox fills with subscription confirmations and newsletters within minutes. The flood is the pretext: once it starts, the attackers contact the victim directly, posing as IT support offering to help with the "spam problem".
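A mail-gateway detection for the burst described above, as an added example that is not part of the original article. The log format, the thresholds and the sample records are constructed for the example; the heuristic is that a subscription bomb hits one recipient from many distinct sender domains in a short window, whereas ordinary newsletter traffic comes from a handful of domains spread over the day.

```python
"""Flag inbound mail bursts that look like an email-bombing distraction campaign.

Heuristic: many messages to ONE recipient, from MANY distinct sender domains,
inside a short sliding window. Field layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed mail-gateway records (not real log data). One record per line:
# <ISO-8601 timestamp> <recipient> <sender> <subject>
BASE = datetime(2024, 12, 5, 9, 0, tzinfo=timezone.utc)


def _record(when, rcpt, sender, subject):
    return f"{when.isoformat().replace('+00:00', 'Z')} {rcpt} {sender} {subject}"


# Target: 40 subscription confirmations from 40 different domains in under five minutes.
BOMB_RECORDS = [
    _record(BASE + timedelta(seconds=7 * i), "alice@corp.example",
            f"noreply@site{i:02d}.example", "Please confirm your subscription")
    for i in range(40)
]
# Control: a colleague receiving normal mail from two senders over six minutes.
NORMAL_RECORDS = [
    _record(BASE + timedelta(minutes=i), "bob@corp.example",
            "alerts@monitoring.example" if i % 2 else "hr@corp.example", "Weekly update")
    for i in range(6)
]
SAMPLE_MAIL_LOG = "\n".join(BOMB_RECORDS + NORMAL_RECORDS)


def parse_mail_log(text):
    """Return {recipient: [(timestamp, sender_domain), ...]}, each list sorted by time."""
    per_recipient = defaultdict(list)
    for line in text.strip().splitlines():
        ts, rcpt, sender, _subject = line.split(" ", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        per_recipient[rcpt].append((when, sender.rsplit("@", 1)[-1].lower()))
    for events in per_recipient.values():
        events.sort()
    return per_recipient


def detect_email_bombing(text, window=timedelta(minutes=10),
                         min_messages=20, min_domains=15):
    """Sliding-window check. Returns {recipient: (messages, distinct_domains)}
    for every recipient whose busiest window crosses both thresholds."""
    alerts = {}
    for rcpt, events in parse_mail_log(text).items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {domain for _, domain in span}
            if len(span) >= min_messages and len(domains) >= min_domains:
                # Keep the largest burst seen for this recipient.
                alerts[rcpt] = max(alerts.get(rcpt, (0, 0)), (len(span), len(domains)))
    return alerts


if __name__ == "__main__":
    for rcpt, (count, domains) in detect_email_bombing(SAMPLE_MAIL_LOG).items():
        print(f"ALERT {rcpt}: {count} messages from {domains} domains inside the window")
```

The alert by itself only says "this mailbox is being flooded"; its value is as a trigger to warn the user and the help desk that an unsolicited "IT support" call or Teams chat is likely to follow, and to have the help desk confirm any such contact through an internal channel.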
Earlier, in August 2024, Black Basta operators were seen impersonating IT support staff over Microsoft Teams, using fake accounts to build trust. These methods rely on the victim's trust in IT support rather than on any software flaw: the "technician" talks the user into installing a legitimate remote access tool such as:
- AnyDesk
- ScreenConnect
- TeamViewer
- Microsoft Quick Assist
Microsoft tracks this activity under the identifier Storm-1811, noting that the threat actors use Quick Assist sessions to stage and deploy ransomware payloads.
Using QR Codes to Steal Credentials
Another concerning method involves sending malicious QR codes through chat messages. Victims are tricked into scanning these codes under the guise of adding trusted devices. These QR codes either lead to credential theft or redirect victims to malicious infrastructure, as reported by cybersecurity firm ReliaQuest.
Payload Deployment via Remote Access
Once the attackers gain remote access, they deliver additional malicious tools to compromised systems, including:
- Credential harvesting programs
- Zbot (ZLoader) or DarkGate malware, which serve as the foothold for the follow-on intrusion.
The primary goal remains consistent:
- Rapidly map out the victim's environment.
- Steal credentials and VPN configuration files, and bypass multi-factor authentication (MFA), in order to get into the target network.
Black Basta: From Botnets to Hybrid Models
Emerging as an independent group after Conti disbanded in 2022, Black Basta initially relied on QakBot for initial access. Over time, the group layered social engineering onto its botnet-driven operations and added custom malware families such as:
- KNOTWRAP: A memory-only dropper that executes an embedded payload without writing it to disk.
- KNOTROCK: A .NET-based utility for ransomware execution.
- DAWNCRY: A memory-only dropper that decrypts resources using a hard-coded key.
- PORTYARD: A tunneling tool that connects to a command-and-control (C2) server.
- COGSCAN: A reconnaissance tool to gather network host data.
“Black Basta’s hybrid approach demonstrates their ability to blend botnet capabilities with advanced social engineering tactics,” said Yelisey Bohuslavskiy from RedSense.
Broader Ransomware Landscape
The disclosure of Black Basta’s latest techniques coincides with Check Point’s analysis of an updated Rust variant of the Akira ransomware, showcasing the increasing sophistication of modern malware. Other notable developments include:
- Mimic ransomware variant (Elpaco)
- Rhysida infections using CleanUpLoader for persistence and data theft.
Additionally, SEO poisoning has been used to trick users into downloading malware. Threat actors register typosquatted domains that imitate the download pages of popular software such as Microsoft Teams or Google Chrome, then push those pages up in search results to distribute trojanized installers.
Mitigation and Cybersecurity Insights
Organizations should remain vigilant against these evolving threats by:
- Educating employees about phishing, email bombing, and social engineering tactics.
- Restricting the installation and execution of remote access tools to approved IT personnel, and removing or blocking tools such as Quick Assist on endpoints that do not need them.
- Layering controls (email filtering, endpoint detection, application allowlisting) so that a single successful social-engineering call does not lead straight to a ransomware deployment.
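The remote access tools listed earlier (AnyDesk, ScreenConnect, TeamViewer, Quick Assist) are all legitimate, so the useful signal is not the binary itself but who runs it and from where. The following is an added detection example, not code from the article or from any of the vendors it cites: it reads constructed Sysmon-style process-creation events and flags any listed tool launched by an account outside an assumed IT allowlist, with an extra marker when the binary runs from a user profile directory (the usual sign that the user just downloaded it during the call). The event field names, host and account names and the allowlist are all assumptions.

```python
"""Flag remote-access tool launches by accounts outside the IT allowlist.

Input is JSON lines with Sysmon-like fields (Host, User, Image, ParentImage);
the field names, the allowlist and the sample events are constructed for this
example.
"""
import json
from pathlib import PureWindowsPath

# Image basenames of the tools the article names, lower-cased for matching.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "quickassist.exe": "Microsoft Quick Assist",
}

# Assumed: the only accounts permitted to run remote-support tools.
IT_ALLOWLIST = {"CORP\\helpdesk01", "CORP\\helpdesk02"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""
{"Host":"WS-FIN-07","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\quickassist.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Host":"WS-HR-03","User":"CORP\\mchen","Image":"C:\\Users\\mchen\\Downloads\\AnyDesk.exe","ParentImage":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"Host":"IT-ADMIN-01","User":"CORP\\helpdesk01","Image":"C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Host":"WS-FIN-07","User":"CORP\\jdoe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe"}
{"Host":"WS-DEV-02","User":"CORP\\rlee","Image":"C:\\Users\\rlee\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}
"""


def classify_event(event):
    """Return an alert dict for a suspicious RMM launch, or None if the event is benign."""
    image_name = PureWindowsPath(event["Image"]).name.lower()
    product = RMM_BINARIES.get(image_name)
    if product is None:
        return None                      # not a remote-access tool we care about
    if event["User"] in IT_ALLOWLIST:
        return None                      # approved IT account; expected usage
    return {
        "host": event["Host"],
        "user": event["User"],
        "product": product,
        # Launched from a profile directory: almost certainly just downloaded
        # by the user, which matches the social-engineering playbook.
        "from_user_profile": "\\users\\" in event["Image"].lower(),
        "parent": PureWindowsPath(event["ParentImage"]).name,
    }


def detect_rmm_abuse(jsonl):
    """Run classify_event over JSON-lines telemetry and return the alerts in order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        hit = classify_event(json.loads(line))
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        where = "user profile dir" if alert["from_user_profile"] else "system location"
        print(f"ALERT {alert['host']}: {alert['product']} started by {alert['user']} "
              f"from {where} (parent {alert['parent']})")
```

Quick Assist deserves special handling because it ships with Windows and therefore cannot be blocked by refusing installs; on endpoints that do not need it, the built-in capability can be removed with `Remove-WindowsCapability -Online -Name App.Support.QuickAssist~~~~0.0.1.0`, and the detection above then catches any attempt to bring it back.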
Black Basta's rise illustrates the growing complexity of ransomware attacks, emphasizing the need for robust defenses and proactive threat intelligence.