TOR chat with Black Basta ransomware operator runs dry

November 11, 2022

The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by a well-organized cybercrime group called Fin7. It has been reported that this group has already breached over 90 organizations and caused over $1B USD in damage.


Infection Cycle:


Upon execution, a console appears with the following text:


It then quickly disables console output using the FreeConsole Windows API:


It obtains information about storage volumes attached to the system and begins its encryption process:


Encrypted files are given a “.basta” file extension.


The malware uses RSA encryption. The key is hardcoded and can be seen in the decompiled binary:


Various configuration options can also be seen in the decompiled code:


In order to prevent system recovery, the malware disables volume shadow copies using the vssadmin.exe program:
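Deleting shadow copies before encryption is one of the few steps in this infection cycle that leaves a loud, easily collected signal: a process-creation event for vssadmin.exe. The following detection script is an added example and not part of the SonicWall write-up or its signatures. It parses a constructed, flattened process-creation log (field names and the allowlisted backup agent path are assumptions, chosen to resemble Windows 4688 / Sysmon Event ID 1 data), flags any vssadmin invocation that deletes shadows, and rates it lower only when the parent process is a known backup agent for that environment.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each line
# flattens the fields a Windows 4688 or Sysmon Event ID 1 record would carry.
# Values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    r'ts=2022-11-11T10:02:13Z host=WS01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'ts=2022-11-11T10:05:41Z host=WS01 parent=C:\Users\alice\Downloads\invoice.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2022-11-11T10:05:42Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"',
    r'ts=2022-11-11T10:07:00Z host=SRV02 parent="C:\Program Files\BackupAgent\agent.exe" image=C:\Windows\System32\vssadmin.exe cmdline="VSSADMIN.EXE Delete Shadows /For=C: /Oldest"',
]

# Assumed allowlist: parent processes that legitimately manage shadow copies in
# this hypothetical environment. It must be tuned per environment.
KNOWN_BACKUP_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# key=value pairs; the value is either a double-quoted string or a run of
# non-whitespace characters (so unquoted Windows paths survive intact).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Matches "vssadmin[.exe] ... delete ... shadows" regardless of case or of
# extra switches between the tokens (/all, /for=C:, /oldest, /quiet ...).
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def scan(lines):
    """Return one finding per event whose command line deletes shadow copies."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not SHADOW_DELETE.search(ev.get("cmdline", "")):
            continue
        parent = ev.get("parent", "").lower()
        findings.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "parent": ev.get("parent"),
            "cmdline": ev.get("cmdline"),
            # A backup agent deleting old shadows is routine; anything else
            # doing it is a strong precursor of ransomware-style encryption.
            "severity": "info" if parent in KNOWN_BACKUP_PARENTS else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the command line rather than on the image path alone matters because `vssadmin list shadows` is harmless, while a copy of vssadmin.exe launched from a user-writable directory would still carry a `delete shadows` command line; the parent-process allowlist keeps scheduled backup maintenance from paging anyone.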


The malware drops dlaksjdoiq.jpg.


dlaksjdoiq.jpg contains the following image:


A ransom message is written to readme.txt. This file is copied into all directories containing encrypted files:


readme.txt contains the following ransom message:


fkdjsadasd.ico is dropped onto the system:


It contains the following icon:
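The file-level indicators described above (the .basta extension, readme.txt in every directory holding encrypted files, and the dropped dlaksjdoiq.jpg and fkdjsadasd.ico) are enough to scope an incident from a disk image or a mounted share without running the sample. The triage script below is an added example, not SonicWall tooling; the artifact names come from this write-up, while the directory tree it walks is constructed inline so the script runs offline.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".basta"
RANSOM_NOTE = "readme.txt"
DROPPED_ARTIFACTS = {"dlaksjdoiq.jpg", "fkdjsadasd.ico"}


def triage(root):
    """Walk a tree and report the Black Basta file indicators found under it.

    All paths in the report are relative to root and use forward slashes so
    the output is stable across platforms. Name comparisons are
    case-insensitive because NTFS is.
    """
    root = Path(root)
    report = {
        "encrypted_files": [],
        "dirs_with_note": [],
        "dirs_missing_note": [],  # encrypted files present but no readme.txt
        "dropped_artifacts": [],
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        encrypted = [n for n in filenames if n.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(n.lower() == RANSOM_NOTE for n in filenames)

        report["encrypted_files"].extend((d / n).relative_to(root).as_posix() for n in encrypted)
        if has_note:
            report["dirs_with_note"].append(rel_dir)
        if encrypted and not has_note:
            report["dirs_missing_note"].append(rel_dir)
        report["dropped_artifacts"].extend(
            (d / n).relative_to(root).as_posix() for n in filenames if n.lower() in DROPPED_ARTIFACTS
        )
    for key in report:
        report[key].sort()
    return report


def build_sample_tree():
    """Create a constructed directory tree that mimics a partially encrypted host.

    Contents are placeholders; no real ransom note text or malware is written.
    """
    root = Path(tempfile.mkdtemp(prefix="basta_triage_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx.basta").write_bytes(b"\x00" * 16)
    (root / "Documents" / "readme.txt").write_text("constructed placeholder note\n")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.basta").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "dlaksjdoiq.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "Users" / "tmp").mkdir(parents=True)
    (root / "Users" / "tmp" / "fkdjsadasd.ico").write_bytes(b"\x00\x00\x01\x00")
    (root / "Users" / "tmp" / "notes.txt").write_text("untouched\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for key, value in triage(sample_root).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(sample_root)
```

The dirs_missing_note list is worth keeping even though the write-up says the note lands in every affected directory: a directory with .basta files and no readme.txt usually means encryption was interrupted (the process was killed, or the volume filled up), which tells the responder where the run stopped.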


The Tor link leads to the following page:


After logging in using the requested information, a chat interface is presented:


We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BlackBasta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.