TOR chat with Black Basta ransomware operator runs dry

---

The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by a well organized cybercrime group called Fin7. It has been reported that this group has already breached over 90 organizations and caused over $1B USD in damage.

 

Infection Cycle:

 

Upon execution, a console appears with the following text:

 

It then quickly disables console output using the FreeConsole Windows API:

 

It obtains information about storage volumes attached to the system and begins its encryption process:

 

Encrypted files are given a “.basta” file extension.

 

The malware uses RSA encryption.  The key is hardcoded and can be seen in the decompiled binary:

 

Various configuration options can also be seen in the decompiled code:

 

In order to prevent system recovery, the malware disables volume shadow copies using the vssadmin.exe program:

 

The malware drops dlaksjdoiq.jpg

 

dlaksjdoiq.jpg contains the following image:

 

A ransom message is written to readme.txt.  This file is copied into all directories containing encrypted files:

 

readme.txt contains the following ransom message:

 

fkdjsadasd.ico is dropped onto the system:

 

It contains the following icon:

 

The tOr link leads to the following page:

 

After logging in using the requested information, a chat interface is presented:

 

We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: BlackBasta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.