TrendMicro’s research team posted a simple and clean overview of the Black Basta ransomware infection routine. The post can be found HERE. Some key takeaways regarding how this ransomware works:
- Administrator rights are needed for the ransomware to run. This is yet another example of why organizations should not let just any user have admin rights on company-controlled systems unless the proper security controls are in place.
- If the ransomware is able to run, it disables Windows recovery and repair, changes the desktop to display the ransom message, and reboots the system into safe mode.
- Encrypted files are given the .basta file extension.
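The takeaways above are all observable on the endpoint, so here is an added detection sketch (my own example, not code from TrendMicro's post) that correlates them per host over constructed Sysmon-style events. It assumes the events arrive as dicts shaped like Sysmon process-creation (EventID 1) and file-creation (EventID 11) records, and it assumes the safe-mode and recovery changes are made through bcdedit.exe, which the post does not state.

```python
"""Per-host correlation of the Black Basta behaviours summarised above.

Assumptions not stated in the post: Sysmon-shaped event dicts, and
boot-configuration tampering performed via bcdedit.exe.
"""
import re
from collections import defaultdict

BASTA_EXT = ".basta"
# Assumption: the post only says recovery is disabled and the host is
# rebooted into safe mode; bcdedit is the usual tool for both changes.
BOOT_TAMPER = re.compile(r"bcdedit(\.exe)?\b.*\b(safeboot|recoveryenabled)\b", re.I)
FILE_BURST_THRESHOLD = 5  # .basta file creations per host before alerting


def classify(event):
    """Tag one event as 'encrypted_file', 'boot_tamper', or None if benign."""
    if event.get("EventID") == 11 and event.get("TargetFilename", "").lower().endswith(BASTA_EXT):
        return "encrypted_file"
    if event.get("EventID") == 1 and BOOT_TAMPER.search(event.get("CommandLine", "")):
        return "boot_tamper"
    return None


def detect(events):
    """Return {host: [behaviour descriptions]} for hosts that trip a rule."""
    per_host = defaultdict(lambda: {"encrypted_file": 0, "boot_tamper": 0})
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["Computer"]][tag] += 1
    alerts = {}
    for host, counts in per_host.items():
        behaviours = []
        if counts["encrypted_file"] >= FILE_BURST_THRESHOLD:
            behaviours.append("mass .basta file creation")
        if counts["boot_tamper"]:
            behaviours.append("boot configuration tampering")
        if behaviours:
            alerts[host] = behaviours
    return alerts


# Constructed sample telemetry for the demo; not real events.
SAMPLE_EVENTS = [
    *[{"EventID": 11, "Computer": "WS01",
       "TargetFilename": f"C:\\Users\\a\\Documents\\report{i}.docx.basta"} for i in range(6)],
    {"EventID": 1, "Computer": "WS01", "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 11, "Computer": "WS02", "TargetFilename": "C:\\Users\\b\\notes.txt"},
    {"EventID": 1, "Computer": "WS02", "CommandLine": "notepad.exe C:\\Users\\b\\notes.txt"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # WS01 trips both rules; WS02 stays quiet
```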
There are signs that this may be another Conti effort, but nothing is confirmed. I recommend reading the post, pulling out the tactics and techniques being used, and then challenging your organization with a hypothetical run-through of how you would respond to this attack.
Note: the post doesn’t speak to the initial compromise that allows the ransomware to be installed, so you should also think about the different exploitation methods that could lead to this variant being installed. Remember that ransomware is just one of the bad things that can happen once a system is compromised. The post also doesn’t speak to how the ransomware spreads; its focus is how the malware (specifically Black Basta) runs on a compromised desktop. To properly test against this type of attack, you will also need to evaluate the risk of initial exploitation and lateral movement: how you protect your backup data, how your SOC monitors and performs incident response, what risk exists within the network, and so on.