What Is Black Basta?
Black Basta (S1070) is a prolific ransomware strain that emerged in early 2022. Security researchers believe its developers have strong ties to established cybercriminal groups such as Conti and FIN7.
Operating as a Ransomware-as-a-Service (RaaS), the malware relies on affiliates to execute the initial network breach. Historically, attackers deployed the Qakbot botnet to gain a foothold, but they now rely on newer loaders like DarkGate and Pikabot. Once inside, attackers use tools like Cobalt Strike and Mimikatz to move laterally and escalate privileges before exfiltrating sensitive data.
Next, the attackers deploy the Black Basta payload to encrypt critical systems. The malware deletes local volume shadow copies using legitimate administrative tools. This destructive step prevents IT teams from easily restoring data.
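The shadow-copy deletion described above is carried out with built-in administrative tools, which is exactly why it is such a useful detection point: the commands are rarely run legitimately on workstations, and when they appear they usually mean encryption is imminent. The following is an added example (not code from the original page or from Lumu) of a small endpoint detection pass over constructed process-creation events. The field names (`host`, `user`, `image`, `cmdline`), the sample events and the rule patterns are assumptions chosen to resemble Sysmon-style telemetry; the command syntax matched is the well-known `vssadmin delete shadows`, `wmic shadowcopy delete` and WMI `Win32_ShadowCopy` removal forms, plus Mimikatz module names for the credential-dumping case.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (simplified Sysmon Event ID 1
# style fields). These are illustrative records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign inventory
    {"host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Program Files\App\app.exe",
     "cmdline": "app.exe --update"},                    # benign
]

# Detection rules: (rule name, regex applied to the normalized command line).
# Patterns are assumptions for this example; tune them to your own telemetry.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_copy_deletion",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
    ("credential_dumping_mimikatz",
     re.compile(r"sekurlsa::|lsadump::|privilege::debug|\bmimikatz\b")),
]

# Paths from which an administrative tool or credential dumper should never run.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\")


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so rules are spacing/case-insensitive."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def evaluate_event(event: Dict[str, str]) -> List[str]:
    """Return the sorted list of rule names that match one event's command line."""
    cmd = normalize(event["cmdline"])
    return sorted({name for name, rx in RULES if rx.search(cmd)})


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run all rules over the events and emit one alert per matching event.

    An image launched from a user-writable path is recorded as an extra
    weak signal, which a triage queue can use to prioritise the alert.
    """
    alerts = []
    for ev in events:
        matched = evaluate_event(ev)
        if not matched:
            continue
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "rules": matched,
            "cmdline": ev["cmdline"],
            "image_in_user_writable_path": bool(USER_WRITABLE.search(ev["image"].lower())),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that `vssadmin list shadows` is deliberately not flagged: the page's point is the destructive deletion, and a backup service account enumerating snapshots is routine. In a real deployment the `shadow_copy_deletion` rule should page on-call immediately regardless of user, because a legitimate change window for it is rare and easy to pre-announce.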
Attackers rely heavily on double extortion, demanding a massive ransom for decryption keys while threatening to publish the stolen data on their dark web leak site.
How to Defend Against Black Basta?
Defending against Black Basta requires strict email security, offline data redundancy, and continuous network monitoring.
- Secure email and remote access: Attackers use phishing to deliver the initial loader (historically Qakbot). Enforce Multi-Factor Authentication (MFA) and train employees to identify suspicious attachments. Use Lumu Discover to control your attack surface.
- Maintain offline backups: Black Basta actively destroys local backups and shadow copies. Store critical data offline to ensure quick recovery without paying a ransom.
- Deploy endpoint detection: Monitor devices for suspicious administrative commands. Flag any process that attempts to run tools like Mimikatz or delete shadow copies.
- Use network detection (NDR): Use tools like Lumu Defender to identify unauthorized data exfiltration. Detect and block the command-and-control (C2) beacons from Qakbot and Cobalt Strike before encryption begins.
- Integrate threat intelligence: Use platforms like Lumu Maltiverse to stay updated on the latest Black Basta indicators and block access to malicious domains.
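The NDR bullet above asks for C2 beacons to be caught before encryption starts. One classic network-side heuristic, independent of any threat-intelligence feed, is to look for a host contacting the same destination at near-constant intervals. The block below is an added example (not code from the original page or from Lumu) that applies that heuristic to constructed connection records; the record layout, the TEST-NET addresses, the thresholds and the host names are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Connection record: (timestamp_seconds, src_host, dst_ip, dst_port, bytes_out)
Record = Tuple[int, str, str, int, int]


def make_sample_connections() -> List[Record]:
    """Build a constructed mix of beacon-like and ordinary browsing traffic."""
    records: List[Record] = []
    # Beacon-like: WS02 calls 203.0.113.10:443 roughly every 60 s with small jitter.
    t = 1000
    for i in range(12):
        records.append((t, "WS02", "203.0.113.10", 443, 1200))
        t += 60 + (i % 3) - 1          # 59, 60, 61 s intervals
    # Irregular: WS01 browsing 198.51.100.5 with bursty, human-shaped timing.
    for t in (1003, 1010, 1140, 1141, 1145, 1600, 1604, 2100, 2900, 2905, 3200):
        records.append((t, "WS01", "198.51.100.5", 443, 30000 + t))
    return sorted(records)


def find_beacons(records: List[Record],
                 min_connections: int = 8,
                 max_cv: float = 0.1) -> List[Dict[str, object]]:
    """Flag (src, dst, port) tuples whose inter-connection intervals are unusually regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    intervals; a low value means the connections arrive on a near-fixed timer.
    """
    by_pair: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst, port)].append(ts)

    candidates = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue                       # too few samples to judge periodicity
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            candidates.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for c in find_beacons(make_sample_connections()):
        print(c)
```

The output of `find_beacons` is a candidate list, not a verdict: pair it with the threat-intelligence bullet (known C2 domains and IPs) and with the destination's reputation before blocking. Cobalt Strike beacons can be configured with a jitter percentage that spreads intervals out, so `max_cv` should be tuned against your own baseline rather than fixed at 0.1, and a looser threshold combined with a long observation window will catch jittered beacons that a strict one misses.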