The latest variant of Black Basta ransomware targets VMs stored in the volumes folder (/vmfs/volumes) on ESXi-based systems and servers. It encrypts files with the ChaCha20 algorithm and uses multithreading to spread the work across multiple processors, making encryption faster and harder to detect.
For organizations whose private clouds are built on VMware ESXi hosts, or that use ESXi hosts to store data and run other operational workloads, it is important to monitor sensitive folders on these systems and servers closely.
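One way to put such monitoring into practice is a periodic scan of the datastore tree for the artefacts the article describes: files carrying the .basta extension, and datastores in which most VM files have been renamed behind it. The script below is an added example, not code from the original article or from Uptycs. The ESXi path /vmfs/volumes and the .basta extension come from the article; the set of VM file extensions, the alert threshold and the constructed sample tree are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Scan an ESXi datastore tree for signs of Black Basta-style encryption.

Added example, not code from the original article or from Uptycs.  It looks
for the '.basta' extension the article reports on encrypted files and flags
datastores whose VM files have largely disappeared behind that extension.
The VM file extensions, the alert threshold and the sample tree are
assumptions made for this example.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXTENSION = ".basta"                      # extension reported by the article
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".nvram", ".vswp"}  # assumed
ALERT_RATIO = 0.5                                # assumed: half a datastore renamed


def classify_entries(paths):
    """Bucket file paths into untouched VM files and '.basta' renames.

    The ransomware appends its extension to the original file name, so the
    original VM extension survives as the second suffix (e.g. disk.vmdk.basta).
    """
    encrypted, vm_files = [], []
    for p in map(Path, paths):
        suffixes = p.suffixes
        if suffixes and suffixes[-1].lower() == RANSOM_EXTENSION:
            encrypted.append(str(p))
        elif suffixes and suffixes[-1].lower() in VM_EXTENSIONS:
            vm_files.append(str(p))
    return encrypted, vm_files


def assess(paths):
    """Return a finding dict; 'alert' is True when encryption looks in progress."""
    encrypted, vm_files = classify_entries(paths)
    total = len(encrypted) + len(vm_files)
    ratio = len(encrypted) / total if total else 0.0
    return {
        "encrypted_count": len(encrypted),
        "vm_file_count": len(vm_files),
        "encrypted_ratio": round(ratio, 3),
        "alert": len(encrypted) > 0 and ratio >= ALERT_RATIO,
        "examples": sorted(encrypted)[:5],
    }


def scan_datastores(root="/vmfs/volumes"):
    """Walk a datastore root (default: the ESXi path named in the article)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return assess(paths)


def build_sample_tree(root):
    """Constructed sample datastore: two VMs, one fully renamed to .basta."""
    healthy = Path(root, "datastore1", "web01")
    hit = Path(root, "datastore1", "db01")
    healthy.mkdir(parents=True)
    hit.mkdir(parents=True)
    for name in ("web01.vmx", "web01.vmdk", "web01-flat.vmdk", "web01.nvram"):
        (healthy / name).write_bytes(b"constructed")
    for name in ("db01.vmx", "db01.vmdk", "db01-flat.vmdk", "db01.nvram"):
        (hit / (name + RANSOM_EXTENSION)).write_bytes(b"constructed")
    return root


def demo():
    """Run the scanner over the constructed tree and return the finding."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_datastores(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real host the scan would run as `scan_datastores()` against /vmfs/volumes from a cron job or a remote collector; the ratio check matters because a single stray .basta file is noise, whereas half a datastore renamed within one scan interval is the pattern the article describes.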
During Uptycs' investigation and analysis of the ransomware binary, the team found evidence indicating that the actors behind this campaign are the same ones behind the early Black Basta campaigns.
Along with that, the extension the ransomware binary appends to encrypted files is the same as in previous versions (.basta).
The research also uncovered a new partnership between Black Basta and the Qbot (aka Qakbot) malware family; Qbot steals bank credentials and Windows domain credentials and delivers malware onto infected systems.
The Black Basta gang was observed using Qbot to spread laterally throughout the network.
Highlights of the campaign
- Gathering internal IP addresses of all hosts on the network.
- Disabling Windows Defender.
- Deleting Veeam backups from Hyper-V servers.
- Use of WMI to push out the ransomware.
Enterprises are advised to adopt zero-trust principles and stringent identity governance so they know what permissions each account has been granted and can watch for any changes.