Black Basta Ransomware – Threat Intelligence

Based on our profiling analysis, while the site operators appear to be Ukrainian the platform is open to any affiliate for a fee or as the industry states “Ransomware as a Service”, RaaS. The negotiation/chat site requires a unique key that is left with the ransom notes on the victims machines. They encrypt both LINUX and Windows systems.

In all matters CYPFER handled, where payment was completed the threat actors delivered on their promises providing a decryptor and any other deliverables which were agreed to.

This is where we have to CAUTION any company impacted by this variant as follows:

1. Decryption is only at BEST around 75-80% effective. This is a very low effectiveness rate.
2. The encryption technology is SLOW and does not handle large files especially HIGH VALUE files like virtual disk such as VMDK or VHD files
3. Under NO CIRCUMSTANCES should you shut-down your systems unless the encryption did not start or you are -certain- that viable backups exist. If you do, you are likely going to corrupt the files which will render your virtual machines in an inconsistent state and likely unrecoverable. The Threat actors so called “after payment support” will not be useful.
4. Always backup your encrypted files before running the decryptor, this will at least enable you to re-try if the decryptor fails.

Black Basta appears to encrypt files in segments rather than encrypting the whole file, this is likely done to speed up encryption, but also appears to corrupt files more frequently than other variants.

Black Basta in over 95% of cases have always exfiltrated/stolen data from the victim machines. In all matters that we have handled the amount of stolen information was significantly more than 200GB of data. On some matters, that data can be used to restore some operational capability if payment is made.

Where payment is not made, in all matters where data was stolen, Black Basta published the victim company name and data.

SUMMARY:
DECRYPTION: Black Basta decryptor is 78% (on average) effective in decrypting files. Speed of decryption is dependent upon a number of factors including hardware capabilities and size of encrypted files. Decryptors are offered for a variety of operating systems including Windows and Linux. Speed of decryptor is MEDIUM and it is incredible INEFFECTIVE on large files.

RECOVERY and REMEDIATION: CYPFER’s post breach recovery teams have worked a number of Black Basta matters, and recovery of an environment while it depends on impact, hardware capacity and available resources will typically take 5-15 business days. In certain cases, file header information might be rebuilt. However, Black Basta matters are typically more complex as the reliability of the decryptor is considered very low.

COST: Black basta typically demand anywhere from $53 Million USD for large organizations to $100,000 for much smaller victim organizations. Average demand is $800,000 USD.

NEW DEVELOPMENT: Black Basta may provide a free decryptor if critical infrastructure, health or school are impacted.