Black Basta is the name a threat actor uses in its ransom note. The ransomware encrypts files using AES-256 and then offers victims a choice of what to do with their data: purchase a one-time decrypt key for $200, pay $30 for a permanent decrypt key, or wipe the files for free.
The domain blackbasta.com was registered on December 3, 2016 and may be linked to a threat actor group which has been active for at least 16 months using Cyrillic strings in the malware file names, but no clear links exist between this threat actor group and Black Lotus or Shifu.
We have seen, however, a growing proportion of ransom notes like this one in the wild. One is left to wonder if the authors of Black Basta are seeking out victims who are already infected with something else, or if they have found a way to infect systems with ransomware that doesn’t otherwise get noticed. For example, we have seen reports of infection via various JAR files and other methodologies that don’t involve traditional email spam.
Both the domain and the malware point to the same country, Turkey, and both use Turkish: blackbasta.com was registered by “ANADOLU KIZILA AS” in Yalova, Turkey; the malware sample is served from a Dropbox link belonging to “BANAT ANKARA” (Istanbul) and is hosted in Turkey as well. This suggests that the actor group behind Black Basta may be based entirely within Turkey.
Once the malware has been downloaded, it works through the files and folders it tries to encrypt in a very specific order, which is:
Recovery folder – where the key could be found.
Backup folder (made before infection) – where the key could be found.
Documents folder – it’s likely that this is just a random selection of files and folders that happened to have been backed up during normal use by the victim. Possibly this is because “Within this file” was selected for inclusion in each encrypted file’s metadata block.