February 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Advisory – CVE-2023-24574 – Dell Enterprise SONiC OS Vulnerability
February 6, 2023Rewterz Threat Advisory – Multiple GitLab Products Vulnerabilities
February 6, 2023Rewterz Threat Advisory – CVE-2023-24574 – Dell Enterprise SONiC OS Vulnerability
February 6, 2023Rewterz Threat Advisory – Multiple GitLab Products Vulnerabilities
February 6, 2023
Severity
High
Analysis Summary
Black Basta is a new emerging ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers
A new strain of the Black Basta ransomware that supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
ransom note
Impact
- File Encryption
Indicators of Compromise
MD5
- a71fe2312ed184886e32a760d70a8768
SHA-256
- d408fe3421f520710e8a6ac6f0b9a1759b03ab3f44134e451d72af3bb79a3ad0
SHA-1
- aae2e745a5fc88e313439f8ec7b4bcc740a5dc44
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders