April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – LockBit Ransomware – Active IOCs
June 2, 2023Rewterz Threat Advisory – ICS: Advantech WebAccess/SCADA Vulnerabilities
June 2, 2023Rewterz Threat Alert – LockBit Ransomware – Active IOCs
June 2, 2023Rewterz Threat Advisory – ICS: Advantech WebAccess/SCADA Vulnerabilities
June 2, 2023
Severity
High
Analysis Summary
Black Basta is a new emerging ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group has added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers
A new strain of the Black Basta ransomware that supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
To encrypt the data, the ransomware uses the ChaCha20 algorithm. It also uses multithreading to make use of many processors and accelerate the encryption operation. The ransomware appends the .basta extension to encrypted filenames and creates readme.txt ransom notes in each folder.
Ransom Note:
Impact
- File Encryption
Indicators of Compromise
MD5
- d1fec50e1630401e8096fde9e6f31482
- 0c0ebd73cacb79b19dfd95dc3a5019ee
- 1e9d4af109f42baa420598b1cb38d307
SHA-256
- d982401b64ae312363fafadcfdedabdd7c13ad89651767c5c6bc0fef03f63fb4
- c61a3b75e95ea37acb0d7653126ce080c807caf182c5002d2a2185e87f533dd6
- 2558d0817586306d0ddf7beadd371785cd0a0b7ed860ac62760dbbc92866008a
SHA-1
- 6a0efbdd337131d7fb21babf281f892fadb83807
- ce62969554656e30765ee7eb27a51dd79367392a
- 71db2886b1dde3e92bbab3af7be627f253532736
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
