Analysis of BlackBasta ransomware gang (Part 1)


Executive Summary

The present article provides valuable highlights about BlackBasta ransomware-as-a-service (RaaS), as a result of the analysis conducted by Yarix Cyber Threat Intelligence – YCTI team.

BlackBasta emerged in April 2022 and has already compromised over 200 organizations, making it one of the most threatening ransomware gangs on the cyber scene. From April 2022 until March 2023, the YCTI team estimates that the total amount of data encrypted/exfiltrated by BlackBasta exceeds 30 TB. On average, the data encrypted/exfiltrated from a single target falls within the range of 150 – 500 GB. The ransomware gang BlackBasta has publicly released data on its Data Leak Site (DLS) for 75% of the targets attacked, while no data have been released for the remaining 25%.

The top-3 sectors attacked by BlackBasta are: Manufacturing/Industrial (30%), Construction (10%), Engineering/Technology (9%). Taking into consideration the percentage of attacks conducted globally, the top-5 most targeted countries are the following: United States of America (64%), Germany (13%), United Kingdom (5%), Canada (4%), Italy (3%). With regards to the targets’ revenue, the YCTI team estimates that the average revenue of a company victim of a ransomware attack crafted by BlackBasta is in the range of USD 400-500 million.

Moreover, taking into consideration the attribution of the ransomware gang to a specific area, the YCTI team highlighted some factors suggesting that the group may have ties to Russia.

Overview

Emerging in April 2022, BlackBasta is a Ransomware-as-a-Service (RaaS) that is believed to have been in development since February of that year. BlackBasta employs a double extortion method that involves encrypting files on targeted organizations’ systems and demanding a ransom in exchange for the decryption key. Additionally, the group operates a dark web leak site where they threaten to release sensitive information if the organization refuses to pay the ransom.

Since its emergence, BlackBasta affiliates have been actively deploying the ransomware and extorting organizations. According to information posted on their Data Leak Site (DLS), they have already compromised over 200 organizations, despite having been active for only a year.

BlackBasta ransomware is written in C++ and can affect both Windows and Linux operating systems. To speed up the encryption process, the ransomware uses a combination of ChaCha20 and RSA-4096 to encrypt user data, and it encrypts intermittently: 64-byte chunks are encrypted, leaving 128 bytes of data unencrypted between the encrypted regions. By encrypting data quickly, the ransomware can potentially compromise more systems before being detected by defenses.
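The intermittent layout described above (64 encrypted bytes followed by 128 cleartext bytes) leaves a recognisable entropy signature that a forensic triage script can check for, and it means two thirds of each affected file remain readable. The following Python example is added here and is not BlackBasta code nor Yarix tooling; it assumes (the article does not say) that the pattern starts at offset 0 and repeats with a fixed 192-byte period, and it uses a seeded PRNG as a stand-in for ChaCha20 output in a constructed sample.

```python
import math
import random

ENC_LEN = 64        # encrypted chunk length described in the article
GAP_LEN = 128       # unencrypted bytes left between encrypted chunks
PERIOD = ENC_LEN + GAP_LEN
HIGH_ENTROPY = 5.0  # bits/byte: 64 random bytes score ~5.7, English text well below

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def intermittent_profile(data: bytes) -> dict:
    """Split data into 192-byte periods and test each one for the 64-enc/128-clear layout.
    Assumption (not stated on the page): the pattern starts at file offset 0."""
    periods = len(data) // PERIOD
    matching = 0
    cleartext = bytearray()
    for i in range(periods):
        start = i * PERIOD
        enc = data[start:start + ENC_LEN]
        gap = data[start + ENC_LEN:start + PERIOD]
        if shannon_entropy(enc) >= HIGH_ENTROPY and shannon_entropy(gap) < HIGH_ENTROPY:
            matching += 1
            cleartext += gap          # the gaps are still readable: keep them for triage
    return {
        "periods": periods,
        "matching": matching,
        "ratio": matching / periods if periods else 0.0,
        "cleartext_fraction": GAP_LEN / PERIOD,   # 2/3 of each period is left in the clear
        "recovered_cleartext": bytes(cleartext),
    }

def looks_intermittently_encrypted(data: bytes, min_ratio: float = 0.9) -> bool:
    """True when at least min_ratio of the periods show the encrypted/clear alternation."""
    return intermittent_profile(data)["ratio"] >= min_ratio

SAMPLE_TEXT = b"quarterly financial report - confidential - do not distribute. " * 3

def build_sample(periods: int = 5, seed: int = 7) -> bytes:
    """Constructed sample (not a real artifact): seeded PRNG bytes stand in for ciphertext."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(periods):
        out += bytes(rng.randrange(256) for _ in range(ENC_LEN))
        out += SAMPLE_TEXT[:GAP_LEN]
    return bytes(out)
```

Running `intermittent_profile(build_sample())` reports 5 of 5 periods matching; a file that is entirely plaintext or entirely high-entropy (fully encrypted, compressed) reports 0 matches, which separates this layout from ordinary full-file encryption.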

Victimology

From April 2022 until March 2023, according to OSINT/CLOSINT analyses conducted by the YCTI team, the ransomware gang BlackBasta attacked 218 targets/companies. According to the analysis conducted by the YCTI team, it can be assumed that 14 targets were removed from the gang’s Data Leak Site (DLS). Therefore, the actual number of targets included in the DLS in the indicated timespan is 204. It is reasonable to believe that the 14 targets removed entered into negotiations with BlackBasta and paid the ransom requested. However, it is worth underlining that the number of targets attacked by the ransomware gang may be higher, since more victims could have entered into negotiations with BlackBasta and paid the ransom requested without ever appearing on the DLS.

Data

From April 2022 until March 2023, the YCTI team estimates that the total amount of data encrypted/exfiltrated by BlackBasta exceeds 30 TB. On average, the data encrypted/exfiltrated from a single target falls within the range of 150 – 500 GB.

The ransomware gang BlackBasta has publicly released data on its DLS for 75% of the targets attacked: for 73% of the victims complete data have been published, while for 2% of them only partial data have been released. On the other hand, no data have been released for 25% of the targets.

Taking into consideration the targets for which no data have been released, according to the analysis conducted by YCTI, it can be affirmed that BlackBasta generally publishes the data of the targets that do not pay the ransom. However, no fixed publication time has been observed. For some targets, data have been released a few days after they were included in the DLS; for others, data have been published much later. According to the analysis conducted by the YCTI team, data have been published as late as 6 months after the target was included in the DLS.

The YCTI team estimates that for those targets whose data have not been published, but which have been in the DLS for more than 6 months, it is less likely that data will ever be released. Conversely, for targets whose data have not been published but which have been in the DLS for less than 6 months, there is a high probability that data will be published later. Of the targets whose data have not been published, 50% were added to the DLS more than 6 months ago (April-September 2022), while the remaining 50% were added less than 6 months ago (October 2022-March 2023).

Sectors

According to the analysis conducted by the YCTI team the top-3 sectors attacked by BlackBasta are the following:

  1. Manufacturing/Industrial (30%)
  2. Construction (10%)
  3. Engineering/Technology (9%)

Below is a table with the sectors attacked by the ransomware group:

Countries

According to the analysis conducted by the YCTI team, the most attacked region by BlackBasta is Northern America with 68% of the attacks, followed by Europe with 30% and the residual 2% allocated between Asia and Oceania.

Taking into consideration the percentage of attacks conducted globally, the top-5 countries most attacked by BlackBasta are the following:

  1. United States of America (64%)
  2. Germany (13%)
  3. United Kingdom (5%)
  4. Canada (4%)
  5. Italy (3%)

The aforementioned countries alone constitute 89% of the attacks made by BlackBasta at a global level.

Taking into consideration the attacks conducted in Europe, the top-5 countries most targeted by BlackBasta are the following:

  1. Germany (42%)
  2. United Kingdom (18%)
  3. Italy (10%)
  4. Austria (10%)
  5. Switzerland (5%)

The aforementioned countries alone constitute 85% of the attacks made by BlackBasta in Europe.

Targets’ revenue

According to the analysis conducted, the YCTI team estimates that the average revenue of a company victim of a ransomware attack made by BlackBasta is in the range of USD 400-500 million. [1]

We considered the following 5 revenue ranges (expressed in USD million):

Below are the key considerations about the data analysed.

The majority of the victims (65%) have revenue in the range of USD >0-100 million:

  • The top-3 countries most targeted by attacks in this range are:
      1. United States of America (63%)
      2. Germany (11%)
      3. United Kingdom (8%)
  • The top-3 sectors most targeted by attacks in this range are:
      1. Manufacturing/Industrial (24%)
      2. Engineering/Technology (14%)
      3. Construction (9%)

The companies with revenue in the range of USD 1000-5000 million constitute 8% of the victims:

  • The top-3 countries most targeted by attacks in this range are:
      1. Germany (38%)
      2. United States (38%)
      3. Canada (6%)
  • The top-3 sectors most targeted by attacks in this range are:
      1. Manufacturing/Industrial (25%)
      2. Bank/Finance/Insurance (19%)
      3. Construction (19%)

Timeline of the attacks

Taking into consideration the timeline of the attacks, the YCTI team observed peaks of attacks in the months of July, September, October and December 2022 and in March 2023. On the other hand, a sharp decrease in attacks was observed during the month of January 2023. Assumptions on this trend are provided in the following section (see par. ATTRIBUTION).

Attribution

To date, there is no conclusive evidence to attribute BlackBasta ransomware to a specific country. However, some factors strongly suggest that the group may have ties to Russia.

Targets

BlackBasta attacked over 200 targets and none of them belong to the Eurasian area. Russian threat actors typically adhere to a guideline of avoiding targeting victims within the Commonwealth of Independent States (CIS), with a particular emphasis on refraining from attacking entities in Russia itself.

Some of the reasons why they avoid attacking entities within Russia or the CIS countries are the following:

  • cybercriminals may feel a sense of loyalty or patriotism towards their home country or region, and may be hesitant to engage in activities that could be seen as harming their own people;
  • there may be a higher risk of law enforcement action within CIS countries, as authorities may be more actively monitoring online criminal activities within their own borders;
  • the Russian legal system does not currently have specific laws in place to prosecute cybercriminals who conduct attacks on victims outside of Russia or the CIS countries. This legal loophole has made it easier for Russian hackers to operate with impunity and carry out attacks on foreign entities without fear of prosecution in their home country. On the other hand, the Russian legal system has laws in place to prosecute cybercriminals who conduct attacks on victims within Russia and CIS countries (i.e.: art. 272, 273, 275 of Russian Criminal Code; Law on Information, Information Technologies and Information Protection).

Ransom note linguistic analysis

The language used by the BlackBasta ransomware operators in their ransom notes and communication with victims contained grammatical errors and expressions consistent with Russian-speakers without a complete fluency in English.

Below is a sample of a ransom note crafted by the BlackBasta ransomware gang:

“We are BlackBasta Group. We are here to inform that your company local network has been hacked and encrypted.

We’ve downloaded over 500GB of a sensitive information and data from your network.  Check your page in our blog, in a few minutes you will see the confidential data there that we took from your network.

Right now we’re keeping it secret. However, if we don’t come to an agreement within 10 days, it’ll be posted on our news board.

Decryption price is $11,000,000.  In case of successful negotiations we guarantee you will get:

  1. Descriptors for all your Windows and Esxi machines;
  2. Non recoverable removal of all downloaded data from our side;
  3. Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.

Hope you can correctly assess the risks for your company.

You can find more information about Black Basta Group in Google.”

In the context of the given text, the word “Descriptors” appears to be a mistranslation of the Russian word “дескрипторы” (deskriptory). In Russian technical terminology, the word “deskriptor” is often used to refer to a “handle” or “pointer” that identifies a specific resource or object within a system. This term is commonly used in programming languages such as C++ and in operating systems like Windows and Linux. In the context of the ransom note, the use of the word “Descriptors” in place of “Decryption keys” may suggest that the author is a Russian speaker who is not completely fluent in English: “deskriptor” is a common technical term in Russian, but “descriptor” is not used in English in this context. Therefore, the use of the word “Descriptors” in the ransom note is consistent with Russian-language technical terminology, and it may indicate that the author of the message is a non-native English speaker, possibly from Russia or another Russian-speaking country.

Overall, while the message of the ransom note is understandable, it contains errors and awkward phrasing that suggest that the author may not be a native English speaker. Here are some examples of errors in English grammar and phrasing that are common among non-native English speakers, including Russians, that can be found in the text:

“We’ve downloaded over 500GB of a sensitive information and data from your network”.

The use of “a” before “sensitive information and data” is incorrect, as “information” and “data” are both uncountable nouns that do not take an indefinite article. This mistake is quite common among native Russian speakers who learned English as a foreign language, since the Russian language has no articles; declensions are used instead.

“Check your page in our blog, in a few minutes you will see the confidential data there that we took from your network”

The phrase is redundant and awkwardly phrased. A more natural way to say this would be “you will see the confidential data that we have taken from your network on our blog”.

“Right now we’re keeping it secret”

This could be phrased more idiomatically as “We’re currently keeping it confidential”.

“Hope you can correctly assess the risks for your company”

This could be phrased more clearly as “We hope you can accurately assess the risks to your company.”

“You can find more information about BlackBasta Group in Google”

This sentence could be phrased more naturally in English as “You can find more information about BlackBasta Group by searching on Google.”

Timeline of the attacks

It is interesting to observe that in the timeline chart of the attacks conducted by BlackBasta there is a sharp decrease in the attacks during the month of January 2023. There could be different reasons to explain this event; however, if we assume that BlackBasta is a Russian-speaking ransomware group, it is reasonable to believe that one factor explaining the decrease in attacks during January would be the Christmas festivities in Orthodox Christian areas. In Russia and other countries where Orthodox Christianity is the most widespread confession, sacred festivities follow the Julian calendar rather than the Gregorian calendar used by the Catholic Church. The Julian calendar is 13 days behind the Gregorian one. Therefore, Christmas for the Orthodox Church falls on January 7th and New Year’s Day on January 1st. The sharp decrease in attacks conducted during the month of January could be explained, among other potential factors, by the festivities taking place in that period.

QakBot malware

In incidents handled by Yarix Incident Response (YIR), the use of the QakBot malware by BlackBasta was identified. QakBot is a malware initially designed as a banking trojan for exfiltrating personal data and later used as an info-stealer module by many ransomware groups. The association of QakBot with the threat actor BlackBasta is relevant, as it provides one more indication as to the origin of the criminal group. As noted by the US Cybersecurity and Infrastructure Security Agency, cybercriminals originating from Eurasia are known to utilize QakBot to form botnets and enable highly lucrative ransomware attacks. These individuals often operate or facilitate botnet-based access and have the advantage of operating in permissive environments within Russia and other former Soviet republics. [2]

Nevertheless, it is important to note that these factors do not provide conclusive evidence of the group’s nationality or geographic location, and that attribution of cyberattacks can be a complex and challenging task.

What’s next?

The aim of the present article was to provide information about BlackBasta ransomware with regards to the volume of data exfiltrated, the targeted countries/sectors, and attribution to a specific geographic area. For a deep-dive technical analysis (also revealing potential correlations with other threat actors), a second part will soon be published on the Yarix Labs blog.

Notes

[1] The estimates are based on 2021 revenues. The revenue estimates have been retrieved from ZoomInfo (https://www.zoominfo.com/), a software and data company which provides data on companies and business individuals. The choice of this source was driven by the following factors: it covers companies globally, and it is the main source of information about companies’ revenues used by threat actors in the most relevant Dark Web markets and forums. Nevertheless, it is worth underlining that the estimates shown by ZoomInfo may be subject to a margin of error and may not be completely accurate.

[2] US Cybersecurity and Infrastructure Security Agency, Alert Code AA22-216A: Cybersecurity Advisory 2021 Top Malware Strains, last revised: August 25, 2022. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a

Author

Ludovico Ninotti is a member of the Yarix Cyber Threat Intelligence Team. He specialized in Russian Information Warfare and Russian-speaking cybercrime in Europe through his experience in international organizations and the private sector, as well as his research work focused on Russia. Outside of work he enjoys photography and techno/electronic music.
