Skip to content
Try it Free Request Your Demo
    June 7, 2022

    Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems

    Original research by Siddharth Sharma and Nischay Hegde

    The Uptycs Threat research team recently observed an advancement in the Black basta ransomware, where we saw that the ransomware binaries are now targeting ESXi servers. The Black Basta was first seen this year during the month of April, in which its variants targeted windows systems. This blog highlights the recent addition of the *nix component in the Black Basta ransomware by the ransomware authors.

    Threat Attribution

    Based on the chat support link and encrypted file extension, we believe that the actors behind this campaign are the same who targeted windows systems earlier with the Black Basta ransomware.

    fig1-2

    Figure 1: Black basta chat support panel for negotiation

    Technical Overview

    The ransomware binary(hash: 0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef) looks for the /vmfs/volumes directory for encryption in the victim system. The /vmfs/volumes directory stores the virtual machines on the ESXi server. Once it finds the directory it starts encrypting files present inside the volumes folder.

    fig2-3

    Figure 2: Ransomware binary looking for /vmfs/volumes folder

    For encryption the ransomware author seems to be using the chacha20 algorithm as a part of the encryption mechanism, probably because chacha20 is fast.

    fig3-3

    Figure 3: chacha20 algorithm


    It also uses multithreading for encryption to utilize multiple processors and further make it faster and harder to detect. As shown in below figure(see figure: 4), the function `EncryptionThread` is run in parallel to increase throughput of the ransomware.

    fig4-3

    Figure 4: EncryptionThread usage

    The ransomware binary also uses chmod utility for giving full permissions to the target files.(see figure 5)


    fig5-3

    Figure 5: Malware binary writing encrypted content to files inside volumes folder


    Below figure shows the encrypted files inside the volumes folder in the victim system. The extension used by the ransomware binary is .basta.

    fig6-3

    Figure 6: Encrypted files along with the readme file


    Inside the readme.txt file, the author puts the link to the chat support panel where the victims can approach for file decryption.

    fig7-3
    Figure 7: Black Basta panel for chat support

    Uptycs EDR detections

    The Uptycs EDR armed with YARA process scanning detects the BlackBasta ransomware with a threat score of 10/10.(see figure 8)
    fig8-3

    Figure 8: Uptycs EDR detection

    IOCs


    0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef
    https[:]//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion

     

    threat bulletin cta image

    Uptycs Threat Research

    Research and updates from the Uptycs Threat Research team.

    Other posts you might be interested in