Sigma Rules for Black Basta Ransomware Attacks

In recent months, the cybersecurity landscape has been significantly impacted by a series of attacks attributed to the Black Basta ransomware group. These cybercriminals have targeted numerous sectors, including healthcare and critical infrastructure, causing widespread disruption and data breaches. This post aims to provide an overview of these attacks, outline the Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and share how we’ve translated these IOCs into actionable Sigma rules to enhance our defenses. Sigma is an open standard for writing generic and SIEM-agnostic detection rules. These rules can be converted to a specific SIEM system's query language using Sigma converters.

What is Black Basta?

Black Basta is a ransomware-as-a-service (RaaS) variant that has been active since April 2022. The group has successfully compromised over 500 organizations globally, leveraging common initial access techniques such as phishing and exploiting known vulnerabilities. Notably, they have employed a double extortion model, encrypting systems and exfiltrating data to pressure victims into paying ransoms.

One of the recent tactics used by Black Basta involves abusing the Windows Quick Assist tool, which is intended for remote tech support, to gain unauthorized access to systems. This approach has made their attacks more insidious and difficult to detect.

Key Insights from CISA and FBI

In response to these attacks, CISA and the FBI have released detailed advisories containing IOCs and TTPs to help organizations recognize and mitigate the threat posed by Black Basta. Here are some critical elements of their findings:

Indicators of Compromise (IOCs):

• Hashes of malicious files:

  • 0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 (rclone.exe)

  • d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e (Winscp.exe)

  • 88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc (DLL)

Tactics, Techniques, and Procedures (TTPs):

• Command and Scripting Interpreter: PowerShell (T1059.001) - Used to disable antivirus products.

• Exploitation for Privilege Escalation (T1068) - Leveraging vulnerabilities to gain higher access levels.

• Remote Desktop Protocol (RDP), PsExec, BITSAdmin - Tools used for lateral movement within networks.

Sigma Rules for Enhanced Detection

To assist our community in detecting and responding to Black Basta ransomware activity, we have translated these IOCs into Sigma rules. These rules can be implemented within your Security Information and Event Management (SIEM) systems to identify potential threats. Below is a sample Sigma rule based on the provided IOCs:

Get the Complete Set of Sigma Rules

To further support our subscribers, we have compiled a comprehensive PDF document containing Sigma rules for all the IOCs released by CISA and the FBI. This resource is available for free to all our subscribers. If you are an existing subscriber, please complete the poll below to receive your free pdf. If you’re not already subscribed, please subscribe to receive a copy. By implementing these rules, you can significantly enhance your organization’s ability to detect and respond to Black Basta ransomware activity.

Conclusion

The Black Basta ransomware group represents a significant threat to organizations across various sectors. By staying informed and utilizing the IOCs and TTPs provided by CISA and the FBI, coupled with our Sigma rules, you can bolster your defenses against these sophisticated attacks.

Stay vigilant, and ensure your systems are equipped with the latest threat intelligence and detection capabilities.

For more information, you can refer to the official advisories from CISA and the FBI:

• CISA Black Basta Advisory

To receive your free PDF with the complete set of Sigma rules, subscribe to our newsletter or complete the poll above if you’re already subscribed.