
Black Basta Ransomware DNS Investigation Led to OneNote and Courier Impersonation

Among the most active and rapidly spreading ransomware in 2022 was Black Basta. It was first detected in April 2022 and victimized nearly 100 organizations in North America, Europe, and Asia by September that same year. As a ransomware-as-a-service (RaaS) malware, Black Basta employs double extortion to force victims to pay the ransom. Aside from data encryption, the threat actors exfiltrated the victims’ data and threatened to release it if they wouldn’t pay.

ExtraHop expert Josh Snow recently demonstrated how to detect Black Basta ransomware, inspiring WhoisXML API researchers to investigate and expand the threat’s indicators of compromise (IoCs). From 5 domains and 51 IP addresses tagged as IoCs, we found the following:

  • 980 domains sharing the IoCs’ name servers and WHOIS ownership details
  • 18 domains hosted on the IP addresses tagged as IoCs
  • Possible connections to malware distribution campaigns disguised as courier websites and OneNote documents
  • 14% of the courier-related domains sharing a malicious domain’s name servers were also flagged as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Threat Investigation: Providing Context to the IoCs

We began by uncovering patterns and common characteristics among the domains and IP addresses tagged as Black Basta ransomware IoCs.

Based on WHOIS history lookup results, we determined that all five domain IoCs from SentinelOne had redacted WHOIS records—three of them used WhoisSecure as their privacy protection provider. Most of the domains indicated OwnRegistrar, Inc. as their registrar and used the same name server provider (Cloudflare). Their registration dates were also similar, with four created sometime in June 2022. We tabulated these commonalities below.

WHOIS Data Point / Common WHOIS Record IoCs

  • Registrant contact detail: WhoisSecure
  • Name servers: *****[.]ns[.]cloudflare[.]com | *****hine[.]ns[.]cloudflare[.]com; ****[.]ns[.]cloudflare[.]com | ****[.]ns[.]cloudflare[.]com; *****[.]njalla[.]no | *****[.]njalla[.]in | *****[.]njalla[.]fo
  • Registrar: OwnRegistrar, Inc.
  • Creation date: June 2022

The rest of the IoCs were IP addresses listed by SentinelOne and Trend Micro, which we subjected to a bulk IP geolocation lookup that revealed the following:

  • 30 of the 51 IP addresses tagged as IoCs had active resolutions as of this writing.
  • The top IP geolocation countries were the Netherlands, Germany, Romania, and the U.K.
  • The top ISPs were Bunea Telecom SRL; Panamaserver.com; The Constant Company, LLC; and Stark Industries Solutions Ltd.

IoC Expansion: Mapping Out WHOIS and IP Connections

We used the contextual information above to find connected domains that could be considered Black Basta ransomware artifacts.

Reverse WHOIS searches for the IoCs resulted in the discovery of 980 artifacts, more than 50% of which were added between 1 January and 15 March 2023 and currently shared one of the IoCs’ name servers and registrant countries.

Another IoC’s name server lookup yielded only 60 connected domains, revealing the possibility that its infrastructure is not publicly shared and is potentially malicious. The same could be said for the IP addresses tagged as IoCs. Despite running 51 IP addresses on Reverse IP Lookup, we only uncovered 18 connected domains.

A bulk IP geolocation lookup for all the artifacts also yielded interesting results. Out of almost 1,000 domains, 64% had active resolutions, 19 of which were hosted on the IP addresses tagged as IoCs, telling us that some malicious properties remained active.

Furthermore, about 95% of the resolutions were geolocated in countries where the IoCs were also geolocated. These are plotted in the following chart.

Artifact Investigation: Finding Related Threats

We then sought to find out how the connected domains were used. A bulk malware check led to the discovery of 13 malicious artifacts, the most notable of which is a domain mimicking OneNote. Previous security investigations tied Black Basta to Qbot, a malware family recently seen distributed through fake OneNote documents.

Other malicious domains imitated postal and courier services. One domain seemingly targeted the Australian Post, while others contained the strings "post" and "parcel". While these courier-related malicious domains no longer resolved, we found an unflagged artifact that continued to host a parcel-tracking website.

Screenshot of parceltracking[.]express

Some of the malicious domains also hosted live content. Below are some examples.

Exploring Fake Parcels

Black Basta ransomware threat actors were seen using phishing and spearphishing to gain initial access to victim systems, notably mimicking Qbot’s technique, particularly disguising malware as OneNote documents.

Since we tackled malware distribution through OneNote in a recent threat report, we dedicate this part to digging deeper into parcel-themed malicious and suspicious domains.

Since checkparcel[.]org (an artifact flagged as malicious) and parceltracking[.]express (an unflagged artifact) shared the same name servers, we ran a reverse WHOIS search on those name servers and included the strings "post" and "parcel" as search terms. We found 259 domains, 14% of which were reported to be malicious.

Most of these flagged domains were cybersquatting properties targeting postal and courier services in North America, Europe, and Asia, including the following:

  • Australian Post
  • Canada Post
  • Chronopost
  • Postage Depot
  • Posten Norge
  • U.S. Postal Service (USPS)
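As an added example (not code from the article or from WhoisXML API), the pivot logic described above written out in Python over constructed WHOIS records: build a fingerprint from the traits the IoC domains share (name server provider, registrar, privacy provider, creation window), score other domains against it, and pull out the "post"/"parcel"-themed names for priority review. Every domain, name server host, registrar and date in the block is a constructed assumption, not a real IoC.

```python
from collections import Counter, namedtuple
from datetime import date, timedelta
# One WHOIS record per domain; ns is the first name-server host.
Rec = namedtuple("Rec", "domain ns registrar registrant created")
# Constructed sample records (none are real IoCs), shaped like the traits in the table above.
IOCS = [
    Rec("ioc-one.example", "ada.ns.cloudflare.com", "OwnRegistrar, Inc.", "WhoisSecure", date(2022, 6, 3)),
    Rec("ioc-two.example", "bob.ns.cloudflare.com", "OwnRegistrar, Inc.", "WhoisSecure", date(2022, 6, 20)),
    Rec("ioc-three.example", "ns1.njalla.no", "OwnRegistrar, Inc.", "REDACTED", date(2022, 6, 11)),
]
CANDIDATES = [
    Rec("checkparcel.test", "ada.ns.cloudflare.com", "OwnRegistrar, Inc.", "WhoisSecure", date(2022, 6, 25)),
    Rec("onenote-view.test", "cat.ns.cloudflare.com", "OwnRegistrar, Inc.", "WhoisSecure", date(2023, 2, 1)),
    Rec("bakery.test", "dns1.registrar-servers.com", "NameCheap, Inc.", "Jane Doe", date(2019, 4, 9)),
]
COURIER_TERMS = ("post", "parcel", "courier")

def ns_provider(host):
    """Drop the per-customer label: 'ada.ns.cloudflare.com' -> 'ns.cloudflare.com'."""
    return host.split(".", 1)[1]

def fingerprint(records, slack_days=30):
    """Keep a trait only if a majority of the IoCs share it; creation dates become a window."""
    fp = {}
    for trait, key in (("provider", lambda r: ns_provider(r.ns)),
                       ("registrar", lambda r: r.registrar),
                       ("registrant", lambda r: r.registrant)):
        value, count = Counter(key(r) for r in records).most_common(1)[0]
        if count * 2 > len(records):
            fp[trait] = value
    created = [r.created for r in records]
    fp["window"] = (min(created) - timedelta(slack_days), max(created) + timedelta(slack_days))
    return fp

def score(rec, fp):
    """Count of fingerprint traits a candidate matches (0-4); higher = closer to the IoC cluster."""
    lo, hi = fp["window"]
    return sum([fp.get("provider") == ns_provider(rec.ns),
                fp.get("registrar") == rec.registrar,
                fp.get("registrant") == rec.registrant,
                lo <= rec.created <= hi])

def pivot(candidates, fp, min_score=3):
    """Domains set up the same way as the IoCs, i.e. expansion candidates worth reviewing."""
    return [r.domain for r in candidates if score(r, fp) >= min_score]

def courier_lookalikes(domains):
    """Courier/postal-themed names among the artifacts (the article's 'post'/'parcel' pivot)."""
    return [d for d in domains if any(t in d.split(".")[0] for t in COURIER_TERMS)]
```

Raising min_score tightens the expansion (fewer, closer matches); a candidate that matches only the name server provider is a weak pivot on its own, as the article's 60-domain name server result suggests.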

Detecting Black Basta ransomware IoCs is an urgent concern for the cybersecurity community, especially since it can shut down endpoint detection and response (EDR) solutions. These IoCs could be part of a more extensive malicious infrastructure, and expanding them to uncover additional artifacts can help protect organizations from web properties that the threat actors may have created but haven’t deployed yet.

Our investigation led us to more than 1,200 yet-unreported artifacts, dozens of which had already figured in malicious campaigns, and even more appeared suspicious.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
