Among the most active and rapidly spreading ransomware families in 2022 was Black Basta. It was first detected in April 2022 and had victimized nearly 100 organizations in North America, Europe, and Asia by September of that same year. As ransomware-as-a-service (RaaS) malware, Black Basta employs double extortion to force victims to pay the ransom: aside from encrypting data, the threat actors exfiltrate the victims’ data and threaten to release it if the victims refuse to pay.
ExtraHop expert Josh Snow recently demonstrated how to detect Black Basta ransomware, inspiring WhoisXML API researchers to investigate and expand the threat’s indicators of compromise (IoCs). From 5 domains and 51 IP addresses tagged as IoCs, we found the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began by uncovering patterns and common characteristics among the domains and IP addresses tagged as Black Basta ransomware IoCs.
Based on WHOIS history lookup results, we determined that all five domain IoCs from SentinelOne had redacted WHOIS records—three of them used WhoisSecure as their privacy protection provider. Most of the domains indicated OwnRegistrar, Inc. as their registrar and used the same name server provider (Cloudflare). Their registration dates were also similar, with four created sometime in June 2022. We tabulated these commonalities below.
WHOIS Data Point | Common WHOIS Record IoCs
---|---
Registrant contact detail | WhoisSecure
Name servers | *****[.]ns[.]cloudflare[.]com, *****hine[.]ns[.]cloudflare[.]com, ****[.]ns[.]cloudflare[.]com, ****[.]ns[.]cloudflare[.]com, *****[.]njalla[.]no, *****[.]njalla[.]in, *****[.]njalla[.]fo
Registrar | OwnRegistrar, Inc.
Creation date | June 2022
The rest of the IoCs were IP addresses listed by SentinelOne and Trend Micro, which we subjected to a bulk IP geolocation lookup that revealed the following:
We used the contextual information above to find connected domains that could be considered Black Basta ransomware artifacts.
Reverse WHOIS searches for the IoCs resulted in the discovery of 980 artifacts, more than 50% of which were added between 1 January and 15 March 2023 and, at the time of writing, shared a name server or registrant country with one of the IoCs.
Another IoC’s name server lookup yielded only 60 connected domains, suggesting that its name server infrastructure is not widely shared and may be dedicated to malicious use. The same could be said for the IP addresses tagged as IoCs: despite running all 51 IP addresses through Reverse IP Lookup, we uncovered only 18 connected domains.
A bulk IP geolocation lookup for all the artifacts also yielded interesting results. Out of almost 1,000 domains, 64% had active resolutions, and 19 of those resolved to the IP addresses tagged as IoCs, telling us that some malicious properties remained active.
Furthermore, about 95% of the resolutions were geolocated in countries where the IoCs were also geolocated. These are plotted in the following chart.
We then sought to find out how the connected domains were used. A bulk malware check led to the discovery of 13 malicious artifacts, the most notable of which is a domain mimicking OneNote. Previous security investigations tied Black Basta to Qbot, a malware family recently seen distributed through fake OneNote documents.
Other malicious domains imitated postal and courier services. One domain seemingly targeted the Australian Post, while others contained the strings post and parcel. While these courier-related malicious domains no longer resolved, we found an unflagged artifact that continued to host a parcel-tracking website.
Screenshot of parceltracking[.]express
Some of the malicious domains also hosted live content. Below are some examples.
Black Basta ransomware threat actors were seen using phishing and spearphishing to gain initial access to victim systems, notably borrowing Qbot’s technique of disguising malware as OneNote documents.
Since we tackled malware distribution through OneNote in a recent threat report, we dedicate this part to digging deeper into parcel-themed malicious and suspicious domains.
Since checkparcel[.]org (artifact flagged as malicious) and parceltracking[.]express (unflagged artifact) shared the same name servers, we ran a reverse WHOIS search and included the strings post and parcel as search terms. We found 259 domains, 14% of which were reported to be malicious.
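The two pivoting steps used in this investigation, profiling the WHOIS data points that the IoC domains have in common and then searching for other domains that share a name server provider and contain the strings post and parcel, can be reproduced offline against a set of WHOIS records. The Python below is an added example, not WhoisXML API’s code, and it does not call any WHOIS or reverse WHOIS service; the records, domain names and name servers are constructed sample data (the `.example` names are placeholders, not the IoCs from the report).

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    """Minimal WHOIS record: only the data points the pivots need."""
    domain: str
    registrar: str
    name_servers: tuple[str, ...]
    registrant_country: str
    created: str  # ISO date, YYYY-MM-DD


# Constructed sample IoC records (hypothetical, not the report's real IoCs).
IOC_RECORDS = [
    WhoisRecord("ioc-one.example", "OwnRegistrar, Inc.", ("alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"), "US", "2022-06-03"),
    WhoisRecord("ioc-two.example", "OwnRegistrar, Inc.", ("gamma.ns.cloudflare.com", "delta.ns.cloudflare.com"), "US", "2022-06-14"),
    WhoisRecord("ioc-three.example", "OwnRegistrar, Inc.", ("one.njalla.no", "two.njalla.in"), "IS", "2022-06-21"),
    WhoisRecord("ioc-four.example", "Other Registrar LLC", ("alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"), "US", "2022-06-28"),
    WhoisRecord("ioc-five.example", "OwnRegistrar, Inc.", ("gamma.ns.cloudflare.com", "delta.ns.cloudflare.com"), "US", "2022-03-09"),
]

# Constructed candidate records, standing in for a reverse WHOIS result set.
CANDIDATE_RECORDS = [
    WhoisRecord("checkparcel-demo.example", "OwnRegistrar, Inc.", ("alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"), "US", "2023-02-10"),
    WhoisRecord("parceltracking-demo.example", "OwnRegistrar, Inc.", ("gamma.ns.cloudflare.com", "delta.ns.cloudflare.com"), "US", "2023-01-20"),
    WhoisRecord("postal-notice-demo.example", "Other Registrar LLC", ("one.njalla.no", "two.njalla.in"), "IS", "2023-03-01"),
    WhoisRecord("garden-supply.example", "OwnRegistrar, Inc.", ("alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"), "US", "2023-02-02"),
    WhoisRecord("my-post-blog.example", "Unrelated Registrar", ("ns1.unrelated-dns.example",), "DE", "2023-02-15"),
]


def ns_provider(host: str) -> str:
    """Reduce a name server host to its provider zone, so that different
    hosts of one provider count as shared infrastructure:
    'alpha.ns.cloudflare.com' -> 'ns.cloudflare.com', 'one.njalla.no' -> 'njalla.no'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)


def creation_month(record: WhoisRecord) -> str:
    return record.created[:7]


def defang(domain: str) -> str:
    """Render a domain as non-clickable text, the way the report prints IoCs."""
    return domain.replace(".", "[.]")


def observed_attributes(record: WhoisRecord) -> dict[str, set[str]]:
    return {
        "registrar": {record.registrar},
        "ns_provider": {ns_provider(ns) for ns in record.name_servers},
        "registrant_country": {record.registrant_country},
        "creation_month": {creation_month(record)},
    }


def common_attributes(records: list[WhoisRecord], min_share: float = 0.5) -> dict[str, set[str]]:
    """Values of each WHOIS data point shared by at least min_share of the records.
    This is the 'commonalities table' step: registrar, name server provider,
    registrant country and creation month that most IoCs have in common."""
    n = len(records)
    counters: dict[str, Counter] = {k: Counter() for k in ("registrar", "ns_provider", "registrant_country", "creation_month")}
    for r in records:
        for key, values in observed_attributes(r).items():
            counters[key].update(values)  # each record counts once per value
    return {key: {v for v, c in ctr.items() if c / n >= min_share} for key, ctr in counters.items()}


def profile_score(record: WhoisRecord, profile: dict[str, set[str]]) -> int:
    """How many of the shared data points a candidate also exhibits (0..4)."""
    observed = observed_attributes(record)
    return sum(1 for key, values in profile.items() if observed[key] & values)


def pivot_on_infrastructure(candidates, ioc_records, keywords=("post", "parcel")):
    """Reverse-WHOIS-style pivot: keep candidates that share a name server
    provider with any IoC AND whose name contains one of the lure keywords.
    Each hit carries the shared providers, matched keywords and profile score
    so an analyst can rank what to look at first."""
    profile = common_attributes(ioc_records)
    ioc_providers = {ns_provider(ns) for r in ioc_records for ns in r.name_servers}
    hits = []
    for c in candidates:
        shared = {ns_provider(ns) for ns in c.name_servers} & ioc_providers
        matched = [k for k in keywords if k in c.domain.lower()]
        if shared and matched:
            hits.append({
                "domain": defang(c.domain),
                "shared_ns": sorted(shared),
                "keywords": matched,
                "profile_score": profile_score(c, profile),
            })
    return hits


if __name__ == "__main__":
    for hit in pivot_on_infrastructure(CANDIDATE_RECORDS, IOC_RECORDS):
        print(hit)
```

The keyword match is deliberately a plain substring test, which is what a reverse WHOIS search with the terms post and parcel amounts to; the name server comparison is done at the provider level because a shared provider (Cloudflare, Njalla) is what the report pivots on, not identical hosts. A candidate such as the garden-supply domain matches the WHOIS profile but not the lure keywords and is therefore left out, while a post-themed domain on unrelated name servers is also excluded.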
Most of these flagged domains were cybersquatting properties targeting postal and courier services in North America, Europe, and Asia, including the following:
Detecting Black Basta ransomware IoCs is an urgent concern for the cybersecurity community, especially since it can shut down endpoint detection and response (EDR) solutions. These IoCs could be part of a more extensive malicious infrastructure, and expanding them to uncover additional artifacts can help protect organizations from web properties that the threat actors may have created but haven’t deployed yet.
Our investigation led us to more than 1,200 yet-unreported artifacts, dozens of which had already figured in malicious campaigns, and even more appeared suspicious.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.