Rebranded Ransomware Gang Black Basta Now Targeting VMWare ESXi Servers

Uptycs Threat Research analysts revealed in a recent report that ransomware gang Black Basta has created ransomware binaries specifically targeting VMWare ESXi virtual machines which run on Linux servers.

Most groups which are involved in enterprise ransomware attacks have zeroed in on ESXi virtual machines, because targeting these virtual machines enables ransomware groups to encrypt multiple servers more quickly, using only a single command, according to reports.

As several corporations are undergoing digital transformation of their workspace and migrating to virtual machines, which grants them easier device management and more efficient resource usage, they also become more vulnerable to encryption attacks by ransomware groups, according to industry watchers.

Attacks Ramped Up in April

Although Linux ransomware encryptors have previously been released by other ransomware gangs, a report by Uptycs Threat Research highlighted that Black Basta ransomware was found to be actively targeting companies’ ESXi servers and Windows servers in mid-April.

Black Basta’s ransomware binary operates similarly to other Linux encryptors: it searches compromised ESXi servers for the /vmfs/ folder, where the virtual machines are stored. When the binary finds a /vmfs/ folder, it encrypts the files with the ChaCha20 algorithm, using multithreading across multiple processors to speed up the encryption process.

During the encryption process, the ransomware appends the .basta extension to the names of the encrypted files. In BleepingComputer’s test of the Black Basta encryption binaries, the ransomware created ransom notes named readme.txt in each folder, each including a link to a chat support panel and a unique ID the victim uses to communicate with the attackers about the ransom demand (see figure below).

Screenshot taken from BleepingComputer.
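The two indicators named above, the .basta extension and a readme.txt note in each folder, are enough for a first-pass datastore triage. The script below is an added example, not code from Uptycs, BleepingComputer or Black Basta; the datastore layout, file names and the entropy threshold are assumptions, and the sample tree it scans is constructed in a temporary directory.

```python
# Added example: defensive triage of an ESXi datastore tree for the indicators
# the report names (.basta suffix, readme.txt notes). All paths are constructed.
import math
import os
import random
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".basta"   # extension appended to encrypted files
RANSOM_NOTE = "readme.txt"    # ransom note dropped per folder

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ChaCha20 output is indistinguishable from random (~8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_volume(root: str, sample_bytes: int = 4096) -> dict:
    """Walk a datastore tree and collect ransomware indicators."""
    result = {"encrypted": [], "notes": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result["notes"].append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                result["encrypted"].append(path)
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                if shannon_entropy(head) > 7.5:  # threshold is an assumption
                    result["high_entropy"].append(path)
    return result

def build_sample_tree(base: str = None) -> str:
    """Constructed stand-in for /vmfs/volumes/<datastore> after an incident."""
    base = base or tempfile.mkdtemp()
    vm_dir = os.path.join(base, "volumes", "datastore1", "web01")
    os.makedirs(vm_dir, exist_ok=True)
    rng = random.Random(1)  # deterministic stand-in for ChaCha20 ciphertext
    with open(os.path.join(vm_dir, "web01.vmdk" + ENCRYPTED_SUFFIX), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(8192)))
    with open(os.path.join(vm_dir, "web01.vmx"), "w") as fh:
        fh.write('displayName = "web01"\n')  # untouched config file
    with open(os.path.join(vm_dir, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note\n")
    return base

if __name__ == "__main__":
    for key, paths in scan_volume(build_sample_tree()).items():
        print(key, len(paths))
```

On a real host the root would be /vmfs/volumes; the entropy check helps separate files merely renamed from files actually encrypted.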

Notably, even though Black Basta appears to be a new ransomware gang which only recently emerged in April, BleepingComputer speculates that Black Basta’s encryption operation is not newly developed.

Instead, the Black Basta ransomware group is likely a rebrand of the Conti ransomware operation, since both operations demonstrate the ability to breach new victims swiftly and have similar styles of negotiation.

Black Basta Strikes After Conti Rebranding

In April and May 2022, threat intelligence vendor AdvIntel traced the Conti ransomware group’s activity, finding that the group was undergoing rebranding as several other ransomware groups and subsidiaries.

After declaring public support for Russia’s invasion of Ukraine in February 2022, the Conti ransomware group suffered major leaks and was targeted by the US government, which sought to clamp down on ransom payments to Conti. For instance, after Conti conducted a major attack against the Costa Rican government, the US government prevented Conti from receiving the ransom money it had demanded. The US had threatened to impose sanctions on any company which made ransom payments to Conti.

AdvIntel researchers Yelisey Boguslavskiy and Vitali Kremez observed that Conti’s rebranding was necessary to enable the group to continue extorting money from its victims. Conti used pre-existing subsidiaries and subdivisions—including Black Basta—to rebrand itself under several new groups, before officially “performing its own death” as Conti.

The latest string of ransomware attacks by Black Basta should not be taken in isolation. Instead, these attacks reveal Conti’s success in rebranding and extorting ransoms from its victims once more, signaling that Conti remains a significant threat, even under disguise in its rebranded forms.

Author: W.Media