FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.
That's the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.
A Collection of Custom Tools
SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim's Active Directory environment.
They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging "NoPac," an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.
SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .Net assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators.
"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."
Sophisticated Ransomware Threat
The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it.
In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.
"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."
FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV.
"So, it would not be surprising to see yet another potential association," this time with FIN7, Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."
According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.