StopRansomware: Black Basta
May 13, 2024, 10 a.m.
Description
This advisory details the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Black Basta ransomware, a variant first identified in April 2022. Black Basta affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Public Health. They gain initial access through phishing and by exploiting known vulnerabilities (the CVEs listed under Attack Patterns below), employ double extortion (exfiltrating data before encrypting systems), and use a range of tools for lateral movement and privilege escalation. The advisory provides mitigations and recommendations to help organizations defend against this threat.
Date
Published: May 13, 2024, 9:31 a.m.
Created: May 13, 2024, 9:31 a.m.
Modified: May 13, 2024, 10 a.m.
Indicators
.181.173.227
83.243.40.10
80.239.207.200
64.176.219.106
5.78.115.67
207.126.152.242
185.7.214.79
185.219.221.136
183.181.86.147
155.138.246.122
88.198.198.90
46.161.27.151
116.203.186.178
xkpal.d6597fa.dns.blocktoday.net
xkpal.1a4a64b6.dns.blocktoday.net
nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday.net
nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills.com
my.2a91c002002.588027fa.dns.realbumblebee.net
fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee.net
dns.trailshop.net
fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee.net
dns.artspathgroupe.net
0gpw.588027fa.dns.realbumblebee.net
wipresolutions.com
winklen.ch
webnubee.com
usaglobalnews.com
trailcosolutions.com
trailshop.net
trailcocompany.com
trackgroup.net
topglobaltv.com
tomlawcenter.com
thetrailbig.net
thesmartcloudusa.com
technologgies.com
startupmartec.net
startupbuss.com
specialdrills.com
simorten.com
securecloudmanage.com
recentbeelive.com
recentbee.net
rasapool.net
realbumblebee.net
protectionek.com
otxcarecosmetics.com
otxcosmeticscare.com
ontexcare.com
oneblackwood.com
onedogsclub.com
myfinancialexperts.com
nebraska-lawyers.com
modernbeem.net
magentoengineers.com
limitedtoday.com
kekeoamigo.com
jenshol.com
investrealtydom.net
investmentgblog.net
currentbee.net
consulheartinc.com
childrensdolls.com
buygreenstudio.com
buyblocknow.com
businessprofessionalllc.com
artstrailreviews.com
artstrailman.com
artspathgroupe.net
artspathgroup.net
adslsdfdsfmo.world
wellsystemte.net
withclier.com
welausystem.net
unougn.com
wardeli.com
unitedfrom.com
treeauwin.net
trailgroupl.net
taskthebox.net
stockinvestlab.net
steamteamdev.net
startuptechnologyw.net
startupbusiness24.net
startupbizaud.net
softradar.net
septcntr.com
seohomee.com
reelsysmoona.net
prettyanimals.net
mytrailinvest.net
monitorsystem.net
monitor-websystem.net
masterunix.net
maluisepaul.com
kolinileas.com
karmafisker.com
jessvisser.com
ionoslaba.com
investmentrealtyhp.net
investmendvisor.net
getfnewssolutions.com
getfnewsolutions.com
gartenlofti.com
garbagemoval.com
erihudeg.com
constrtionfirst.com
cloudworldst.net
clearsystemwo.net
caspercan.com
businesforhome.com
brendonline.com
bluenetworking.net
auuditoe.com
audsystemecll.net
animalsfast.net
allcompanycenter.com
airbusco.net
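As an added example (not part of the advisory or of this indicator listing), the following Python script matches DNS and proxy log lines against a constructed subset of the indicators above. Several of the domain indicators are long, randomized subdomains under zones such as dns.realbumblebee.net and dns.blocktoday.net, so the matcher compares whole DNS labels and flags any name under a listed domain while rejecting look-alike substrings such as notrealbumblebee.net. The indicator subset, the log format, and the log lines are all constructed for this example.

```python
"""Match DNS/proxy log lines against the IOCs from this page (added example)."""
import ipaddress
import re

# Constructed subset of the indicators listed above; feed the full list in practice.
INDICATORS = [
    "83.243.40.10",
    "5.78.115.67",
    "dns.trailshop.net",
    "trailshop.net",
    "realbumblebee.net",
    "blocktoday.net",
    "specialdrills.com",
    "my.2a91c002002.588027fa.dns.realbumblebee.net",
]

# Constructed log lines (not from the advisory); a mix of DNS and proxy events.
SAMPLE_LOGS = [
    "2024-05-13T09:31:02Z dns client=10.0.0.23 qname=nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills.com type=TXT",
    "2024-05-13T09:31:05Z proxy client=10.0.0.23 dst=83.243.40.10:443 method=CONNECT",
    "2024-05-13T09:31:07Z dns client=10.0.0.31 qname=www.notrealbumblebee.net type=A",
    "2024-05-13T09:31:09Z proxy client=10.0.0.31 dst=83.243.40.100:443 method=CONNECT",
    "2024-05-13T09:31:11Z dns client=10.0.0.23 qname=0gpw.588027fa.dns.realbumblebee.net. type=A",
]

# Tokens that could be a hostname or an IP: letters, digits, dots, hyphens.
_TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def build_ioc_sets(indicators):
    """Split raw indicators into a set of IP strings and a set of lowercase domains."""
    ips, domains = set(), set()
    for raw in indicators:
        ioc = raw.strip().lower().rstrip(".")
        if not ioc:
            continue
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return ips, domains


def domain_hits(name, domains):
    """Return listed domains equal to `name` or to one of its parent zones.

    Comparing whole labels (not substrings) means the randomized DNS-tunnel
    subdomains seen above match their parent zone, while a look-alike such as
    notrealbumblebee.net does not match realbumblebee.net.
    """
    labels = name.lower().rstrip(".").split(".")
    return [
        ".".join(labels[i:])
        for i in range(len(labels))
        if ".".join(labels[i:]) in domains
    ]


def match_log_line(line, ips, domains):
    """Return the sorted list of indicators found in one log line."""
    found = set()
    for token in _TOKEN_RE.findall(line):
        tok = token.lower().rstrip(".")
        if tok in ips:
            found.add(tok)
        elif "." in tok:
            found.update(domain_hits(tok, domains))
    return sorted(found)


def scan(lines, indicators):
    """Return (line_number, [indicators]) for every line with at least one hit."""
    ips, domains = build_ioc_sets(indicators)
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_log_line(line, ips, domains)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS, INDICATORS):
        print(f"line {number}: {', '.join(hits)}")
```

Exact-match IPs are checked first, so a near miss such as 83.243.40.100 is not reported; domain matching walks the label boundaries from the full name up to the TLD, which is why the third and fourth sample lines produce no hit while the first, second and fifth do.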
Attack Patterns
QakBot (MITRE ATT&CK S0650; also tracked as QBot, QuackBot, and Pinkslipbot)
Black Basta
T1490 Inhibit System Recovery
T1059.001 Command and Scripting Interpreter: PowerShell
T1562.001 Impair Defenses: Disable or Modify Tools
T1486 Data Encrypted for Impact
T1036 Masquerading
T1566 Phishing
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
CVE-2021-42287 (Active Directory domain controller privilege escalation; chained with CVE-2021-42278 as "NoPac")
CVE-2021-42278 (Active Directory sAMAccountName spoofing; chained with CVE-2021-42287 as "NoPac")
CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass)
CVE-2021-34527 (Windows Print Spooler remote code execution, "PrintNightmare")
CVE-2020-1472 (Netlogon elevation of privilege, "Zerologon")
Additional Information
Public Health
Healthcare