How to detect Black Basta malware with Wazuh
Black Basta is a ransomware that emerged in April 2022 and mostly targets enterprises and businesses. The ransomware has been observed to append the .basta extension to encrypted files. Black Basta's infiltration method has been reported to be primarily through phishing, torrent websites, and adware. The ransomware has two variants: a Windows variant and a VMware ESXi variant.
The Windows variant of the malware targets the 32-bit and 64-bit versions of Windows XP, Vista, 7, 10, and 11 systems. After encryption, the wallpaper of the affected machine is changed, and a readme.txt note file is added to all directories on the infected machine. The note warns that if the ransom is not paid, the exfiltrated information will be leaked on the cybercriminals' Tor network website. The message also contains a link to the Tor website where victims can communicate with the attackers.
VirusTotal aggregates many antivirus products and online scan engines and offers an API that can be queried with URLs, IP addresses, domain names, or file hashes. The VirusTotal integration automatically sends a request to the VirusTotal API with the hashes of files that are created or changed in any folder monitored by the Wazuh FIM module.
We configured the VirusTotal integration on the Wazuh manager, and FIM to monitor the Downloads directory, using this guide. Alerts were generated on the Wazuh dashboard when the malware was added to the Downloads directory.
Detecting Black Basta ransomware on an endpoint is achieved using Sysmon and writing Wazuh detection rules.
To configure the Wazuh agent to capture enriched logs with Sysmon and send them to the Wazuh manager for analysis, we perform the following steps:
1. Download Sysmon from the Microsoft Sysinternals page.
2. Download the Sysmon configuration file.
3. Launch CMD as an administrator and install Sysmon using the command below:

```
Sysmon64.exe -accepteula -i sysmonconfig.xml
```

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file to specify the location to collect Sysmon logs:

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

5. Restart the Wazuh agent for the changes to apply:

```
net stop wazuhsvc
net start wazuhsvc
```
Below are some activities generated by Black Basta malware when it is executed:

- Creates the dlaksjdoiwq.jpg and fkdjsadasd.ico files in the AppData\Temp directory of an infected system.
- Deletes the shadow copy using vssadmin.exe. Shadow copy, also known as VSS or Volume Snapshot Service, is used to create backup copies or snapshots of system files and volumes. This makes it a major target for ransomware groups seeking to inhibit system recovery (T1490).
- Creates a readme.txt file in all directories on the infected machine. The readme.txt file contains a Black Basta note with the URL to a Tor site where victims can interact and negotiate with its operators.

Wazuh provides a means of detecting threats and anomalies on an endpoint based on its artifacts. This section covers Wazuh rules created to detect Black Basta ransomware using the tactics, techniques, and procedures (TTPs) of the malware that have been reported by security researchers. The rules below were added to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh manager.
- Rule 100010 detects when the Black Basta wallpaper files dlaksjdoiwq.jpg and fkdjsadasd.ico are created on the endpoint.
- Rule 100012 detects the deletion of the shadow copy on the endpoint using vssadmin.exe.
- Rules 100013 and 100014 detect when multiple readme.txt files are added to the ProgramData directory in a short timeframe.

```xml
<group name="blackbasta,">
  <rule id="100010" level="3">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)(\\\\Temp\\\\dlaksjdoiwq.jpg|\\\\Temp\\\\fkdjsadasd.ico)</field>
    <description>The file $(win.eventdata.targetFilename) which has been associated with black basta malware was created in the TEMP directory. Possible Black basta ransomware activity.</description>
  </rule>
  <rule id="100012" level="5">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)vssadmin.exe.+delete.+shadows</field>
    <description>Vssadmin.exe was used to delete a shadow copy. Possible ransomware activity.</description>
  </rule>
  <rule id="100013" level="3">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:(\\\\programdata\\.+readme\.txt)</field>
    <description>The file $(win.eventdata.targetFilename) was created.</description>
  </rule>
  <rule id="100014" level="15" timeframe="100" frequency="2">
    <if_matched_sid>100013</if_matched_sid>
    <description>Readme.txt file has been created in multiple system directories in a short timeframe. Possible ransomware activity.</description>
  </rule>
</group>
```
Once the rules have been added, we restart the Wazuh manager to apply the changes using the command below:

```
sudo systemctl restart wazuh-manager
```
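To reason about what these rules will and will not fire on before deploying them, here is an added Python model (not Wazuh code and not from the original post) that applies the page's patterns to constructed Sysmon-style events and reproduces the frequency/timeframe correlation of rule 100014 in simplified form. It assumes that field values reach the matcher with JSON-escaped backslashes (C:\\Users\\...), which is why the rules write `\\\\` for one path separator, and that 61613 and 61603 are the Wazuh Sysmon FileCreate and process creation rules.

```python
import re
from collections import deque

# Patterns copied verbatim from the page's rules. Field values are assumed to be
# JSON-escaped (C:\\Users\\...), which is why the XML uses \\\\ for one separator.
WALLPAPER = re.compile(r"(?i)(\\\\Temp\\\\dlaksjdoiwq.jpg|\\\\Temp\\\\fkdjsadasd.ico)")
VSSADMIN = re.compile(r"(?i)vssadmin.exe.+delete.+shadows")
README = re.compile(r"(?i)[c-z]:(\\\\programdata\\.+readme\.txt)")
FREQUENCY, TIMEFRAME = 2, 100  # rule 100014: two 100013 matches within 100 s

class Detector:
    """Simplified analysisd model: parent Sysmon rule, field pattern, correlation."""
    def __init__(self):
        self.readme_hits = deque()  # timestamps of rule 100013 matches

    def evaluate(self, event):
        """Return the custom rule ids fired by one event. Parent sid is the Wazuh
        Sysmon rule (assumed): 61613 = FileCreate (event 11), 61603 = process create."""
        fired = []
        if event["sid"] == 61613:
            name = event.get("targetFilename", "")
            if WALLPAPER.search(name):
                fired.append(100010)
            if README.search(name):
                fired.append(100013)
                self.readme_hits.append(event["ts"])
                # drop matches outside the sliding window, then check the count
                while event["ts"] - self.readme_hits[0] > TIMEFRAME:
                    self.readme_hits.popleft()
                if len(self.readme_hits) >= FREQUENCY:
                    fired.append(100014)
                    self.readme_hits.clear()
        elif event["sid"] == 61603 and VSSADMIN.search(event.get("commandLine", "")):
            fired.append(100012)
        return fired

def evaluate_events(events):
    """Map each event id to the rule ids it triggered, in order."""
    det = Detector()
    return {e["id"]: det.evaluate(e) for e in events}

# Constructed sample events, not real telemetry (ts = seconds since start)
SAMPLE = [
    {"id": 1, "ts": 0, "sid": 61613, "targetFilename": "C:\\\\Users\\\\v\\\\AppData\\\\Local\\\\Temp\\\\dlaksjdoiwq.jpg"},
    {"id": 2, "ts": 5, "sid": 61603, "commandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 3, "ts": 10, "sid": 61613, "targetFilename": "C:\\\\ProgramData\\\\readme.txt"},
    {"id": 4, "ts": 20, "sid": 61613, "targetFilename": "C:\\\\ProgramData\\\\Microsoft\\\\readme.txt"},
    {"id": 5, "ts": 30, "sid": 61603, "commandLine": "vssadmin.exe list shadows"},  # no delete
    {"id": 6, "ts": 200, "sid": 61613, "targetFilename": "D:\\\\ProgramData\\\\readme.txt"},
    {"id": 7, "ts": 320, "sid": 61613, "targetFilename": "C:\\\\ProgramData\\\\readme.txt"},  # window expired
]
```

Events 3 and 4 together raise 100014, while events 6 and 7 are more than 100 seconds apart and only raise the level 3 rule 100013 each; Wazuh's own frequency counting may differ in detail, so confirm thresholds with wazuh-logtest on the manager.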
With these detection rules in place, the malware was executed for this simulation and the resulting alerts were generated on the Wazuh dashboard.
This article demonstrates how to detect Black Basta ransomware using Wazuh. We illustrated how to use the Wazuh FIM module and custom rules to detect Black Basta ransomware and its activities.