Heimdal

ABB, a leading provider of electrification and automation technology, has been hit by a Black Basta ransomware attack, which has reportedly affected business operations.

As part of its services, ABB develops industrial control systems (ICS) and SCADA systems for manufacturers and energy suppliers. The company has approximately 105,000 employees and is expected to generate $29.4 billion in revenue in 2022. Volvo, Hitachi, DS Smith, the City of Nashville, and the City of Zaragoza are among the company’s customers.

According to the company’s website, “ABB operates more than 40 U.S. based engineering, manufacturing, research, and service facilities with a proven track record serving a diversity of federal agencies.” These agencies include the U.S. Army Corps of Engineers and the U.S. Departments of Defense, Transportation, Energy, the Coast Guard, and the Postal Service.

What Happened?

On May 7th, ABB fell victim to a ransomware attack carried out by Black Basta, a ransomware gang that has been active since April 2022.

The breach affected the company’s Windows Active Directory and hundreds of its devices. Anonymous sources confirmed to Bleeping Computer that the attack caused significant disruption to ABB’s operations and projects and impacted its factories.

After initially declining to comment on the news, ABB sent the following statement to Bleeping Computer:

ABB recently detected an IT security incident that directly affected certain locations and systems. To address the situation, ABB has taken, and continues to take, measures to contain the incident. Such containment measures have resulted in some disruptions to its operations which the company is addressing.

The vast majority of its systems and factories are now up and running and ABB continues to serve its customers in a secure manner. ABB continues to work diligently with its customers and partners to resolve this situation and minimize its impact.

Black Basta Ransomware

The infamous Black Basta ransomware gang stepped onto the stage in April 2022 with its Ransomware-as-a-Service (RaaS) operation.

In no time at all, they had begun conducting double-extortion attacks on multiple corporate victims.

By June 2022, Black Basta had partnered with the QBot (QakBot) malware operation, which dropped Cobalt Strike on infected devices. The group then used Cobalt Strike to gain access and spread through corporate networks.

They also developed a Linux encryptor targeting VMware ESXi virtual machines running on Linux servers, as other ransomware operations targeting businesses have done. Security researchers have noted the gang’s links to the financially motivated cybercrime group FIN7 (Carbanak).

Since its appearance, Black Basta has infiltrated entities such as the American Dental Association, Sobeys, Knauf and Yellow Pages Canada.

Most recently, they attacked Capita, the UK’s largest outsourcing company, and started leaking stolen data.

Technical Analysis

Advanced forensics performed on the FOSO BlackBasta sample revealed the following information.

Behavioral analysis (via Hatching Triage)

  • Interacts with shadow copies;
  • Modifies registry class;
  • Suspicious use of AdjustPrivilegeToken;
  • Suspicious use of WriteProcessMemory;
  • Uses Volume Shadow Copy service COM API;
  • Drops file in Program Files directory;
  • Adds Run key to start application;
  • Modifies extensions of user files;
  • Deletes shadow copies;
  • Renames multiple (3088) files with added filename extension.

In-depth BlackBasta lifecycle analysis by process calls and associated operations (via Joe Sandbox)

  • Detected unpacking (creates a PE file in dynamic memory);
  • Found ransom note / readme;
  • Found Tor onion address;
  • Infects executable files (exe, dll, sys, html);
  • Machine Learning detection for sample;
  • May disable shadow drive data (uses vssadmin);
  • Multi AV Scanner detection for submitted file;
  • Writes a notice file (html or txt) to demand a ransom;
  • Writes many files with high entropy.

Signature (via CAPE Sandbox)

  • SetUnhandledExceptionFilter detected (possible anti-debug);
  • Possible date expiration check, exits too soon after checking local time;
  • A process attempted to delay the analysis task;
  • Dynamic (imported) function loading detected;
  • Creates RWX memory;
  • Uses Windows utilities for basic functionality;
  • Exhibits possible ransomware or wiper file modification behavior: mass_file_deletion;
  • Likely virus infection of existing system binary;
  • Attempts to delete or modify volume shadow copies;
  • Harvests credentials from local FTP client softwares;
  • Uses suspicious command line tools or Windows utilities;
  • Yara rule detections observed from a process memory dump/dropped files/CAPE.

MITRE ATT&CK Matrix for BlackBasta (via Any.Run)

  • Initial Access: N/A
  • Execution: Command & Scripting Interpreter (Windows Command Shell)
  • Persistence: N/A
  • Privilege Escalation: N/A
  • Defense Evasion: N/A
  • Credential Access: Unsecured credentials (Credentials in files); Steal web session cookies; Credentials from password stores (Credentials from web browsers)
  • Discovery: Software discovery; Query registry; System information discovery
  • Lateral Movement: N/A
  • Collection: N/A
  • C&C: N/A
  • Exfiltration: N/A
  • Impact: Data encryption; Inhibit system recovery
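The sandbox findings above (shadow copies deleted via vssadmin, thousands of files renamed with an added extension) and the Inhibit system recovery and Data encryption entries in the matrix map to two host-telemetry detections. The Python below is an added example, not part of the original article or any vendor's tooling; the event field names, the ".locked" suffix and the timestamps are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Sysmon-style records stand in for real telemetry; the field names
# (ts, event, cmdline, old_path, new_path) are assumptions, not a real schema.
_VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """T1490 Inhibit System Recovery: vssadmin deleting Volume Shadow Copies."""
    return bool(_VSS_DELETE.search(cmdline))

def rename_burst(events, min_files=50, window=timedelta(seconds=60)):
    """Return the appended suffix when at least min_files renames adding the
    same suffix fall inside one sliding window, else None."""
    renames = sorted((e for e in events if e["event"] == "FileRename"),
                     key=lambda e: e["ts"])
    for i, first in enumerate(renames):
        suffixes = Counter()
        for e in renames[i:]:
            if e["ts"] - first["ts"] > window:
                break
            old, new = e["old_path"], e["new_path"]
            if new.startswith(old) and len(new) > len(old):  # name kept, suffix added
                suffixes[new[len(old):]] += 1
        if suffixes and suffixes.most_common(1)[0][1] >= min_files:
            return suffixes.most_common(1)[0][0]
    return None

def detect(events):
    """Run both heuristics over a batch of events and return the findings."""
    findings = [f"shadow copy deletion: {e['cmdline']}" for e in events
                if e["event"] == "ProcessCreate" and is_shadow_copy_deletion(e["cmdline"])]
    ext = rename_burst(events)
    if ext:
        findings.append(f"mass rename burst appending {ext}")
    return findings

def build_sample_events():
    """Constructed telemetry: one vssadmin call, then 60 renames within 30 s.
    The '.locked' suffix is a placeholder, not Black Basta's real extension."""
    t0 = datetime(2023, 5, 7, 3, 0, 0)
    events = [{"ts": t0, "event": "ProcessCreate",
               "cmdline": "vssadmin.exe delete shadows /all /quiet"}]
    for i in range(60):
        old = rf"C:\Users\alice\Documents\report{i}.docx"
        events.append({"ts": t0 + timedelta(seconds=i // 2), "event": "FileRename",
                       "old_path": old, "new_path": old + ".locked"})
    return events
```

The thresholds are conservative defaults; tune min_files and window to the normal rename rate of the hosts being monitored.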

Top 10 Memory Dumps (via Joe Sandbox)

  Base Address   Type                         Protect
  34E0000        direct allocation            page read and write
  3220000        direct allocation            page execute and read
  3600000        direct allocation            page execute and read
  14EC000        heap                         page read and write
  1535000        heap                         page read and write
  14A1000        heap                         page read and write
  169B4100000    trusted library allocation   page read and write
  148E000        heap                         page read and write
  150D000        heap                         page read and write
  153D000        heap                         page read and write

Measures to Prevent Ransomware

To protect against ransomware attacks like Black Basta’s, cyber security specialists recommend the following measures:

Author Profile

Madalina Popovici
