What is Black Basta?
Researchers from Uptycs reported that a Linux version of the Black Basta ransomware is now actively targeting ESXi servers, having previously targeted Windows systems. Black Basta has been active since April 2022 and, like other ransomware operations, it implements a double-extortion attack model. In a double-extortion scheme the malicious actors first extort victims for cryptocurrency to decrypt the data that the ransomware process has encrypted; then they also demand payment to prevent business-critical or sensitive data from being leaked to the dark web.
The ransomware appends the .basta extension to the encrypted filenames and creates ransom notes named readme.txt in each folder.
The ransomware searches for the /vmfs/volumes directory, where the virtual machines are stored on the ESXi server. Once the directory is found, it starts to encrypt the files present inside the volumes folder. The software appears to use the ChaCha20 algorithm as part of its encryption mechanism, probably to speed up the encryption process. It also uses multithreading to utilize multiple processors, which makes the encryption faster and harder to detect.
According to the researchers, the readme.txt file contains a link to a support panel where the victim can negotiate options for file decryption.
How to protect your environment?
There are a few options for us to protect our virtual environments against not only ransomware but all other malicious threats.
- Keep your strategic VMs backed up. Yes, virtual machines. If you become a victim of ransomware, you can rebuild the ESXi host and restore your VMs from backup.
- Segment your network. Always keep your ESXi hosts on a separate network from the one users browse the Internet from.
- Disable SSH service.
- Keep your hosts in Lockdown mode.
Keeping services off and Lockdown mode on can be hard to police, especially if there are a few administrators. Someone can change the settings for troubleshooting purposes and forget to put every security measure back in place.
Therefore, today I am going to show you two short PowerShell scripts to keep SSH off and Lockdown mode on. You can combine them into one script or run them separately as a daily job to keep everything under control. In my case these two small scripts are part of one big script where I put all my hardening recommendations.
# Assumes an existing PowerCLI session to vCenter (Connect-VIServer)
# Only reachable hosts: disconnected or not-responding hosts cannot be changed
$vmhosts = Get-VMHost | Where-Object { $_.State -eq "Connected" -or $_.State -eq "Maintenance" }

#SSH
# Find the SSH service on every host, stop it where it is running and set its
# startup policy to Off so it does not come back after a reboot
$ssh = $vmhosts | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
$sshon = $ssh | Where-Object { $_.Running -eq $true }
$sshon | Stop-VMHostService -Confirm:$false
$sshon | Set-VMHostService -Policy "Off" -Confirm:$false

#LOCKDOWN ESXI
# Reuse the reachable hosts from above; Get-View fails on disconnected hosts
foreach ($lock in $vmhosts) {
    $HostAccessManager = Get-View $lock.ExtensionData.ConfigManager.HostAccessManager
    # Clear the lockdown exception user list so no account bypasses Lockdown mode
    $HostAccessManager.UpdateLockdownExceptions($null)
    # Only enable Lockdown mode where it is disabled; hosts already in normal or
    # strict mode are left alone (EnterLockdownMode faults on a locked host)
    if ($HostAccessManager.LockdownMode -eq "lockdownDisabled") {
        $lock.ExtensionData.EnterLockdownMode()
    }
}
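As an added companion to the enforcement script above (example code written for this post, not part of the original), the audit function below reports per host the settings the daily job changes, plus the ESXi Shell service and the lockdown exception user list, so configuration drift introduced during troubleshooting is visible in a report before it is silently corrected. It assumes an existing PowerCLI session (Connect-VIServer) and hosts on vSphere 6.0 or later, where HostAccessManager is available; the function name Get-EsxiHardeningReport is my own.

```powershell
# Added example: audit-only PowerCLI report of SSH, ESXi Shell and Lockdown state.
# Assumes an existing Connect-VIServer session and ESXi/vCenter 6.0+ (HostAccessManager).
function Get-EsxiHardeningReport {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to every connected or maintenance-mode host
        [object[]]$VMHost
    )
    if (-not $VMHost) {
        $VMHost = Get-VMHost | Where-Object { $_.State -in 'Connected', 'Maintenance' }
    }
    foreach ($h in $VMHost) {
        $services = Get-VMHostService -VMHost $h
        $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }   # SSH server
        $shell = $services | Where-Object { $_.Key -eq 'TSM' }       # ESXi Shell
        $ham   = Get-View $h.ExtensionData.ConfigManager.HostAccessManager
        # Accounts on this list keep their permissions even when lockdown is on
        $exceptions = @($ham.QueryLockdownExceptions())

        $findings = @()
        if ($ssh.Running)                             { $findings += 'SSH running' }
        if ($ssh.Policy -ne 'off')                    { $findings += "SSH startup policy is '$($ssh.Policy)'" }
        if ($shell.Running)                           { $findings += 'ESXi Shell running' }
        if ($ham.LockdownMode -eq 'lockdownDisabled') { $findings += 'Lockdown mode disabled' }
        if ($exceptions.Count -gt 0)                  { $findings += "Lockdown exception users: $($exceptions -join ', ')" }

        [pscustomobject]@{
            Host         = $h.Name
            SshRunning   = [bool]$ssh.Running
            SshPolicy    = $ssh.Policy
            ShellRunning = [bool]$shell.Running
            LockdownMode = [string]$ham.LockdownMode
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage from a scheduled task: show only the hosts that drifted from the baseline
Get-EsxiHardeningReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it before the enforcement script, or export the objects with Export-Csv, to keep a record of which hosts drifted and how often.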
Please like and share to spread the knowledge in the community.
Subscribe to my channel : https://bit.ly/3vY16CT
If you want to chat with me please use Twitter: @AngrySysOps
Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc
Visit my FB page: https://www.facebook.com/AngrySysOps
Read my blog: https://angrysysops.com