Black Basta ransomware encrypts user data using a combination of the AES and RSA algorithms and then demands that victims contact the operators via their Tor site for ransom negotiations. The operators have claimed responsibility for the attack on the American Dental Association (ADA) and have released 2.8 GB of stolen data so far.
Upon execution, it:
- Replaces the desktop wallpaper image with the text "Your network is encrypted and you need to read the readme.txt file".
- Reboots the computer using the shutdown command with the arguments (shutdown -r -f -t 0).
- Boots the system into Safe Mode, and encrypted files receive a special icon.
- Deletes shadow copies of files and disables the Windows recovery and repair functions at the boot stage.
- Changes the appearance of encrypted files using its own .ico file.
- Appends the extension .basta to encrypted files. The ransom.
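The behaviours listed above can be correlated per host in endpoint telemetry. The following is an added example, not part of the original write-up: the event layout, host names and sample events are constructed, and the vssadmin/wmic/bcdedit patterns are assumptions about how the shadow-copy and safe-boot steps commonly appear, since the page names only the shutdown arguments, the readme.txt note and the .basta extension.

```python
import re
from datetime import datetime, timedelta

# Only the shutdown arguments come from the page; the other patterns are assumptions.
CMD_RULES = {
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b(?=.*[-/]r\b)(?=.*[-/]f\b)(?=.*[-/]t\s+0\b)", re.I),
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "safe_boot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
}

def classify(ev):
    """Map one event to the behaviour names it matches."""
    if ev["type"] == "process":
        return [n for n, rx in CMD_RULES.items() if rx.search(ev["cmd"])]
    path = ev["path"].lower()
    if path.endswith(".basta"):
        return ["basta_extension"]
    return ["ransom_note"] if path.endswith("\\readme.txt") else []

def triage(events, window=timedelta(minutes=10), min_basta_files=3):
    """Per host, behaviours seen within `window` of the first matching event."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        for name in classify(ev):
            hits.setdefault(ev["host"], []).append((ev["time"], name))
    report = {}
    for host, seen in hits.items():
        names = [n for t, n in seen if t - seen[0][0] <= window]
        if names.count("basta_extension") < min_basta_files:
            names = [n for n in names if n != "basta_extension"]  # one odd file is noise
        report[host] = sorted(set(names))
    return report

def is_alert(behaviours, threshold=2):
    """A single indicator (e.g. any readme.txt) is weak; require correlation."""
    return len(behaviours) >= threshold

T0 = datetime(2022, 1, 1, 9, 0)  # constructed sample events, not real telemetry
SAMPLE = [
    {"time": T0, "host": "WS01", "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": T0 + timedelta(seconds=5), "host": "WS01", "type": "process", "cmd": "bcdedit /set safeboot network"},
    {"time": T0 + timedelta(seconds=9), "host": "WS01", "type": "process", "cmd": "shutdown -r -f -t 0"},
    {"time": T0 + timedelta(minutes=2), "host": "WS01", "type": "file", "path": r"C:\Users\a\Desktop\readme.txt"},
    *[{"time": T0 + timedelta(minutes=3), "host": "WS01", "type": "file",
       "path": rf"C:\Users\a\Documents\doc{i}.docx.basta"} for i in range(3)],
    {"time": T0, "host": "WS02", "type": "process", "cmd": "shutdown -r -t 60"},
    {"time": T0, "host": "WS02", "type": "file", "path": r"C:\Tools\readme.txt"},
]
```

Calling triage(SAMPLE) flags WS01 on five correlated behaviours, while WS02, with an ordinary delayed reboot and an unrelated readme.txt, stays below the alert threshold.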
Black Basta Ransom Note
Black Basta Ransomware Signatures
Black Basta Ransomware Download