Black Basta Ransomware Group Exploits Windows Zero-Day for Administrator Access


The Black Basta ransomware group has been exploiting a zero-day vulnerability in Windows to gain administrator access for several months, as revealed in chat logs. This highlights the urgent need to dismantle the ransomware economy cycle. For more details, visit: https://lnkd.in/d66cZVF4

Practice-Verified Commands and Codes

1. Detecting Unauthorized Administrator Access on Windows:

# Successful logons (4624) whose message names an Administrator account. Get-WinEvent replaces the deprecated Get-EventLog; note that a plain "Administrator" string match misses renamed accounts and other members of the Administrators group.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object { $_.Message -match "Administrator" }
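A more reliable way to spot admin-equivalent logons than matching the word "Administrator" is to correlate 4624 (successful logon) with 4672 (special privileges assigned to the new logon) on the logon ID they share. The script below is an added example and not code from the original post; the 7-day lookback and the list of expected admin source addresses are hypothetical and should be replaced with your own values. It needs an elevated prompt and the default Security log auditing.

```powershell
# Added example (not from the original post): find network/RDP logons that were
# granted admin-equivalent privileges by joining 4624 and 4672 on the logon ID.
# 4672 fires for any token holding privileges such as SeDebugPrivilege, whatever
# the account is called, so renamed or additional admin accounts are not missed.
# Assumptions (hypothetical): the lookback window and the allow-list of jump hosts.
param(
    [int]$Days = 7,
    [string[]]$ExpectedSources = @('10.0.0.5', '10.0.0.6')   # hypothetical admin jump hosts
)

$since = (Get-Date).AddDays(-$Days)

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Parse EventData into a name -> value hashtable. Positional Properties[]
    # indexes shift between Windows versions; the field names do not.
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Step 1: logon IDs that received special privileges (4672), keyed by SubjectLogonId.
$privileged = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        $privileged[$d['SubjectLogonId']] = $d['PrivilegeList']
    }

# Step 2: successful logons (4624) of type 3 (network) or 10 (RDP) whose TargetLogonId
# appears in that set. Machine accounts (trailing $) and ANONYMOUS LOGON are noise here.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d['LogonType'] -in '3', '10' -and
            $d['TargetUserName'] -notlike '*$' -and
            $d['TargetUserName'] -ne 'ANONYMOUS LOGON' -and
            $privileged.ContainsKey($d['TargetLogonId'])) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
                Unexpected  = ($d['IpAddress'] -notin $ExpectedSources)
                Privileges  = $privileged[$d['TargetLogonId']]
            }
        }
    }

# Rows with Unexpected = True are privileged remote logons from hosts not on the allow-list.
$hits | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Find-PrivilegedLogons.ps1 -Days 30 -ExpectedSources 10.0.0.5` on the host being investigated; on a domain controller the same correlation covers every domain logon that reached it. The join on the logon ID is the standard pairing Windows provides for this purpose, and it is also what a SIEM rule for "privileged remote logon from an unexpected source" boils down to.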

2. Blocking Suspicious IPs on Linux:

# Drops traffic from one address; the rule is not persistent across reboots (save it with iptables-save, or use nftables/firewalld on current distributions)
sudo iptables -A INPUT -s <suspicious-IP> -j DROP

3. Scanning for Vulnerabilities with Nmap:

# -sV gives the vuln category scripts the service versions most of them key on
sudo nmap -sV --script vuln <target-IP>

4. Monitoring Ransomware Activity with Sysmon:

<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="RansomwarePrecursors" groupRelation="or">
      <!-- No real payload names its binary "ransomware"; instead alert on the
           shadow-copy and recovery tampering that typically precedes encryption.
           "contains all" takes semicolon-separated terms that must all be present. -->
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains all">vssadmin;delete;shadows</CommandLine>
        <CommandLine condition="contains all">wmic;shadowcopy;delete</CommandLine>
        <CommandLine condition="contains all">bcdedit;recoveryenabled;no</CommandLine>
        <CommandLine condition="contains all">wbadmin;delete;catalog</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

5. Disabling SMBv1 to Prevent Exploitation:

# -Force skips the confirmation prompt; run from an elevated PowerShell session
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

6. Backup Critical Data with Rsync on Linux:

rsync -av --progress /critical-data /backup-location

7. Enabling Windows Defender Real-Time Protection:

Set-MpPreference -DisableRealtimeMonitoring $false

8. Analyzing Ransomware Logs with Grep:

grep -i "ransomware" /var/log/syslog

9. Applying a Group Policy change that restricts admin access:

# gpupdate only re-applies policy that is already configured in the GPO (for example Restricted Groups, or the "Deny log on through Remote Desktop Services" user right); on its own it changes nothing about who is an administrator
gpupdate /force
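Because a policy refresh is only as good as the restriction behind it, it is worth checking on the host that the local Administrators group actually matches what the GPO is supposed to enforce. The script below is an added example, not code from the original post; the allow-list entries (the CORP domain and its groups) are hypothetical placeholders.

```powershell
# Added example (not from the original post): audit the local Administrators group
# against an allow-list and report (optionally remove, dry-run first) anything else.
# Assumption (hypothetical): the allow-list below; replace it with the principals
# your Restricted Groups / GPP policy is meant to enforce.
param(
    [string[]]$Allowed = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin (Get-LocalGroupMember reports it with the host name)
        'CORP\Domain Admins',                # hypothetical domain group
        'CORP\Workstation-Admins'            # hypothetical tier-2 support group
    ),
    [switch]$Remove
)

# Orphaned SIDs (deleted domain accounts) can make Get-LocalGroupMember throw; keep going and list the rest.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$unexpected = @($members | Where-Object { $_.Name -notin $Allowed })

if ($unexpected.Count -eq 0) {
    Write-Host "Administrators group matches the allow-list ($($members.Count) members)."
    return
}

Write-Host "Members of Administrators not on the allow-list:"
$unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($Remove) {
    foreach ($m in $unexpected) {
        # -WhatIf shows what would be removed; drop it once the list has been reviewed.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf
    }
}
```

Run it after `gpupdate /force` as `.\Audit-LocalAdmins.ps1`; if the output still lists extra members, the GPO is not defining the group (or is not applying to the host), and that is what needs fixing rather than re-running the refresh.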

10. Creating a Snapshot of System State:

sudo timeshift --create --comments "Pre-ransomware snapshot"

What Undercode Say

The exploitation of zero-day vulnerabilities by ransomware groups like Black Basta underscores the critical need for robust cybersecurity measures. To combat such threats, it is essential to implement proactive defense strategies, including regular system updates, vulnerability scanning, and strict access controls. Utilizing tools like Sysmon for real-time monitoring and Nmap for vulnerability assessment can significantly enhance your security posture. Additionally, disabling outdated protocols like SMBv1 and enabling real-time protection with Windows Defender can mitigate potential attack vectors. Regular backups, using tools like Rsync, ensure data recovery in case of an attack. By understanding and disrupting the ransomware economy cycle, we can collectively reduce the impact of these malicious activities. For further reading on ransomware prevention, visit: https://www.cisa.gov/stopransomware.

References:

Initially reported by Kevin Beaumont: https://www.linkedin.com/posts/kevin-beaumont-security_i-discovered-black-basta-ransomware-group-activity-7302382992339996673-ySYx