Black Basta Ransomware Gang Exploits Microsoft Windows Zero-Day


June 13, 2024

World map

Black Basta ransomware operators exploited a privilege escalation bug in the Microsoft Windows Error Reporting Service (CVE-2024-26169), and there is evidence they may have been targeting the zero-day prior to a patch being released in March.

"The exploit takes advantage of this to create a 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe' registry key where it sets the 'Debugger' value as its own executable pathname. This allows the exploit to start a shell with administrative privileges,” The Hacker News reports.

"The threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel," Microsoft said. "This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command-and-control."

Takeaway: Attackers are getting more efficient at exploiting both known and unknown vulnerabilities, and this trend is likely to escalate as threat actors automate earlier stages of their attack sequences.

Nowhere was this more evident than in the continued exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362) the Cl0p ransomware gang had used to compromise between 1000 and as many as 8,000 victims in rapid succession in 2023.

The wave of attacks followed another earlier in the year where Cl0p successfully compromised more than a hundred targets by exploiting a bug in the GoAnywhere file transfer tool.

Overall, the marked increase in the exploitation of vulnerabilities by ransomware gangs – particularly zero-days - is evidence that criminal actors are increasingly using more complex tactics usually seen in state-supported operations versus the random ‘spray and pray’ ransomware attacks of the past.

Mass exploitation of vulnerabilities like MOVEit are also evidence that ransomware gangs are increasingly leveraging automation to identify and target exposed organizations who have not patched against known vulnerabilities, which is why we are seeing so many new victims.

The bad news is that as attackers are getting more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine tuning evasion techniques, and exponentially improving encryption speeds, we will likely continue to see an escalation in attacks.

The good news is that many of these attacks leverage exploits for well-documented vulnerabilities means we can detect and stop these ransomware operations earlier in the attack sequence.

Many of the TTPs they employ are common and should help to reveal a host of detectable activity on the network that occurs long before the actual ransomware payload is delivered.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used, or when the attackers begin to move laterally on the network and seek to escalate privileges.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.