Ransom:Linux/BlackBasta.A!MTB
Aliases: No associated aliases
Summary
Ransom:Linux/BlackBasta.A!MTB is a detection for the Linux build of Black Basta ransomware, which uses the ChaCha20 symmetric cipher to encrypt files. This variant has historically been used to target VMware ESXi servers.
This ransomware encrypts the data on a disk and can prevent both device use and data access. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
Guidance for end users
To learn more about preventing ransomware or other malware from affecting individual devices, read about preventing malware infection.
Guidance for enterprise administrators
Ransomware more often affects enterprises than individuals. Following these mitigation steps can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Harden internet-facing assets and ensure they have the latest security updates. Audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
Secure Remote Desktop Gateway using solutions like Microsoft Entra multi-factor authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check for excessive failed authentication attempts against the same host or account, especially on internet-facing and hypervisor management interfaces.
Use local device and network firewalls to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
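The brute-force monitoring step above, as an added example that is not part of this Microsoft page and not Microsoft tooling: a small Python detector run over constructed SSH authentication log lines in the syslog style an ESXi host writes to /var/log/auth.log (the line format, the source IPs, and the threshold are assumptions chosen for illustration). It goes a little beyond the text by using a sliding time window rather than a raw count, and by flagging the case a responder cares about most: a successful login from a source that has just tripped the failure threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed ESXi-style sshd syslog format; not real log entries).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[2001]: Failed password for root from 203.0.113.7 port 50101 ssh2
2024-03-01T10:00:03Z sshd[2002]: Failed password for root from 203.0.113.7 port 50102 ssh2
2024-03-01T10:00:05Z sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50103 ssh2
2024-03-01T10:00:07Z sshd[2004]: Failed password for root from 203.0.113.7 port 50104 ssh2
2024-03-01T10:00:09Z sshd[2005]: Failed password for root from 203.0.113.7 port 50105 ssh2
2024-03-01T10:00:11Z sshd[2006]: Accepted password for root from 203.0.113.7 port 50106 ssh2
2024-03-01T10:05:00Z sshd[2007]: Failed password for root from 198.51.100.4 port 40001 ssh2
2024-03-01T10:30:00Z sshd[2008]: Failed password for root from 198.51.100.4 port 40002 ssh2
2024-03-01T10:31:00Z sshd[2009]: Accepted publickey for root from 192.0.2.10 port 33001 ssh2
"""

# Matches both failed and successful sshd login records, including "invalid user" failures.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_line(line):
    """Return a dict with ts/result/user/ip for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag every source IP that produced >= `threshold` failed logins inside any
    sliding `window`. Result: {ip: {"failures": peak_in_window,
    "success_after_failures": True if a login later succeeded from that IP}}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue  # unrelated syslog line
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    ev["ip"], {"failures": 0, "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif ev["ip"] in alerts:
            # A success from a source that already tripped the threshold is the
            # highest-priority finding: the guessing may have worked.
            alerts[ev["ip"]]["success_after_failures"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after_failures']}")
```

With the constructed input, only 203.0.113.7 is reported: five failures in eight seconds followed by an accepted password, which is the pattern that should page someone. 198.51.100.4 produces two failures 25 minutes apart and stays below the threshold. The threshold and window are the tuning knobs; a hypervisor management interface that is not internet-facing can reasonably use a much lower threshold than a general-purpose jump host.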