
BlackBasta ransomware #127

Merged: 3 commits merged into main from lp-june-edit on Aug 21, 2024

Conversation

lparker31 (Contributor)

Added BlackBasta ransomware flow. This will need to be updated if changes are made to the Windows Registry Key STIX observable node. I didn't add the JSON file because it appeared that only .afb files were in the corpus folder now. If the JSON file is needed, I can provide it.


codecov bot commented Jul 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.28%. Comparing base (6ad0ace) to head (50406ac).
Report is 4 commits behind head on main.

Additional details and impacted files (Coverage Diff, main vs. #127):

| Metric   | main   | #127   | +/- |
|----------|--------|--------|-----|
| Coverage | 99.28% | 99.28% |     |
| Files    | 9      | 9      |     |
| Lines    | 974    | 974    |     |
| Hits     | 967    | 967    |     |
| Misses   | 7      | 7      |     |

mehaase (Contributor) commented Jul 16, 2024

A few requested changes:

[Screenshot 2024-07-16 at 2:16:28 PM]

Please move the arrows so they don't overlap. There are a few places in the flow where I saw overlapping arrows.

[Screenshot 2024-07-16 at 2:18:00 PM]

Correct me if I'm wrong, but I think IsDebuggerPresent is a Windows API, not a command line tool. (And if it is, we don't have STIX objects for API calls. It could be included in the flow as a note, possibly.)

[Screenshot 2024-07-16 at 2:20:11 PM]

This registry key is showing as blank. It should be set up like this:

  • Key: HKEY_CURRENT_USER\Control Panel
  • Value:
    • Name: Wallpaper
    • Data: C:\Temp\dlaksjdoiwq.jpg (I found this in a Trend Micro report -- are these randomized for each infection or are these stable within a single campaign?)
    • Data Type: REG_SZ

[Screenshot 2024-07-16 at 2:29:50 PM]

I don't think this dependency is accurate, i.e. booting in safe mode does not depend on setting the wallpaper key in the registry, it just happens after. The reason why this is important is because we want to look at where we can disrupt attacks. In this case, if we detect or prevent writes to the wallpaper registry key, that doesn't really affect the rest of the attack.

[Screenshot 2024-07-16 at 2:31:26 PM]

File isn't the right object to use here, because .basta isn't a single specific file. You could maybe use an Indicator object and set the pattern using the STIX Patterns language. But that seems overkill. I suggest removing the File object here.

[Screenshot 2024-07-16 at 2:35:11 PM]

Same thing here. The File object is meant to be used as an indicator, i.e. "go search your network for this file name." But I don't think basta is making a file called random-letters.ico, it's actually making files like fdsjskjsfak.ico. If this filename is stable across multiple incidents, then it's worth including as an indicator, otherwise let's just explain in the action description that it's creating random file names.

[Screenshot 2024-07-16 at 2:38:25 PM]

T1657 should be moved earlier in the flow, e.g. an offshoot of the exfiltration action, because it does not depend on the encryption-for-impact leg of the flow.
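As an added example (not code from the PR or from the Attack Flow project), the following Python script builds the registry-key observable the way the review above asks for it, flags the blank-key problem the reviewer saw, and shows the Indicator-with-STIX-pattern alternative mentioned for `.basta`. The UUIDv5 namespace is the STIX 2.1 SCO namespace; the simplified JSON canonicalisation and the abbreviated `windows-registry-datatype-enum` set are assumptions.

```python
import json
import uuid

# STIX 2.1 namespace for deterministic SCO ids (UUIDv5 over the object's
# ID-contributing properties: for windows-registry-key these are key + values).
# Assumption: plain sorted JSON stands in for the spec's JCS canonicalisation.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Assumption: subset of windows-registry-datatype-enum sufficient for this flow.
REGISTRY_DATA_TYPES = {"REG_NONE", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY",
                       "REG_DWORD", "REG_DWORD_BIG_ENDIAN", "REG_LINK",
                       "REG_MULTI_SZ", "REG_QWORD"}

def sco_id(sco_type, contributing):
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"

def registry_key_sco(key, name, data, data_type):
    """Build a windows-registry-key SCO with one value, as the review specifies."""
    values = [{"name": name, "data": data, "data_type": data_type}]
    return {"type": "windows-registry-key", "spec_version": "2.1",
            "id": sco_id("windows-registry-key", {"key": key, "values": values}),
            "key": key, "values": values}

def registry_key_problems(obj):
    """List what is missing or wrong; an empty list means the node is usable."""
    problems = []
    if not obj.get("key", "").strip():
        problems.append("key is blank")
    for i, v in enumerate(obj.get("values", [])):
        if not v.get("name"):
            problems.append(f"values[{i}]: missing name")
        if v.get("data_type") not in REGISTRY_DATA_TYPES:
            problems.append(f"values[{i}]: unknown data_type {v.get('data_type')!r}")
    return problems

def extension_indicator(ext, created="2024-07-16T00:00:00.000Z"):
    """Indicator whose STIX pattern matches any file name ending in '.ext'."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": created,
            "modified": created, "pattern": f"[file:name MATCHES '\\\\.{ext}$']",
            "pattern_type": "stix", "valid_from": created}

if __name__ == "__main__":
    # Key, value name, data and type are the ones quoted in the review comment.
    wallpaper = registry_key_sco(r"HKEY_CURRENT_USER\Control Panel", "Wallpaper",
                                 r"C:\Temp\dlaksjdoiwq.jpg", "REG_SZ")
    print(json.dumps(wallpaper, indent=2))
    print("blank node:", registry_key_problems({"key": "", "values": []}))
    print(extension_indicator("basta")["pattern"])
```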

mehaase (Contributor) left a review: Requested a few changes. See comment above.


lparker31 (Contributor, Author)

Fixed flow based on recommended changes.

@mehaase mehaase merged commit 0a90aa0 into main Aug 21, 2024
7 checks passed
@mehaase mehaase deleted the lp-june-edit branch August 21, 2024 18:39