We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:Linux/BlackBasta.A!MTB
Aliases: No associated aliases
Summary
Ransom:Linux/BlackBasta.A!MTB is a detection for Black Basta ransomware which uses ChaCha20 symmetric encryption to encrypt files. The ransomware has been historically used to target VMWare ESXi servers.
This ransomware encrypts the data on a disk and can prevent both device use and data access. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
Guidance for end users
To learn more about preventing ransomware or other malware from affecting individual devices, read about preventing malware infection.
Guidance for enterprise administrators
Ransomware more often affects enterprises than individuals. Following these mitigation steps can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Harden internet-facing assets and ensure they have the latest security updates. Audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
Secure Remote Desktop Gateway using solutions like Microsoft Entra multi-factor authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check excessive failed authentication.
Use local device and network firewalls to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
