Cybersecurity experts warn of emerging threat from “Black Basta” ransomware


The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, UK, Australia and New Zealand within two months of its emergence in the wild, an unusually short window.

“Black Basta has been observed targeting a range of industries including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, auto dealerships, underwear manufacturers and more,” Cybereason said in a report.

As with other ransomware operations, Black Basta is known to use the proven tactic of double extortion: exfiltrating sensitive information from its targets and threatening to publish the stolen data unless a ransom is paid.

A newcomer to the already crowded ransomware landscape, Black Basta has been observed in intrusions that leveraged QBot (aka Qakbot) to maintain persistence on compromised hosts and harvest credentials before moving laterally across the network and deploying the file-encrypting malware.

Furthermore, the actors behind Black Basta developed a Linux variant designed to attack VMware ESXi virtual machines (VMs) running on corporate servers, putting it on par with other groups such as LockBit, Hive, and Cheerscrypt.

The findings come as the cybercriminal syndicate added Elbit Systems of America, a manufacturer of defense, aerospace and security solutions, to its list of victims this weekend, according to security researcher Ido Cohen.

Black Basta is said to consist of members who belonged to the Conti group after the latter ceased operations in response to increased law enforcement scrutiny and a major leak that put its tools and tactics in the public domain after the group sided with Russia in that country’s war against Ukraine.

“I can’t shoot anything, but I can fight with a keyboard and mouse,” the Ukrainian computer specialist behind the leak, who goes by the pseudonym Danylo and released the trove of data as a form of digital retaliation, told CNN in March 2022.

The Conti team has since denied any association with Black Basta. Last week it dismantled the last of its remaining public infrastructure, including two Tor servers used to leak data and negotiate with victims, officially putting an end to the criminal enterprise.

In the meantime, the group kept up the facade of an active operation targeting the Costa Rican government, while some members moved to other ransomware outfits and the brand underwent an organizational overhaul that split it into smaller subgroups with different motivations and business models, ranging from data theft to working as independent affiliates.

According to a detailed Group-IB report describing its activities, the Conti group is believed to have victimized more than 850 entities since it was first sighted in February 2020, with more than 40 organizations worldwide compromised as part of a “lightning-fast” hacking campaign that lasted from November 17 to December 20, 2021.

Dubbed “ARMattack” by the Singapore-based company, the break-ins mainly targeted American organizations (37%), followed by Germany (3%), Switzerland (2%), the UAE (2%), and the Netherlands, Spain, France, the Czech Republic, Sweden, Denmark and India (1% each).

The top five sectors Conti has historically focused on were manufacturing (14%), real estate (11.1%), logistics (8.2%), professional services (7.1%) and trade (5.5%), with the operators specifically choosing companies in the US (58.4%), Canada (7%), the UK (6.6%), Germany (5.8%), France (3.9%) and Italy (3.1%).

“Conti’s increased activity and the data breach suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that provides jobs to hundreds of cybercriminals worldwide with various specializations,” said Group-IB’s Ivan Pisarev.

“In this industry, Conti is a notorious player who has basically created an ‘IT company’ with the aim of extorting large sums of money. It is clear […] that the group will continue its activities, either under its own steam or through its ‘subsidiaries’.”