Since April 2022, the group has focused on 50 companies from Anglophone countries.
Earlier this month, a report surfaced that the former ransomware group Conti had broken up, with many members of the collective joining or creating new adversaries, and it explained why that made these former members more dangerous than ever. As of today, this may have become a reality. A new ransomware group called Black Basta has become notable in the ransomware game; founded in April 2022, it is believed to consist of former Conti and REvil members.
Current members of Conti deny any involvement with the new group and, on Conti's hacking forum, dismiss Black Basta as mere “children.”
Findings released today by XDR company Cybereason detail the activities of this new gang, along with ways in which both companies and individuals can try to protect themselves from this newly formed group.
Black Basta emerging as a ransomware group
For starters, in the short time it has been in existence, the hacking collective has already victimized 50 organizations in the United States, United Kingdom, Australia, New Zealand and Canada. Cybereason says it believes former members of some of the leading hacking groups make up the new gang due to the nature of their attacks and their chosen targets.
“Because Black Basta is relatively new, not much is known about the group,” said Lior Div, CEO and co-founder of Cybereason. “Due to their meteoric rise and the precision of their attacks, Black Basta is likely to be run by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”
The ransomware Black Basta employs is a new strain, according to Cybereason, and the group uses double extortion techniques: it steals the files of a victim organization and then threatens to publish the stolen files if ransom demands are not met. According to Cybereason, the group has demanded up to millions of dollars from its victims to keep the stolen data private.
The attack itself is carried out with the help of QBot malware, which streamlines the ransomware process for groups like Black Basta by making reconnaissance easier while it collects data about the target. Once Black Basta has done enough reconnaissance, the gang targets the domain controller and moves laterally using PsExec.
The adversary then disables Windows Defender and all other antivirus software using a compromised GPO. Once defense software is disabled, Black Basta deploys the ransomware using an encrypted PowerShell command that uses Windows Management Instrumentation to route the ransomware to IP addresses specified by the group.
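The attack chain just described leaves a recognizable trail in process-creation telemetry. As an added example (not part of the original article or of Cybereason's report), the following Python script shows how a defender might flag three of those steps in Windows Security event 4688 / Sysmon event 1 style records: the PsExec service binary starting on a host, Windows Defender being switched off from the command line or through the policy registry value a GPO would push, and encoded PowerShell spawned by the WMI provider host. The field names, hostnames and every event record are constructed for this example, and the rules are illustrative rather than any vendor's detection content.

```python
"""Toy detector for the Black Basta tradecraft described in the article.

Records are modelled on Windows Security event 4688 / Sysmon event 1.
Every record and hostname below is constructed for this example.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


# PowerShell's -EncodedCommand (aliases -e, -ec, -enc) takes a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"
)
# Real-time protection switched off via cmdlet, or the DisableAntiSpyware
# policy value that a GPO pushes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
DEFENDER_OFF = re.compile(r"(?i)-disablerealtimemonitoring\s+\$?true|disableantispyware")


def decode_powershell(blob: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text; return '' if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def inspect(ev: ProcessEvent) -> list[Alert]:
    """Apply the three rules to one event and return any alerts raised."""
    alerts: list[Alert] = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]

    # Rule 1: PsExec drops and starts its service binary on the remote host.
    if image == "psexesvc.exe":
        alerts.append(Alert("psexec_service", ev.host, ev.image))

    # Rule 2: Defender disabled in plain sight on the command line.
    if DEFENDER_OFF.search(ev.command_line):
        alerts.append(Alert("defender_disabled", ev.host, ev.command_line))

    # Rule 3: encoded PowerShell; decode it, and treat WMI as the parent as
    # remote execution. Encoded PowerShell under an interactive parent is
    # common legitimate admin use, so it only alerts if the decoded text
    # itself trips the Defender rule.
    if image in ("powershell.exe", "pwsh.exe"):
        match = ENCODED_FLAG.search(ev.command_line)
        if match:
            decoded = decode_powershell(match.group(1))
            if parent == "wmiprvse.exe":
                alerts.append(Alert("wmi_encoded_powershell", ev.host, decoded or "<undecodable>"))
            elif decoded and DEFENDER_OFF.search(decoded):
                alerts.append(Alert("defender_disabled", ev.host, decoded))
    return alerts


def scan(events: list[ProcessEvent]) -> list[Alert]:
    """Run inspect() over a batch of events, preserving event order."""
    return [alert for ev in events for alert in inspect(ev)]


# Constructed sample telemetry. The encoded command is harmless text,
# built here so the decoder has something realistic to unwrap.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent("dc01", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\svchost.exe", PS,
                 "powershell.exe -NoProfile Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("ws03", r"C:\Windows\System32\wbem\WmiPrvSE.exe", PS, f"powershell.exe -NoP -enc {SAMPLE_ENCODED}"),
    # Same encoded blob launched interactively: benign, should not alert.
    ProcessEvent("ws04", r"C:\Windows\explorer.exe", PS, f"powershell.exe -enc {SAMPLE_ENCODED}"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule:24} {alert.host:6} {alert.detail}")
```

Run as written, the script raises one alert each for the PsExec service on dc01, the Defender change on ws02 and the WMI-spawned encoded PowerShell on ws03, and nothing for the interactive encoded command on ws04. In a real pipeline the parent-process check is what keeps the encoded-PowerShell rule usable, since many management tools legitimately use `-EncodedCommand`.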
How can organizations protect themselves against this ransomware?
As always, adopting a zero-trust architecture can help prevent these types of attacks from hitting an organization. By not trusting any file or link until it has been sufficiently verified as legitimate, companies and their employees can save a lot of time and headache and avoid being victimized. In addition, ensuring that all system patches are up to date also helps: ransomware groups have been observed exploiting vulnerabilities in outdated software, such as the Windows Print Spooler exploit observed in May 2022. Finally, always make sure that all antivirus software is up to date as well.