The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, UK, Australia, and New Zealand in the two months since it emerged in the wild, making it a prominent threat in a short window.
“Black Basta has been noted to target a variety of industries, including manufacturing, construction, transportation, telecommunications companies, pharmaceuticals, cosmetics, plumbing and heating, car dealerships, clothing manufacturers, interior and more,” Cybereason said in a report.
Like other ransomware operations, Black Basta is known to employ the proven double-extortion tactic to steal sensitive information from targets and threaten to publish the stolen data unless a digital payment is made.
A new entrant to the already crowded ransomware landscape, the threat has been observed in intrusions that leverage QBot (also known as Qakbot) as a conduit to maintain persistence on compromised hosts and harvest credentials, before moving laterally through the network and deploying the file-encrypting malware.
Furthermore, the actors behind Black Basta have developed a Linux variant designed to attack VMware ESXi virtual machines (VMs) running on enterprise servers, putting it on par with other groups such as LockBit, Hive, and Cheerscrypt.
The findings come as the cybercriminal syndicate added Elbit Systems of America, a maker of defense, aerospace and security solutions, to its list of victims over the weekend, according to security researcher Ido Cohen.
Black Basta is said to be made up of members belonging to the Conti group after the latter shut down its operations in response to increased police scrutiny and a major leak that saw its tools and tactics enter the public domain after it sided with Russia in the country’s war against Ukraine.
“I can’t shoot anything, but I can fight with a keyboard and mouse,” the Ukrainian IT specialist behind the leak, who goes by the name Danylo, told CNN in March 2022, pitching the data trove as a form of digital retribution.
Since then, Conti’s team has denied that it is associated with Black Basta. In the past week, it took down the last of its remaining public infrastructure, including two Tor servers used to exfiltrate data and negotiate with victims, marking the official end of the criminal enterprise.
Meanwhile, the group continued to maintain the facade of an active operation targeting the Costa Rican government, while some members transitioned to other ransomware teams and the brand underwent an organizational revamp that has seen it split into smaller subgroups with different motivations and business models, ranging from data theft to working as independent affiliates.
According to a comprehensive report from Group-IB detailing its activities, the Conti group is believed to have victimized more than 850 entities since it was first observed in February 2020, compromising more than 40 organizations worldwide as part of a wave of “lightning-fast” hacking that lasted from November 17 to December 20, 2021.
Dubbed “ARMattack” by the Singapore-based company, the intrusions were primarily directed against US organizations (37%), followed by Germany (3%), Switzerland (2%), the United Arab Emirates (2%), the Netherlands, Spain, France, the Czech Republic, Sweden, Denmark and India (1% each).
The top five sectors Conti has historically targeted have been manufacturing (14%), real estate (11.1%), logistics (8.2%), professional services (7.1%) and commerce (5.5%), with the operators specifically singling out companies in the US (58.4%), Canada (7%), UK (6.6%), Germany (5.8%), France (3.9%) and Italy (3.1%).
“The rise in Conti activity and the data leak suggests that ransomware is no longer a game between average malware developers, but rather an illicit RaaS industry that employs hundreds of cybercriminals around the world with various specializations,” said Ivan Pisarev of Group-IB.
“In this industry, Conti is a notorious player who has in fact created an ‘IT company’ whose aim is to extort large sums. It is clear […] that the group will continue its operations, either on its own or with the help of its ‘subsidiary’ projects.”