Black Basta Ransomware Targets Over 500 Entities Globally

Since its emergence in April 2022, the Black Basta ransomware-as-a-service (RaaS) operation has wreaked havoc across North America, Europe, and Australia, compromising over 500 private and critical infrastructure entities. This significant threat has rapidly gained notoriety, emphasizing the urgent need for robust cybersecurity measures.

A joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlighted the extensive reach of Black Basta. The advisory noted that the ransomware affected at least 12 of the 16 critical infrastructure sectors, encrypting and stealing sensitive data.

Black Basta affiliates commonly gain initial access through phishing and exploiting known vulnerabilities. They utilize a double-extortion model, encrypting systems and exfiltrating data. Within two months of its appearance, Black Basta had already victimized nearly 50 organizations in the U.S., Canada, the U.K., Australia, and New Zealand, underscoring its rapid escalation.

Targeted Industries and Unique Tactics

Industries targeted by Black Basta range widely, encompassing manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automobile dealerships, and undergarment manufacturing. Unlike other ransomware groups, Black Basta does not include a ransom demand or payment instructions in its notes. Instead, victims are provided with a unique code and directed to contact the attackers via a .onion URL.

The advisory detailed the tools and tactics used by Black Basta, including the SoftPerfect network scanner for reconnaissance; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement; RClone for data exfiltration prior to encryption; and Mimikatz for privilege escalation. Affiliates also exploit vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527).

In some cases, Black Basta has deployed a tool called Backstab to disable endpoint detection and response (EDR) software. Notably, this tool has also been used by LockBit affiliates. It is believed that Black Basta includes former members of the Conti group, which disbanded due to increased law enforcement pressure and a major leak of its tools and tactics.

The encryption process employed by Black Basta involves the ChaCha20 algorithm with an RSA-4096 public key. Before encryption, volume shadow copies are deleted using the vssadmin.exe program to prevent system recovery.
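The shadow-copy deletion described above happens before encryption, which makes it a useful early detection point. The following Python is an added example, not code from the advisory or the article: it scans constructed Sysmon-style process-creation events for vssadmin.exe commands that destroy shadow copies, and also flags the "resize shadowstorage" variant, which is not mentioned on this page but evicts existing copies in the same way.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Explicit deletion of all shadow copies (the behaviour named in the advisory).
DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Shrinking shadow storage forces Windows to discard existing copies; a quieter variant.
RESIZE_RE = re.compile(r"\bresize\s+shadowstorage\b", re.IGNORECASE)


def classify(event):
    """Return 'high' for shadow deletion, 'medium' for storage resizing, None otherwise."""
    if not event["Image"].lower().endswith("\\vssadmin.exe"):
        return None
    cmd = event["CommandLine"]
    if DELETE_RE.search(cmd):
        return "high"
    if RESIZE_RE.search(cmd):
        return "medium"
    return None  # e.g. 'vssadmin list shadows' is routine administration


def find_shadow_tampering(events):
    """Return one alert per suspicious vssadmin invocation, keeping the parent for triage."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append({"severity": severity,
                           "parent": ev["ParentImage"],
                           "cmd": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_tampering(SAMPLE_EVENTS):
        print(alert)
```

The parent image is kept in each alert because a vssadmin launch from a user-writable temp directory, as in the first sample event, is far more suspicious than one from an administrator's shell.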

Healthcare organizations are particularly vulnerable due to their size, technological reliance, access to personal health information, and the critical impact of patient care disruptions. This vulnerability is reflected in the ransomware’s focus on these institutions.

Meanwhile, the CACTUS ransomware campaign continues to exploit flaws in the Qlik Sense cloud analytics and business intelligence platform, with 3,143 servers remaining vulnerable to CVE-2023-48365 as of April 2024. This vulnerability predominantly affects servers in the U.S., Italy, Brazil, the Netherlands, and Germany.

The Dynamic Ransomware Landscape

The ransomware landscape is constantly evolving. Despite an 18% decline in activity in Q1 2024, driven by law enforcement actions against ALPHV (BlackCat) and LockBit, the ecosystem remains dynamic. LockBit, facing significant reputational damage among affiliates, may rebrand, with the DarkVault ransomware group identified as a potential successor.

New ransomware groups, including APT73, DoNex, DragonForce, Hunt (a Dharma/Crysis variant), KageNoHitobito, Megazord, Qiulong, Rincrypt, and Shinra, have emerged recently. This diversification and adaptability highlight the resilience and fluid nature of ransomware actors.

Despite a 46% decrease in ransom payments in 2023, as reported by Chainalysis, and a record low ransom payment rate of 28% in Q1 2024, the average ransom payment has surged. According to a Sophos report, the average payment increased fivefold from $400,000 to $2 million. However, only 24% of payments matched the original demand, with many victims negotiating lower amounts.

Clear Infosec: Your Shield Against Cyber Threats

At Clear Infosec, we understand the critical importance of protecting your organization from sophisticated cyber threats like Black Basta. Our comprehensive cybersecurity services are designed to safeguard your data, ensure compliance, and provide peace of mind in an increasingly complex threat landscape. Let us help you stay secure and resilient against evolving cyber threats.

Reference:

Black Basta ransomware strikes 500+ entities across North America, Europe, and Australia. The Hacker News. (2024, May 13).