The Persistent Threat of Black Basta Ransomware: What You Need to Know

Since its emergence in April 2022, the Black Basta ransomware-as-a-service (RaaS) operation has targeted over 500 private industry and critical infrastructure entities across North America, Europe, and Australia. This threat is as real as it gets, hitting 12 out of 16 critical infrastructure sectors with alarming precision.

A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights the severity of these attacks. Black Basta affiliates use common initial access techniques such as phishing and exploiting known vulnerabilities, then employ a double-extortion model, encrypting systems and exfiltrating data. Rather than stating a ransom demand up front, as most other ransomware groups do, the ransom note gives victims a unique code and directs them to contact the gang via a .onion URL.

First spotted in the wild in April 2022, Black Basta has been relentlessly active, using QakBot as an initial vector. Statistics from Malwarebytes indicate that the group was responsible for 28 of the 373 confirmed ransomware attacks in April 2024 alone. Kaspersky ranked it as the 12th most active ransomware family in 2023, with activity spiking 41% quarter-over-quarter in Q1 2024. It’s believed that Black Basta operators have ties to another cybercrime group, FIN7, which shifted to ransomware attacks in 2020.

Black Basta’s attack chains are sophisticated and lean heavily on legitimate or dual-use tools: the SoftPerfect network scanner for network scanning; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement; Mimikatz for privilege escalation; and RClone to exfiltrate data before encryption begins. They also exploit known security flaws such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) to gain elevated privileges. In some instances, they’ve deployed a tool called Backstab to disable endpoint detection and response (EDR) software.

The final stage of the attack encrypts files with the ChaCha20 algorithm and an RSA-4096 public key, and deletes volume shadow copies with the vssadmin.exe program to inhibit system recovery. Healthcare organizations are prime targets in particular because of their size, their dependence on technology, their access to personal health information, and the unique impact that disruptions to patient care have.
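The shadow-copy deletion described above is one of the few steps in the chain that leaves a very recognizable trace in process-creation telemetry (it maps to MITRE ATT&CK T1490, Inhibit System Recovery). The Python below is an added example written for this page, not code from the CISA advisory or from CybrogenIT; it shows how a defender would turn that observation into a detection rule run over Sysmon-style events. The sample events, host names and the ExampleBackup agent path are constructed for the example, and the rule goes slightly beyond the article by also matching the equivalent WMI spelling of the same operation, so that it is not tied to one command line.

```python
import re

# Detection of shadow-copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery)
# over process-creation telemetry. Every event below is constructed for this
# example and only mimics the field names of a Sysmon Event ID 1 record.

# Command-line patterns that delete Volume Shadow Copies. The first is the
# vssadmin.exe usage named in the advisory; the second is the same operation
# issued through WMI, included so the rule does not depend on one spelling.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)),
]

# Parent processes from which shadow-copy deletion is expected, e.g. a backup
# agent that rotates its own snapshots. Hypothetical path; tune per estate.
EXPECTED_PARENTS = {
    r"c:\program files\examplebackup\backupagent.exe",
}


def classify_event(event):
    """Return (rule_name, severity) if the event deletes shadow copies, else None.

    Deletion from an allow-listed parent is still reported, but at lower
    severity, so that a compromised or spoofed backup agent is not silently
    ignored.
    """
    command_line = event.get("CommandLine", "")
    for rule_name, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(command_line):
            parent = event.get("ParentImage", "").lower()
            severity = "medium" if parent in EXPECTED_PARENTS else "high"
            return rule_name, severity
    return None


def detect_shadow_copy_deletion(events):
    """Run the rule over an iterable of process-creation events and return alerts."""
    alerts = []
    for event in events:
        result = classify_event(event)
        if result is None:
            continue
        rule_name, severity = result
        alerts.append({
            "host": event.get("Computer"),
            "parent": event.get("ParentImage"),
            "command": event.get("CommandLine"),
            "rule": rule_name,
            "severity": severity,
        })
    return alerts


# Constructed sample telemetry: two benign shadow-copy operations, one expected
# deletion by the backup agent, and two deletions from unexpected parents.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Computer": "WS01", "ParentImage": r"C:\Users\Public\update.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "FS02", "ParentImage": r"C:\Program Files\ExampleBackup\BackupAgent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "VSSADMIN Delete Shadows /For=D: /Oldest"},
    {"Computer": "FS02", "ParentImage": r"C:\Program Files\ExampleBackup\BackupAgent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=D:"},
]


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']}: {alert['rule']} "
              f"(parent={alert['parent']}) {alert['command']}")
```

Run against the constructed sample it raises three alerts: two at high severity (a deletion launched from an executable in a public folder, and a WMI deletion from an interactive cmd.exe) and one at medium severity from the allow-listed backup agent. The design choice worth copying is that the allow-list lowers severity rather than suppressing the event: the list-and-create operations generate no alert, but every deletion is recorded, because an attacker who gains control of the backup host would otherwise inherit its silence.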

Meanwhile, the ransomware landscape continues to evolve. A CACTUS ransomware campaign has exploited security flaws in the Qlik Sense cloud analytics and business intelligence platform, leaving 3,143 servers at risk as of April 17, 2024. Despite a recent 18% decline in ransomware activity, led by law enforcement operations against ALPHV (BlackCat) and LockBit, the threat remains significant. Some ransomware groups, like LockBit, are suspected of rebranding to escape reputational damage.

The “diversification” of ransomware strains and the ability of threat actors to quickly adapt and rebrand highlight the resilient and dynamic nature of the ransomware ecosystem. Ransom payments fell 46% in 2023, and the average ransom payment in Q1 2024 stood at $381,980, a 32% drop from the previous quarter. The declining willingness to pay is further supported by findings from the Sophos State of Ransomware 2024 report, which noted that while the average ransom payment has increased five-fold over the last year, the proportion of victims choosing to pay has hit a record low of 28%.

It’s clear that ransomware is not going away anytime soon. Staying informed and prepared is essential to protect your business from these evolving threats.

Found this article insightful? Follow CybrogenIT on Facebook and LinkedIn for more exclusive content and updates on how to keep your business secure.
