Cybersecurity Professionals Warn Against ‘Black Basta’ Ransomware

Cybersecurity Professionals Warn Against ‘Black Basta’ Ransomware

Cybersecurity experts are very concerned about the extremely hazardous malware known as Black Basta.

Cybercriminals operate under the assumption that upsetting established companies is the key to surviving in the ever-changing digital environment. This way of thinking inspires them to innovate and create powerful offensive strategies. Due to organizations improving their cybersecurity perimeter, lone criminals have turned to form ransomware gangs by teaming up with other like-minded players. They can target more companies at once and receive greater rewards by banding together. BlackFog's data reports from 2022 show that hostile hackers and ransomware gangs are focusing on sectors like technology, manufacturing, healthcare, and government. An abrupt increase in average ransomware demands, which increased by 518 percent in 2021 compared to 2020, can be used to measure the impact of such gangs. Black Basta is one of the most recent ransomware groups to appear.

The ransomware strain, according to evidence, was still under development as recently as February 2022, and it wasn't until it was advertised on dark web forums to purchase and monetize corporate network access in exchange for a cut of the profits that it began to be used in attacks starting in April. This gang has targeted businesses that span industries and locations. This cybercriminal gang has compromised 12 different businesses in less than a month, including the American Dental Association and Deutsche Windtechnik.

The Black Basta ransomware used by this ransomware ring employs a variety of extortion methods. For the encryption procedure to be carried out, its encryption algorithm needs administrative access. This gang uses malware that is very difficult to identify because it operates covertly and rarely exhibits any signs. Any currently running Windows services are taken over and used to start the algorithm process, such as Windows' Fax service. Additionally, it steals confidential and private corporate data before encrypting it. By doing this, the ransomware gang threatens to release the victim if they are not paid. To put pressure on the business, the gang has been known to utilize the double extortion approach and leak a few files at a time online.

Each file on the victim's PC is encrypted and given the ".basta" file extension after being exfiltrated. The ransomware will alter the victim's desktop background to display the following message as a warning: "Your network got encrypted by the Black Basta group. Instructions in the file readme.txt." The link and individual ID needed to negotiate the ransom will be in this text file. The ransomware also directs the victims to the "Black Basta Blog" or "Basta News" sites that are hosted by the gang on the Tor network. These websites display a list of every Black Basta victim who declined to make restitution. Michael Gillespie, a cybersecurity specialist, examined this ransomware's encryption procedure and concluded that the ChaCha20 algorithm is used to encrypt the data. A strong public RSA-4096 key is used in this ChaCha20 encryption method.

Black Basta is known to use the tried-and-true strategy of double extortion, similar to previous ransomware operations, to steal important information from the targets and threaten to disseminate the stolen data unless a digital payment is made.

The breaches involving the threat, a newcomer in the already crowded ransomware arena, have used QBot (also known as Qakbot) as a conduit to retain persistence on the compromised systems and gather credentials before going lateral across the network and spreading the file-encrypting malware.

According to reports, the Conti organization, which shut down its operations in response to heightened law enforcement scrutiny and a significant leak that revealed its tools and techniques after siding with Russia in the country's conflict with Ukraine, is made up of members of Black Basta.

"Conti's increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations," Group-IB's Ivan Pisarev said. Only a few months have passed since the Black Basta ransomware wreaked havoc on the market and forced companies to fool-proof their systems, but based on their victim list, it is clear that their intended victims have not yet prioritized the cybersecurity of the entity, which is now proving to be expensive.

Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.

Related Stories

No stories found.
Analytics Insight