Earlier this month, a report surfaced that former ransomware group Conti had split up, with many members of the collective joining or creating new adversary factions and why that made these former members more dangerous than ever. As of today, this may have become a reality. A new ransomware group by the name of Black Basta has become notable in the ransomware game, having formed in April 2022 and believed to be made up of former Conti and REvil members.
The current members of Conti dispute sharing any involvement with the new group however, saying that the Black Basta group are simply “kids” according to Conti’s hacking forum.
Findings released today by XDR company Cybereason detail the activities of this new gang, along with ways that both companies and individuals can attempt to remain safe against the activities of this newly-formed group.
Black Basta emerging as a ransomware group
To start, the hacking collective has already victimized 50 organizations in the United States, United Kingdom, Australia, New Zealand and Canada in the short time it has been around. Cybereason says it believes that former members of some of the preeminent hacking groups make up the new gang due to the nature of their attacks and their chosen targets.
“Since Black Basta is relatively new, not a lot is known about the group,” said Lior Div, Cybereason CEO and co-founder. “Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”
The ransomware employed by Black Basta is a new one, according to Cybereason, which uses double extortion techniques. The gang steals the files of a victim organization, and then threatens to publish the stolen files if the ransom demands are not met. The group allegedly had been demanding up to millions of dollars from their victims to keep the stolen data private, according to Cybereason.
The attack itself is carried out through partnership with QBot malware, streamlining the ransomware process for groups such as Black Basta, allowing for easier reconnaissance while collecting data on the target. Once a proper amount of surveillance has been done by Black Basta, the gang targets the Domain Controller, and moves laterally using PsExec.
The adversary then disables Windows Defender and any other antivirus software through use of a compromised Group Policy Object. Once any defense software has been disabled, Black Basta deploys the ransomware using an encoded PowerShell command that leverages Windows Management Instrumentation to push out the ransomware to IP addresses specified by the group.
SEE: Mobile device security policy (TechRepublic Premium)
How can organizations protect themselves from this ransomware?
As always, employing a zero trust architecture can assist with preventing these types of attacks from affecting an organization. By not trusting any file or link until it has been adequately verified to be legitimate, businesses and their employees can save a great deal of time and headache by doing everything they can to avoid falling victim. Additionally, ensuring that all system patches are up to date can help with this process as well. Ransomware groups have been found to take advantage of vulnerabilities in a number of outdated software items such as the Windows Print Spooler exploit observed in May 2022. Lastly, always ensure that all antivirus software is up to date as well.