Black Basta may be an all-star ransomware gang made up of former Conti and REvil members

The group has targeted 50 businesses from English speaking countries since April 2022.

Image: normalfx / Adobe Stock

Earlier this month, a report surfaced that the Conti ransomware group had split up, with many members joining or creating new factions, and argued that this dispersal made those former members more dangerous than ever. That prediction may now be playing out. A new ransomware group calling itself Black Basta has become notable in the ransomware scene, having formed in April 2022 and believed to be made up of former Conti and REvil members.

The current members of Conti dispute any involvement with the new group, however, dismissing Black Basta as "kids" on Conti's hacking forum.

Findings released today by XDR company Cybereason detail the activities of this new gang, along with ways that both companies and individuals can attempt to remain safe against the activities of this newly-formed group.

Black Basta emerging as a ransomware group

To start, the hacking collective has already victimized 50 organizations in the United States, United Kingdom, Australia, New Zealand and Canada in the short time it has been around. Cybereason says it believes that former members of some of the preeminent hacking groups make up the new gang due to the nature of their attacks and their chosen targets.

“Since Black Basta is relatively new, not a lot is known about the group,” said Lior Div, Cybereason CEO and co-founder. “Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”

According to Cybereason, the ransomware Black Basta employs is a new strain, and the gang uses it in a double extortion scheme: it steals a victim organization's files before encrypting them, then threatens to publish the stolen data if the ransom is not paid. Cybereason says the group has allegedly demanded up to millions of dollars from victims to keep the stolen data private.

The attack itself is carried out in partnership with the QBot (Qakbot) malware, which handles initial access and reconnaissance for groups such as Black Basta, streamlining the path to ransomware deployment by collecting data on the target environment. Once enough reconnaissance has been done, the gang targets the domain controller and moves laterally using PsExec.

The adversary then disables Windows Defender and any other antivirus software through a Group Policy Object it controls once the domain controller has been taken over. With defenses switched off, Black Basta deploys the ransomware using an encoded PowerShell command that leverages Windows Management Instrumentation (WMI) to push the ransomware to a list of IP addresses specified by the group.
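The three hands-on-keyboard steps described above (a PsExec service install, a Group Policy change from the domain controller, and an encoded PowerShell command fanning out over WMI) each leave a distinct trace in Windows event data. The detector below is an added example written for this page, not code from Cybereason or from any Black Basta sample. The event records, host names, IP addresses and the base64 payload are all constructed here for illustration; the payload is generated inline from a hypothetical command rather than copied from any real intrusion.

```python
"""Flag PsExec, GPO tampering and encoded-PowerShell/WMI fan-out in Windows event data."""
import base64
import binascii
import re

# Hypothetical attacker command, constructed for this example. The base64 form below is
# what would appear on the powershell.exe command line after -EncodedCommand.
HYPOTHETICAL_PAYLOAD = (
    "Set-MpPreference -DisableRealtimeMonitoring $true; "
    "foreach ($ip in '10.0.0.5','10.0.0.6') { Invoke-WmiMethod -ComputerName $ip "
    "-Class Win32_Process -Name Create -ArgumentList 'C:\\Windows\\Temp\\locker.exe' }"
)
# PowerShell expects the encoded command as base64 over UTF-16LE, not UTF-8.
ENCODED_PAYLOAD = base64.b64encode(HYPOTHETICAL_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sample events; field names mirror Security/System log fields but the
# records are hand-written, not captured from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "DC01",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"EventID": 5136, "Computer": "DC01",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 4688, "Computer": "WS17",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"EventID": 7045, "Computer": "WS17", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WMI_REMOTE = re.compile(
    r"(Invoke-WmiMethod|Invoke-CimMethod|wmic(\.exe)?)\b.*?(-ComputerName|/node:)",
    re.IGNORECASE | re.DOTALL)
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\s+-Disable|DisableAntiSpyware|DisableRealtimeMonitoring",
    re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None.

    The flag is accepted only if it is a prefix of 'encodedcommand', so switches such
    as -ExecutionPolicy are not mistaken for it. Undecodable blobs return None.
    """
    for flag, blob in ENC_FLAG.findall(command_line):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def analyze(events):
    """Run the three detections over event dicts and return a list of findings."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 7045 and "psexesvc" in ev.get("ServiceName", "").lower():
            # PsExec installs its PSEXESVC service on the remote host before running.
            findings.append({"rule": "psexec_service_install", "computer": host,
                             "detail": ev.get("ImagePath", "")})
        elif eid == 4688 and "CommandLine" in ev:
            plaintext = decode_encoded_command(ev["CommandLine"])
            if plaintext is None:
                continue
            # Encoded PowerShell alone is a weak signal; escalate when the decoded
            # script reaches other hosts over WMI or switches Defender off.
            if WMI_REMOTE.search(plaintext):
                findings.append({"rule": "encoded_powershell_wmi_remote_exec",
                                 "computer": host, "detail": plaintext,
                                 "targets": sorted(set(IPV4.findall(plaintext)))})
            if DEFENDER_OFF.search(plaintext):
                findings.append({"rule": "encoded_powershell_defender_disable",
                                 "computer": host, "detail": plaintext})
        elif eid == 5136 and "cn=policies" in ev.get("ObjectDN", "").lower():
            # Directory Service object modified under CN=Policies: a GPO was edited.
            findings.append({"rule": "gpo_modified", "computer": host,
                             "detail": "%s attribute %s" % (
                                 ev.get("ObjectDN"), ev.get("AttributeLDAPDisplayName"))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["computer"], f.get("targets", ""), f["detail"][:70])
```

Run on the constructed events, the script reports the PsExec service install on FS01, the GPO edit on DC01, and two findings for the encoded command on DC01 (WMI fan-out to 10.0.0.5 and 10.0.0.6, plus the Defender switch-off), while the legitimate backup script and the Spooler service produce nothing. Event 5136 requires directory service object auditing to be enabled on the domain controllers, and 4688 command-line logging must be turned on for the PowerShell arguments to be present at all; without those two audit settings the detections above have nothing to read.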


How can organizations protect themselves from this ransomware?

As always, a zero trust architecture can help keep attacks like this from spreading through an organization: if no user, device or network segment is trusted by default and every access is verified, a foothold on one workstation does not automatically become domain-wide access. The same scepticism applies to files and links, which is how QBot typically arrives; not trusting them until they have been verified as legitimate spares businesses and their employees a great deal of time and headache. Keeping all system patches up to date helps as well, since ransomware groups have been found to exploit vulnerabilities in outdated software such as the Windows Print Spooler exploit observed in May 2022. Lastly, keep antivirus software up to date, but bear in mind that this attack chain explicitly disables Windows Defender through Group Policy once the domain controller is compromised, so antivirus alone is not enough: protect domain controllers and privileged accounts, and alert on Group Policy changes, PsExec service installs and encoded PowerShell commands before the ransomware is pushed out.

