Hello everyone and welcome back to the Cognixia podcast. Every week, we dig up a new topic from emerging digital technologies and share insights, ideas, information, stories, and more. We strive to inspire our listeners to learn new things and update their repertoire of skills to stay relevant and continue growing in their careers.
Recently, the US Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Department of Health & Human Services, and the Multi-State Information Sharing & Analysis Center issued a joint cybersecurity advisory sharing what is known about the “Black Basta” ransomware. Black Basta affiliates have been attacking entities across the United States, Canada, Japan, the UK, Australia, and New Zealand. Over 500 organizations have been impacted globally to date, and at least 12 of the 16 critical infrastructure sectors have had data stolen from them so far.
According to Kaspersky’s latest State of Ransomware report, published in 2024, Black Basta was the 12th most active ransomware family in 2023, with a 71% rise in the number of victims compared to 2022.
But, what is Black Basta?
Black Basta is a Ransomware-as-a-Service (RaaS) operation whose first variants were discovered in April 2022. Researchers believe Black Basta may have links to FIN7, a financially motivated threat actor also known as “Carbanak” that has been active since 2012 and has been associated with multiple ransomware operations. Black Basta’s modus operandi closely resembles that of the older Conti ransomware group; however, no proven links have been established between the two.
What is Black Basta’s Modus Operandi?
Black Basta affiliates employ a multi-pronged approach to infiltrate target networks. Their tactics focus on gaining initial access through various methods.
One common technique involves phishing attacks. These deceptive emails aim to trick recipients into surrendering sensitive information or clicking malicious links. These links can download malware or redirect users to fake login pages designed to steal credentials.
Another tactic Black Basta utilizes is exploiting known vulnerabilities in software or systems. If these vulnerabilities haven’t been addressed through security patches, attackers can take advantage of them to gain unauthorized access.
In some cases, Black Basta affiliates may opt to acquire valid credentials from underground marketplaces. These credentials, often obtained through previous cyberattacks, are sold by illicit actors known as Initial Access Brokers. By purchasing login information for targeted systems, Black Basta can bypass the initial intrusion stage altogether.
Once they’ve established a foothold within the network, Black Basta affiliates deploy various tools to navigate laterally and escalate their privileges. This allows them to move freely across the network and access sensitive data.
Common tools used for this purpose include the Cobalt Strike post-exploitation framework and PsExec, a legitimate Sysinternals utility for running commands on remote machines. These give attackers remote control over compromised systems, enabling them to steal data or deploy additional malware.
Black Basta affiliates also use credential-dumping tools like Mimikatz. These utilities extract passwords, hashes, and other credentials held in memory on compromised machines, further expanding the attackers’ access within the network.
Even legitimate system administration software is misused. The SoftPerfect Network Scanner, a product designed for IT professionals, is used by Black Basta affiliates to scan the network and identify further systems to target.
By combining these intrusion tactics and lateral movement tools, Black Basta affiliates can establish a strong presence within a compromised network. They can then steal valuable information and ultimately deploy ransomware, often following a double-extortion model where they encrypt data and demand a ransom for its decryption while also threatening to leak the stolen information publicly.
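The tools described above leave telltale traces in Windows telemetry, and that is where a defender can catch the intrusion before ransomware is deployed. The following hunting script is an added example written for this episode, not code from the advisory or from any vendor. The event records are constructed to look like a SIEM export of Windows event logs, and the three rules are standard hunting heuristics that are assumptions rather than indicators published in the advisory: PsExec installs a service named PSEXESVC (System event 7045), Mimikatz-style credential theft opens lsass.exe with a memory-read access mask (Sysmon event 10), and lateral movement shows up as one source address producing network logons (Security event 4624, logon type 3) on many hosts in a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hunting heuristics (assumptions based on common practice, not indicators from the advisory)
PSEXEC_SERVICE = "PSEXESVC"                                   # default service name PsExec installs
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1038", "0x1fffff"}    # access masks typical of LSASS memory dumps
FANOUT_THRESHOLD = 3                                          # distinct hosts reached by one source address...
FANOUT_WINDOW = timedelta(minutes=5)                          # ...within this window

# Constructed sample telemetry (JSON lines); not real data from any incident.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T02:14:03Z", "host": "WS-017", "channel": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-05-10T02:14:05Z", "host": "WS-017", "channel": "System", "event_id": 7045,
     "ServiceName": "SupportAssistAgent", "ImagePath": r"C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe"},
    {"ts": "2024-05-10T02:15:41Z", "host": "WS-017", "channel": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Users\Public\mk.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"ts": "2024-05-10T02:15:42Z", "host": "WS-017", "channel": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"ts": "2024-05-10T02:20:00Z", "host": "FS-01", "channel": "Security", "event_id": 4624,
     "LogonType": 3, "IpAddress": "10.20.0.17", "TargetUserName": "svc_backup"},
    {"ts": "2024-05-10T02:20:30Z", "host": "DC-01", "channel": "Security", "event_id": 4624,
     "LogonType": 3, "IpAddress": "10.20.0.17", "TargetUserName": "svc_backup"},
    {"ts": "2024-05-10T02:21:05Z", "host": "SQL-02", "channel": "Security", "event_id": 4624,
     "LogonType": 3, "IpAddress": "10.20.0.17", "TargetUserName": "svc_backup"},
    {"ts": "2024-05-10T02:22:10Z", "host": "FS-01", "channel": "Security", "event_id": 4624,
     "LogonType": 3, "IpAddress": "10.20.0.5", "TargetUserName": "j.doe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_psexec_install(ev: dict) -> bool:
    """System 7045 (service installed) naming the PsExec service."""
    return ev.get("event_id") == 7045 and ev.get("ServiceName", "").upper() == PSEXEC_SERVICE


def is_lsass_dump(ev: dict) -> bool:
    """Sysmon 10 (process access) on lsass.exe with a memory-read access mask."""
    return (ev.get("event_id") == 10
            and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and ev.get("GrantedAccess", "").lower() in LSASS_SUSPICIOUS_ACCESS)


def network_logon_fanout(events: list) -> list:
    """Security 4624 / logon type 3: one source address logging on to many hosts quickly."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 4624 and ev.get("LogonType") == 3:
            by_source[ev["IpAddress"]].append((parse_ts(ev["ts"]), ev["host"], ev["TargetUserName"]))
    alerts = []
    for src, logons in by_source.items():
        logons.sort()
        for i, (t0, _, _) in enumerate(logons):
            window = [l for l in logons[i:] if l[0] - t0 <= FANOUT_WINDOW]
            hosts = {h for _, h, _ in window}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append({"rule": "network_logon_fanout", "source": src,
                               "hosts": sorted(hosts), "users": sorted({u for _, _, u in window})})
                break  # one alert per source address is enough
    return alerts


def hunt(log_text: str) -> list:
    """Run all three rules over JSON-lines telemetry and return the alerts raised."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    for ev in events:
        if is_psexec_install(ev):
            alerts.append({"rule": "psexec_service_install", "host": ev["host"], "image": ev.get("ImagePath")})
        if is_lsass_dump(ev):
            alerts.append({"rule": "lsass_memory_access", "host": ev["host"], "source_image": ev.get("SourceImage")})
    alerts.extend(network_logon_fanout(events))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Against the constructed sample the script raises three alerts: the PSEXESVC service install on WS-017, the unknown binary reading lsass.exe memory on the same host, and the svc_backup account fanning out from 10.20.0.17 to FS-01, DC-01, and SQL-02 within two minutes. The Defender engine touching lsass.exe with a query-only mask and the single logon from 10.20.0.5 are left alone. In production, tune the LSASS rule with an allow-list of known security products and adjust the fan-out threshold to the environment’s normal administrative activity.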
Black Basta also has a Linux variant built specifically to attack VMware ESXi hypervisors (ESXi itself is not a Linux distribution, but its shell and binary format are close enough for a Linux-targeted build). This variant encrypts the contents of the /vmfs/volumes directory, where ESXi mounts its datastores. A datastore acts as the virtual filing cabinet for every virtual machine on the host: it holds the disk images, configuration files, and snapshots. By encrypting those files, Black Basta renders all virtual machines on the server inoperable at once, causing major disruption to the organization’s operations.
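When an ESXi host is suspected of having been hit, the first triage question is which datastores and VM files have been touched. The following scanner is an added example written for this episode, not code from the advisory or from VMware. It walks a datastore tree and flags three indicators: files carrying the .basta extension and ransom notes named readme.txt, both of which come from public reporting on Black Basta, and VM files whose leading bytes have near-random entropy, a generic sign of in-place encryption (the extension list, entropy threshold, and the sample directory it builds under a temporary folder are assumptions made for the example).

```python
import math
import os
import tempfile
from collections import Counter

# Indicators checked by the scanner. The .basta extension and readme.txt note come from
# public reporting on Black Basta; the VM file list and entropy threshold are assumptions.
RANSOM_EXTENSIONS = {".basta"}
RANSOM_NOTE_NAMES = {"readme.txt"}
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsn", ".vmem", ".nvram"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data sits near 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read, which is cheap on large disks


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_datastore(root: str) -> list:
    """Walk a datastore tree (e.g. /vmfs/volumes) and return a list of findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                findings.append({"kind": "ransom_extension", "path": path})
            elif name.lower() in RANSOM_NOTE_NAMES:
                findings.append({"kind": "ransom_note", "path": path})
            elif ext in VM_EXTENSIONS:
                # A VMDK descriptor is plain text and a flat disk is mostly structured data,
                # so a near-random head suggests the file was encrypted in place.
                with open(path, "rb") as f:
                    head = f.read(SAMPLE_BYTES)
                h = shannon_entropy(head)
                if h > ENTROPY_THRESHOLD:
                    findings.append({"kind": "high_entropy_vm_file", "path": path, "entropy": round(h, 2)})
    return findings


def build_sample_datastore() -> str:
    """Constructed stand-in for /vmfs/volumes/<datastore>/, created under a temp directory."""
    root = tempfile.mkdtemp(prefix="vmfs_volumes_")
    healthy = os.path.join(root, "datastore1", "web-01")
    hit = os.path.join(root, "datastore1", "db-01")
    os.makedirs(healthy)
    os.makedirs(hit)
    # Untouched VM: a normal text descriptor file.
    with open(os.path.join(healthy, "web-01.vmdk"), "w") as f:
        f.write('# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\ncreateType="vmfs"\n')
    # Encrypted VM: one file renamed with the ransom extension, one overwritten in place,
    # plus the ransom note dropped alongside them (random bytes stand in for ciphertext).
    with open(os.path.join(hit, "db-01.vmdk.basta"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(hit, "db-01-flat.vmdk"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(hit, "readme.txt"), "w") as f:
        f.write("Your data are stolen and encrypted. Contact us over Tor using your company ID.\n")
    return root


if __name__ == "__main__":
    for finding in scan_datastore(build_sample_datastore()):
        print(finding)
```

Point `scan_datastore` at `/vmfs/volumes` on the hypervisor, or at a datastore copy mounted on an analysis machine, to get a per-file list of what was renamed, what was overwritten, and where notes were dropped. Treat the entropy check as a triage signal rather than proof: disks that are legitimately encrypted or compressed will also score high, so confirm against backups or snapshots before declaring a file lost.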
Following the encryption process, Black Basta leaves a ransom note on the affected systems. This note serves as a communication channel between the attackers and the victim. It typically includes a unique identifier that the organization must use to contact Black Basta on a hidden Tor website.
Black Basta employs a pressure tactic known as a “leak site” to heighten the urgency of paying the ransom. This website, accessible only through the Tor network, displays a countdown timer alongside the names of compromised companies and details about the stolen data. As the timer ticks down, the threat of publicly releasing sensitive information hangs heavy over the victim organization. This tactic aims to compel them to meet the ransom demands before the deadline expires.
Security researchers observed a significant shift in cybercriminal tactics throughout 2023. For the first time, attacks that gained entry through contractors and service providers, particularly providers of IT services, emerged as one of the top three initial access vectors.
This trend highlights a growing risk for organizations. By targeting third-party vendors, attackers can gain access to a victim’s network with less effort compared to traditional methods that involve directly compromising the organization’s defenses. These initial breaches can remain undetected for extended periods, allowing attackers to move laterally within the network and establish a foothold.
The delayed detection associated with third-party attacks gives cybercriminals a critical advantage. They can meticulously plan and execute their ransomware deployment without raising immediate red flags, maximizing the impact of the attack. This tactic makes it even more crucial for organizations to prioritize robust security measures not just within their own infrastructure but also to extend those measures to their network of vendors and service providers.
To prevent ransomware attacks like Black Basta, organizations should prioritize several key measures: enforcing strong authentication (phishing-resistant multi-factor authentication where possible), keeping software and firmware patched, training users to recognize phishing, securing and monitoring remote access such as RDP and VPN, adopting zero-trust principles, maintaining offline and tested data backups, running up-to-date anti-malware software, and regularly testing their security posture against real-world threats. Investing in security infrastructure and establishing clear security and incident management procedures is crucial, as is encouraging teams to share observations and report incidents openly.
Black Basta does sound really scary, doesn’t it? Operating under that countdown, knowing you have only so much time to rescue things, must be an insane amount of pressure. Attacks like Black Basta are not slowing down, so it is our responsibility to be as prepared as we possibly can to combat them.
With that, we come to the end of this week’s episode of the Cognixia podcast. We will be back again next week with another interesting new episode.
Until then, happy learning!