Black Basta may be a ransomware gang made up of former members of Conti and REvil



The group has targeted 50 companies from English-speaking countries since April 2022.



Earlier this month, a report surfaced that the former Conti ransomware group had split, with many members of the collective joining or creating new rival factions, and that this made those former members more dangerous than ever. Today, that may have become a reality: a new ransomware group by the name of Black Basta has risen to prominence, having formed in April 2022, and is believed to be made up of former members of Conti and REvil.

However, current members of Conti dispute any involvement with the new group, dismissing Black Basta as merely “kids,” according to Conti’s hacking forum.

Findings released today by XDR vendor Cybereason detail the activities of this new gang, as well as ways businesses and individuals can attempt to stay safe from it.

Black Basta becomes a ransomware group


For starters, the hacking collective has already victimized 50 organizations in the US, UK, Australia, New Zealand and Canada in a short time. Cybereason says it believes former members of some of the preeminent hacking groups make up the new gang, based on the nature of their attacks and their chosen targets.

“Since Black Basta is relatively new, not much is known about the group,” said Lior Div, CEO and co-founder of Cybereason. “Due to their rapid rise and the precision of their attacks, Black Basta is likely operated by former members of the former Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”

The ransomware used by Black Basta is new, according to Cybereason, and relies on double extortion. The gang steals files from a victim organization, then threatens to release the stolen files if ransom demands are not met. The group allegedly demanded up to millions of dollars from its victims to keep the stolen data private, according to Cybereason.

The attack itself is carried out through a partnership with the QBot malware, which streamlines the ransomware process for groups such as Black Basta by easing reconnaissance when collecting data on the target. Once a fair amount of surveillance has been done, the gang targets the domain controller and moves laterally using PsExec.

The adversary then disables Windows Defender and other antivirus software using a compromised GPO. Once defensive software has been disabled, Black Basta deploys the ransomware using an encoded PowerShell command that leverages Windows Management Instrumentation (WMI) to push the ransomware to a group-specified list of IP addresses.
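As an added example (not from the article or from Cybereason's report), the following Python sketch flags the three behaviours described above in constructed, simplified log lines: a PsExec service installation, a Defender-disabling policy value, and PowerShell spawned by the WMI provider host. The key=value event layout, host names and field names are assumptions for illustration; the Windows artefacts it looks for (the PSEXESVC service, the DisableAntiSpyware policy value, WmiPrvSE.exe as parent) are real, but real telemetry needs tuning against your own environment.

```python
import re

# Constructed sample events (assumed key=value format, not real telemetry).
SAMPLE_EVENTS = [
    r"host=WS01 source=System event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe",
    r"host=DC01 source=Security event_id=4688 parent=WmiPrvSE.exe process=powershell.exe cmdline=powershell -EncodedCommand REDACTED",
    r"host=WS02 source=Registry event_id=13 path=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value=1",
    r"host=WS03 source=Security event_id=4688 parent=explorer.exe process=notepad.exe cmdline=notepad.exe",
]

# Matches key=value pairs where a value may contain spaces (e.g. "Windows Defender")
# by stopping just before the next " key=" token or the end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(_KV.findall(line))


def classify(ev: dict) -> list:
    """Return the names of every detection rule that matches this event."""
    hits = []
    # Rule 1: PsExec lateral movement leaves a service install (System 7045) named PSEXESVC.
    svc_blob = (ev.get("service_name", "") + ev.get("image_path", "")).upper()
    if ev.get("event_id") == "7045" and "PSEXESVC" in svc_blob:
        hits.append("psexec_service_install")
    # Rule 2: Defender disabled through policy, the registry footprint a GPO-based disable leaves.
    path = ev.get("path", "")
    if ("Policies\\Microsoft\\Windows Defender" in path
            and path.endswith("DisableAntiSpyware") and ev.get("value") == "1"):
        hits.append("defender_disabled_by_policy")
    # Rule 3: PowerShell whose parent is the WMI provider host, i.e. remotely triggered via WMI.
    if (ev.get("event_id") == "4688"
            and ev.get("parent", "").lower() == "wmiprvse.exe"
            and ev.get("process", "").lower() == "powershell.exe"):
        hits.append("wmi_spawned_powershell")
    return hits


def scan_events(lines: list) -> list:
    """Return (host, rule) pairs for every event that triggers a rule, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((ev.get("host", "?"), rule))
    return findings


if __name__ == "__main__":
    for host, rule in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Correlating these three rules on the same handful of hosts within a short window is a stronger signal than any one of them alone, since PsExec and WMI-launched PowerShell also appear in legitimate administration.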


How can organizations protect themselves from this ransomware?

As always, a Zero Trust architecture can help prevent these types of attacks from affecting an organization. By not trusting any file or link until it has been properly verified as legitimate, businesses and their employees can save a lot of time and headaches. Additionally, keeping all system patches up to date also makes this easier: ransomware groups have been found to take advantage of vulnerabilities in a number of outdated pieces of software, such as the Windows Print Spooler exploit seen in May 2022. Finally, always ensure that all antivirus software is also up to date.


