    Black Basta Ransomware Strikes 500+ Entities Across Three Continents

    The Black Basta ransomware-as-a-service (RaaS) operation has attacked more than 500 organizations across private industry and critical infrastructure in North America, Europe, and Australia since it emerged in April 2022.

    A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) states that the actors behind Black Basta have encrypted and stolen data from organizations in at least 12 of the 16 critical infrastructure sectors.

    “Black Basta affiliates employ conventional initial entry techniques — such as phishing and leveraging known vulnerabilities — followed by a dual-extortion model, both encrypting systems and pilfering data,” the advisory states.

    Unlike most other ransomware groups, Black Basta's ransom notes contain no initial ransom demand or payment instructions. Instead, each note gives the victim a unique code and instructs them to contact the group through a .onion URL.

    Black Basta first appeared in the wild in April 2022, using QakBot as an initial infection vector, and has remained a prolific ransomware actor since.

    Data compiled by Malwarebytes attributes 28 of the 373 confirmed ransomware attacks in April 2024 to the group. Kaspersky ranked it the 12th most prolific ransomware family in 2023. Black Basta's activity also surged in Q1 2024, up 41% quarter-over-quarter.

    There is compelling evidence linking the operators of Black Basta to another cybercrime group, FIN7, which shifted to conducting ransomware attacks as of 2020.

    Attacks involving the ransomware typically use the SoftPerfect network scanner for network reconnaissance; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement; Mimikatz for privilege escalation; and RClone for data exfiltration before encryption.

    The actors also escalate privileges by exploiting known vulnerabilities such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527).

    In some cases, a tool called Backstab has been deployed to disable endpoint detection and response (EDR) software. Backstab has previously been used by LockBit affiliates.

    In the final stage, files are encrypted using ChaCha20 in combination with an RSA-4096 public key; before encryption, volume shadow copies are deleted with the vssadmin.exe utility to hinder system recovery.
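    A detection check for the shadow copy deletion step described above, written here as an added Python example rather than anything from the advisory or this article: it parses constructed, simplified Sysmon-style process-creation events (the pipe-delimited format and every sample value are made up for this example) and flags vssadmin.exe launched with a "delete shadows" command line.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a simplified Sysmon-style
# "key=value|key=value" format; not real telemetry from any incident.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\svc-backup",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\admin",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
    'Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine="C:\\Windows\\System32\\vssadmin.exe"  Delete   Shadows /For=C: /Quiet'
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|User=NT AUTHORITY\\SYSTEM",
]

# "delete shadows" in any letter case, tolerating extra whitespace between the words.
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one pipe-delimited key=value event line into a dict (first '=' is the separator)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_shadow_copy_deletion(event: dict) -> bool:
    """True when the process image is vssadmin.exe and its command line deletes shadow copies."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    return image == "vssadmin.exe" and DELETE_SHADOWS.search(event.get("CommandLine", "")) is not None


def scan(lines: list) -> list:
    """Return (user, parent image, command line) for every event matching the deletion pattern."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_shadow_copy_deletion(event):
            alerts.append((event.get("User", "?"), event.get("ParentImage", "?"), event["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for user, parent, cmd in scan(SAMPLE_EVENTS):
        print(f"ALERT shadow copy deletion: user={user} parent={parent} cmd={cmd}")
```

Legitimate backup software also invokes vssadmin, so the parent process and user carried in each alert are what an analyst would use to triage a hit.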

    “Healthcare entities present enticing targets for cybercriminals owing to their scale, reliance on technology, accessibility to personal health records, and distinct ramifications arising from disruptions in patient care,” noted the agencies.

    The development comes as the CACTUS ransomware campaign continues, exploiting security flaws in the Qlik Sense cloud analytics and business intelligence platform to gain initial access to target environments.

    A new analysis by NCC Group’s Fox-IT team identified 3,143 servers still vulnerable to CVE-2023-48365 (aka DoubleQlik) as of April 17, 2024, most of them located in the U.S., Italy, Brazil, the Netherlands, and Germany.

    The ransomware landscape remains in flux: activity fell 18% in Q1 2024 compared with the previous quarter, largely because of law enforcement operations against ALPHV (aka BlackCat) and LockBit.

    Given the reputational damage LockBit has suffered among affiliates, there is speculation that the group may attempt to rebrand. “The DarkVault ransomware group emerges as a potential successor to LockBit,” said cybersecurity firm ReliaQuest, pointing to similarities with LockBit’s branding.

    New ransomware groups that have surfaced in recent weeks include APT73, DoNex, DragonForce, Hunt (a Dharma/Crysis ransomware variant), KageNoHitobito, Megazord, Qiulong, Rincrypt, and Shinra.

    “The proliferation of ransomware variants and the ability to swiftly adapt and rebrand in the face of adversity underscore the resilient and dynamic nature of threat actors in the ransomware ecosystem,” remarked blockchain analytics firm Chainalysis, highlighting a 46% decrease in ransom payments in 2023.

    These observations are echoed by findings from Veeam-owned Coveware, which noted a record low of 28% of victims opting to pay the ransom in Q1 2024. The average ransom payment during this period stood at $381,980, representing a 32% decline from Q4 2023.

    According to the Sophos State of Ransomware 2024 report released late last month, which surveyed 5,000 organizations globally, a substantial proportion of victims refused to meet the initial ransom demand.

    “Of the 1,097 respondents whose organizations paid the ransom, the actual sum paid was disclosed, revealing that the average (median) payment has surged five-fold over the past year, from $400,000 to $2 million,” stated the company.

    “While the rate of ransom payments has increased, only 24% of respondents indicated that their payment matched the initial demand. 44% paid less than the original demand, while 31% paid more.”
