IBM experts presented a detailed analysis of Black Basta ransomware

The IBM Security X-Force team has published an analysis of the new Black Basta extortion group, which first appeared in April 2022. To date, the group has allegedly attacked 29 organizations across a range of industries.

Black Basta uses double-extortion tactics: it not only encrypts the victim's files and demands a ransom for decryption, but also steals data and threatens to publish it if the ransom is not paid. The files of victims who refuse to pay are posted on the group's leak site on the Tor network. To increase pressure on the victim, the extortionists publish its data in portions.

The Black Basta group is still in the early stages of development, and X-Force specialists have not yet found any advertising or offers of cooperation on hacker forums. Because of the similarity in operations and the lack of attempts to recruit affiliates, some experts believe that Black Basta is a rebranding of the infamous Conti group. This would explain the reluctance to recruit new affiliates, since Conti already has enough of them. However, earlier this month Conti stated that it has nothing to do with Black Basta. X-Force specialists are still trying to establish whether this is the case.

Black Basta ransomware works so fast that security teams rarely have time to suspect something is wrong before the organization's files are encrypted.

The sudden appearance of Black Basta and its high rate of successful infections are an example of how "new" cyber-extortion groups can quickly become central figures in the cybercrime arena.

Although X-Force specialists have not yet established a connection between Black Basta and current or past cyber-extortion operations, its impact in such a short period indicates the use of very effective tactics, techniques and procedures (TTPs) that pose a serious threat to corporate networks.

Judging by the data currently available, Black Basta does not target any specific industries or verticals. However, organizations that collect large amounts of data are attractive targets for ransomware.

Enterprises are advised to create and maintain regular backups, including offline copies. Backups should be stored separately from any network zones to which attackers could potentially gain even read-only access.

It is also recommended to implement a strategy to prevent data theft, especially of data stored on cloud platforms; to analyze employee behavior in order to identify potential security incidents; and to audit and monitor networks so that suspicious activity by privileged accounts and groups can be responded to quickly.

In addition, it is recommended to enable multi-factor authentication for all remote access points into the corporate network, and to secure or disable access via RDP, a protocol ransomware operators frequently abuse.