Ransomware gangs with creatively imaginative names dominate the cybersecurity space. The same names appear again and again, from Conti and Lockbit, to REvil ransomware.
Sometimes, however, a new ransomware gang gets thrown in the mix.
Over the past few months, that has been ‘Black Basta’ ransomware.
We’ve had a look at the Black Basta attack techniques, previous targets and suspicions of it hiding behind an experienced, already well-known ransomware operation.
Black Basta are a relatively new ransomware gang known for using a double extortion attack model and more recently leveraging QBot to move laterally on a compromised network. They have reportedly been active since April 2022, although some threat researchers claim February, due to the ransomware name “no_name_software” coinciding with two operations. In just a few weeks after launch, they’d already breached at least twelve companies and their expansion worldwide is only increasing.
Black Basta primarily target enterprises with the intention of stealing corporate data, encrypting it and demanding a ransom. Victim’s files and documents are published on the “Black Basta Blog” or “Basta News” Tor site. The victim is then supplied with a readme.txt file in every encrypted folder on their device with a link and unique ID to log in to a negotiation chat session with the threat actors. Here is where Black Basta leave a welcome message, the ransom amount to pay and the threat that if it isn’t paid up in seven days, the data will be leaked. There’s even been promise of a security report after the ransom is paid.
More recently, there has been the discovery of a new Black Basta ransomware variant that supports encryption of VMWare ESXi servers – this move can only aim for expanding potential targets as Black Basta continue to plough ahead.
Black Basta Negotiation Site
Due to Black Basta’s quick amalgamation of successful victims and the perceived expertise of their negotiations, many threat researchers have suspicions on whether this ransomware gang are truly original – could they instead be a rebrand of an already experienced ransomware operation?
If this were the case, no new affiliates would be needed which would explain Black Basta’s lack of marketing surrounding recruiting new members. It would also coincide with issues that have fallen upon Conti ransomware gang, after a Ukrainian researcher leaked private conversations amidst the ransomware’s source code; it would therefore make sense that an operation like Conti would rebrand to evade law enforcement and begin afresh.
MalwareHunterTeam have expressed their opinion over the similarities between Black Basta and Conti in terms of their site design and the language of their support team, and others seem to have followed suit.
Black Basta Data Leak Site
It’s impossible to fully accurately predict the moves of ransomware gangs, despite the continuous analysis of their tactics, techniques and procedures (TTP’s). That’s why it’s important for every organisation to be aware of their cyber risk for worst case scenarios.
Black Basta is one of many detrimental ransomware gangs, and you can stay in the know with our analysis of the top 5 ransomware strains over the past year.
Share your thoughts, join our #RansomAware community and keep safe.
Call us directly and we’ll put you in touch with the most relevant cyber expert.
Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.
Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.
