Updated: Jul 5, 2022
According to Cybereason’s Nocturnus Team, the threat group has already targeted 50 victims in just two months.
A new ransomware group which calls itself Black Basta is gaining notoriety with some 50 victims across a wide range of industries and demands of millions of dollars in ransom payments in the span of two short months. The Nocturnus Team, the threat research arm of US-Israeli cybersecurity company Cybereason, issued a high-severity threat level warning against the group.
According to a new report by Nocturnus, Black Basta was discovered in April 2022, but probably started setting up two months before. And while the group is new, “it’s pretty clear that the Basta Gang knows what they are doing,” says the report, signed by Cybereason Senior Threat Researcher and Threat Hunter Lior Rochberger.
On April 20th, a user named BlackBasta posted on underground forums “a post intended to buy and monetize corporate network access for a share of the profits.” Though written in Russian, the post specified it was looking for organizations based in the US, UK, Canada, Australia, and New Zealand, suggesting the group specifically targets English-speaking countries, the researchers say.
“Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarment manufacturers, and more.”
The attacker's MO starts with infiltrating and moving laterally through the targeted organization – first by harvesting credentials and understanding the network architecture – and then deploying the ransomware.
“When the ransomware starts its encryption routine, it first changes the background image of the desktop and simultaneously goes through files and encrypts them,” the report notes.
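The two behaviours the report describes at the start of the encryption routine, a desktop-background change and rapid file modification by the same process, are a natural pair to correlate in endpoint telemetry. The following is an added illustration written for this article, not code from Cybereason's report or from the malware: it runs a simple heuristic over constructed endpoint events. The event format is a stand-in for whatever an EDR or Sysmon pipeline would emit, and the registry value `HKCU\Control Panel\Desktop\Wallpaper` is assumed as the generic place a wallpaper change lands; the page does not state which mechanism Black Basta uses.

```python
"""Heuristic correlation of a wallpaper change followed by mass file modification
by the same process.  Added illustration, not Cybereason's or Black Basta's code;
the event format is a constructed stand-in for real EDR/Sysmon telemetry."""
from collections import defaultdict
from dataclasses import dataclass

# HKCU\Control Panel\Desktop\Wallpaper is the standard registry value Windows reads
# for the desktop background.  Treating it as the signal is an assumption here;
# the report does not say how the malware changes the background.
WALLPAPER_VALUE = r"HKCU\Control Panel\Desktop\Wallpaper"


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since an arbitrary epoch
    pid: int
    image: str       # process image name
    kind: str        # "registry_set" or "file_write"
    target: str      # registry value path or file path


def detect_wallpaper_then_mass_write(events, window=60.0, min_writes=20):
    """Return {(pid, image): n_files} for processes that set the wallpaper value
    and then modified at least `min_writes` distinct files within `window` seconds."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.image)].append(ev)

    alerts = {}
    for key, evs in by_proc.items():
        wallpaper_ts = [e.ts for e in evs
                        if e.kind == "registry_set"
                        and e.target.lower() == WALLPAPER_VALUE.lower()]
        if not wallpaper_ts:
            continue                      # no wallpaper change: bulk writers alone are not flagged
        t0 = wallpaper_ts[0]
        touched = {e.target for e in evs
                   if e.kind == "file_write" and t0 <= e.ts <= t0 + window}
        if len(touched) >= min_writes:
            alerts[key] = len(touched)
    return alerts


def constructed_events():
    """Constructed sample telemetry: a benign wallpaper change, a benign bulk
    writer, and one process that shows both behaviours back to back."""
    evs = []
    # A user picks a new wallpaper through Explorer: registry set, then nothing else.
    evs.append(Event(100.0, 4100, "explorer.exe", "registry_set", WALLPAPER_VALUE))
    # A backup agent writes many files but never touches the wallpaper.
    for i in range(40):
        evs.append(Event(200.0 + i, 5200, "backupagent.exe", "file_write",
                         f"D:\\backup\\f{i}.bak"))
    # Constructed encryptor: wallpaper change, then a burst of file rewrites.
    evs.append(Event(300.0, 6300, "constructed_encryptor.exe", "registry_set", WALLPAPER_VALUE))
    for i in range(30):
        evs.append(Event(300.5 + i * 0.1, 6300, "constructed_encryptor.exe", "file_write",
                         f"C:\\Users\\alice\\Documents\\doc{i}.docx"))
    return evs


if __name__ == "__main__":
    for (pid, image), n in detect_wallpaper_then_mass_write(constructed_events()).items():
        print(f"ALERT pid={pid} image={image}: wallpaper set, then {n} files modified")
```

Because the report says the background change and the encryption happen simultaneously, a production rule would widen the window to include writes shortly before the registry event as well, and would key on distinct paths rather than raw event counts so that a process repeatedly rewriting one file does not trip it.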
“The Black Basta gang follows the growing trend of double extortion,” the report goes on. This means that the group steals sensitive data from its victims and later uses it to extort them into paying the ransom, threatening to otherwise publish the data.
The researchers note that Black Basta’s capabilities demonstrate it aims to play in the “big league” of ransomware – like Conti, REvil, BlackMatter, and others. There has been some speculation on whether this new group is linked to Conti – which the latter denied in a post.