Ransomware-as-a-Service (RaaS) is a booming business and threat groups are growing into this model. One such ransomware group, Black Basta, has gained a strong foothold as one of the most active ransomware gangs. Cybereason closely monitored the group and here’s what they found.

Diving into details

  • Black Basta has been active since April 2022 and, within just two months, it has amassed almost 50 victims in the U.S., the U.K., Australia, Canada, and New Zealand.
  • Its victims mainly operate in manufacturing, transportation, construction, plumbing and heating, telecommunications, automobile, and cosmetics industries, among others.
  • The ransomware’s Linux strain targets VMware ESXi VMs running on enterprise servers.
  • Before deploying the ransomware, the operators infiltrate and move laterally across the entire network, performing a full-fledged RansomOps attack.

Similar to most ransomware groups, Black Basta follows the double extortion trend. While ransom demands vary, the group has been observed demanding even millions of dollars in payment.

How dangerous is it?

  • The emergence of Black Basta as a huge threat just within a couple of months of launch highlights a new trend.
  • Hackers are targeting hard and fast, drawing large amounts of money, and selling the code to other threat actors.
  • Of the multiple Black Basta variants detected, two are developed exclusively for RaaS operations. They have been used extensively against corporate networks, targeting confidential data and credentials.
  • The sudden emergence has led experts to speculate that Black Basta is actually a regrouping of two recently dismantled groups - Conti and REvil.
  • The attack precision indicates that the group is operated by former members of REvil and Conti, two of the most successful ransomware groups.

The bottom line

These types of threats emphasize the need for comprehensive visibility into everything happening on an organization-wide network. Organizations must consider a holistic security strategy, including monitoring of network logs and known IOCs and TTPs, to fight off threats like Black Basta.
Cyware Publisher