UK telecoms giant BT has launched an investigation after a notorious ransomware group claimed to have stolen a significant number of files, including sensitive information.
The Black Basta ransomware group added BT — specifically its btci.com and btconferencing.com domains — to its Tor-based leak website, claiming to have obtained roughly 500 Gb of data, including financial, corporate, and personal information.
The cybercriminals are threatening to leak the stolen data in less than a week unless a ransom is paid. A data sample they have made public indicates that they have obtained copies of passports and other identification documents.
In a statement to SecurityWeek, a BT Group spokesperson confirmed that the company has identified an attempt to compromise its BT Conferencing platform.
“This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” the BT spokesperson said.
“The impacted servers do not support live BT Conferencing services, which remain fully operational, and no other BT Group or customer services have been affected. We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response,” the spokesperson added.
Rapid7 reported on Wednesday that Black Basta has been refining its social engineering methods. According to the security firm, the cybercriminals initiate an attack by signing up the targeted user’s email address to many mailing lists, which results in the victim getting bombarded with emails.
The attackers then call up or message the victim — mainly through Microsoft Teams — offering assistance with the email problem. The hackers claim to be from the IT, help desk or support team of the targeted organization, and they instruct the victim to install remote management software such as Quick Assist, TeamViewer, AnyDesk, or ScreenConnect.
This enables them to deploy a credential harvester and various pieces of malware that allow them to gain further access and obtain valuable information. The malware includes Zbot and DarkGate, as well as custom malware.
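For defenders, the sequence Rapid7 describes (email flood, then an external Teams contact, then a remote management tool launch) can be correlated per user. The following is an added example, not code from Rapid7 or SecurityWeek; the event schema, thresholds and process-name substrings are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# RMM tools named in the article; substring matching is this example's assumption.
RMM_MARKERS = ("quickassist", "teamviewer", "anydesk", "screenconnect")
MAIL_BURST = 50                       # assumed threshold: inbound mails per window
BURST_WINDOW = timedelta(minutes=30)
FOLLOWUP_WINDOW = timedelta(hours=4)  # assumed time for the caller to follow up


def find_chains(events):
    """Return (user, process) pairs: mail burst -> external Teams chat -> RMM launch."""
    hits = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["type"] == "mail_in"]
        # Earliest moment at which MAIL_BURST mails arrived within BURST_WINDOW.
        burst_at = next((mails[i + MAIL_BURST - 1] for i in range(len(mails) - MAIL_BURST + 1)
                         if mails[i + MAIL_BURST - 1] - mails[i] <= BURST_WINDOW), None)
        if burst_at is None:
            continue
        deadline = burst_at + FOLLOWUP_WINDOW
        contact = next((e["ts"] for e in evs if e["type"] == "teams_external"
                        and burst_at <= e["ts"] <= deadline), None)
        if contact is None:
            continue
        for e in evs:
            if (e["type"] == "process" and contact <= e["ts"] <= deadline
                    and any(m in e["name"].lower() for m in RMM_MARKERS)):
                hits.append((user, e["name"]))
                break
    return hits


def sample_events():
    """Constructed events: alice matches the chain, bob only launches AnyDesk."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=10 * i), "user": "alice", "type": "mail_in"}
          for i in range(60)]
    ev.append({"ts": t0 + timedelta(minutes=20), "user": "alice", "type": "teams_external"})
    ev.append({"ts": t0 + timedelta(minutes=35), "user": "alice", "type": "process",
               "name": "QuickAssist.exe"})
    ev.append({"ts": t0, "user": "bob", "type": "process", "name": "AnyDesk.exe"})
    return ev


if __name__ == "__main__":
    print(find_chains(sample_events()))
```

Requiring all three stages in order keeps routine use of these tools, such as bob's AnyDesk session in the sample, from raising an alert on its own.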
Black Basta has hit hundreds of organizations since it emerged in 2022, and one year ago it was reported that it had made over $100 million from ransom payments.