Ransomware, Content

Anatomy of a Black Basta Ransomware Attack on BankCard USA

Cybersecurity experts and law enforcement have long counseled organizations to brush off ransom demands by cyber kidnappers. But many businesses, including some high-profile cases, do end up coughing up tens of thousands of dollars, even millions to retrieve their files and thaw their networks.

Black Basta Ransomware Attack Examined

SuspectFile, an independent website that has been chronicling cybersecurity issues since 2006, dived into the details of a ransomware attack orchestrated by Black Basta against BankCard USA (BUSA) this past June and gave a near play-by-play accounting of what happened from start to finish.

BankCard is an issuer of merchant services since 1993, offering credit card processing products and services for some 100,00 new and existing businesses.

Black Basta, which surfaced more than a year ago and is composed of founding Conti members, typically targets organizations in the U.S., Canada, U.K., Australia, and New Zealand. The group is known for pilfering sensitive information and then extorting victims for as much as $2 million by threatening to post the data on the dark market unless the victim meets its ransomware demands.

In a 12-month lookback from March 2023, Black Basta had a 7% share of the number of ransomware events worldwide, well behind Lockbit’s 30%, according to a Black Kite survey of 2,700 incidents.

Anatomy of a Ransomware Attack

What follows is a blow-by-blow account of the ransomware negotiation as chronicled by SuspectFile.

In the BUSA incident, a negotiation was conducted over the course of a month, the company ultimately agreed to pay a ransom of $50,000 in bitcoins, in exchange for Black Basta not posting roughly 200 gigabytes of sensitive and financial data publicly.

Black Basta’s original demand was $500,000 in bitcoins. Here is how the negotiation went, according to SuspectFile.

“Hello We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We’ve downloaded over 200GB of a sensitive information and data from your network "

Black Basta also provided a URL of their currently secret blog page, a description of the company, a series of financial, judicial documents and copies of four passports as proof. Ultimately, the crew published in the chat the link to download the tree of files in its possession, some 34,506 directories and 401,356 files.

As BUSA wrote:

“After speaking with my higher ups, they are concerned about the amount you are asking. We do not have half of a million dollars in available funding. Would you be able to work with us on the price?”

Black Basta offers a 15% discount if BankCard pays within 48 hours. “If you pay within 48 hours, we are ready to give you a 15% discount. Fast payment, big discount,” Black Basta said.

At this point, SuspectFile writes, BlackBasta may have realized it cannot get its asking price and agrees to $50,000 in bitcoins. In exchange for the ransom payment, BUSA makes some demands of Black Basta:

  • Decryptor for all your Windows machines
  • Non recoverable removal of all downloaded data from our side with deletion log
  • No publication of any kind. (Black Basta lied about this one, SuspectFile said.)
  • No selling of our data
  • No giving our data away
  • Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future
  • Guarantee Black Basta will not attack our company again

Protecting Your Organization

Here are some recommendations on how organizations can protect their networks should an employee of other person link on a phishing email and launch a ransomware attack:

  1. Use sandbox to analyze the contents of letters and their attachments.
  2. Use the password security policies
  3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
  4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
  5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
  6. Block kerberoasting, a post exploitation attack.
  7. Conduct full penetrations tests and audit.
  8. Use and update Anti-virus/anti-malware and malicious traffic detection software.
  9. Configure group policies, disable the default administrators accounts, create new accounts.
  10. Backups. You must have offline backups, does not have access to the network.

“A security report both in form and substance that we have seen repeated with other victims,” SuspectFile wrote.

“Paying in the hope that your name, your data will never be brought to light is mere utopia. SuspectFile.com had access to the chat from day one and we certainly had hundreds of other people who were able to follow the evolution of the negotiation live. BankCard USA is nothing more than one of the latest victims to fall into the network of a group of cybercriminals whose main objective is to monetize their work, at any cost and by any means.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.