We’re learning more about a new ransomware group called Black Basta, which has extorted more than 50 companies globally since becoming active in April 2022.
Cybereason is sounding a loud alarm, categorizing its Black Basta threat alert as “highly dangerous/severe,” in accordance with Federal Bureau of Investigation (FBI) and U.S. Department of Justice (DOJ) classification.
Black Basta Traces Lineage to Conti Hacking Group
Black Basta is comprised of founding members from the recently disbanded Conti hacking group, according to Cybereason. Using double extortion schemes against VMware systems running on Linux servers, Black Basta has reportedly demanded as much as $2 million from some companies.
Double extortion works when attackers penetrate a victim’s network, steal sensitive information by moving laterally through organizations and threaten to publish the stolen data unless the ransom demand is paid, Cybereason explains.
Black Basta steals data, including documents, before encrypting it on the company’s systems. The group then demands a ransom both to stop the stolen data from being leaked and to provide a decryptor that unlocks the encrypted data.
“High Severity” Attacks on a Wide Range of Industries
Here are key findings from the Cybereason report:
- Targets VMware ESXi. Black Basta’s Linux variant targets VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
- High Severity. The Cybereason Nocturnus Team assesses the threat level as “high severity” given the destructive potential of the attacks.
- Targeting English-Speaking Countries. Black Basta is specifically targeting the United States, Canada, the United Kingdom, Australia and New Zealand.
- Targeting Wide Range of Industries. Black Basta is targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers and more.
- Human-Operated Attack. Prior to deploying the ransomware, the attackers infiltrate the network and move laterally throughout the organization, carrying out a fully developed RansomOps attack.
Lior Div, Cybereason CEO and Co-founder, commented on the ongoing situation:
“Since Black Basta is relatively new, not a lot is known about the group. Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”
Cybereason is a Boston-based XDR company partnering with defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem.