Pierluigi Paganini
May 12, 2024
The FBI, CISA, HHS, and MS-ISAC have issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.
Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.
Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.
“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.” reads the CSA.
In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.
The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.
In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.
The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.
“Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023.” reads the Elliptic’s report. “Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.”
Most of the victims are in the manufacturing, engineering and construction, and retail sectors. 61,9% of the victims are in the US, 15.8% in Germany, and 5.9% in Canada.
Some of the victims’ ransom payments were sent by both Conti and Black Basta groups to the gang behind the Qakbot malware.
The US agencies recommend critical infrastructure organizations implement several mitigations. These align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST, providing a minimum set of practices to protect against common threats. Recommendations provided in the report include installing updates promptly, using phishing-resistant multi-factor authentication (MFA), securing remote access software, making backups, and applying mitigations from the #StopRansomware Guide.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
