The group has targeted 50 businesses from English-speaking countries since April 2022.
Earlier this month, a report was published stating that the former ransomware group Conti had split, with many members joining other groups or forming new rival teams, and explaining why these former members were more dangerous than before. As of today, this appears to be becoming a reality. A new ransomware group called Black Basta has become notable in the ransomware game; it was formed in April 2022 and is believed to be made up of former Conti and REvil members.
Conti's current members have debated whether to acknowledge any involvement with the new group, but have dismissed the Black Basta group as just "kids", according to Conti's hacking forum.
Findings published today by XDR company Cybereason detail the activities of this new gang, as well as the ways in which both companies and individuals can try to stay safe against this newly formed group.
Black Basta is emerging as a ransomware group
To begin with, the hacking group has already targeted about 50 companies in a short time in the United States, the United Kingdom, Australia, New Zealand and Canada. Cybereason says it believes, based on the nature of the attacks and the chosen targets, that former members of some major hacking groups have created the new gang.
"Since Black Basta is relatively new, not much is known about the group," said Lior Div, CEO and co-founder of Cybereason. "Because of their rapid ascent and the precision of their attacks, Black Basta is probably run by former members of the two most profitable ransomware gangs of 2021, the now-defunct Conti and the REvil gang."
The ransomware employed by Black Basta is a new variant, according to Cybereason, and it uses double extortion tactics: the ring steals the files of a victim organization and then threatens to release the stolen files if the ransom demand is not met. According to Cybereason, the group has allegedly demanded millions of dollars from its victims to keep the stolen data secret.
The attack itself is carried out in partnership with the QBot malware, which streamlines the intrusion for groups like Black Basta and gives them easy access to data on targeted systems. Once Black Basta has established access, the gang targets the domain controller and moves laterally using PsExec.
The adversary then disables Windows Defender and any other antivirus software by using a compromised group policy object. Once the defensive software is inactive, Black Basta deploys the ransomware using an encoded PowerShell command, run through Windows Management Instrumentation, to push the ransomware to a specific set of IP addresses.
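The chain described above (PsExec for lateral movement, a group policy change that disables Defender, and encoded PowerShell launched through WMI) leaves distinctive traces in process-creation telemetry. The following is an added example of detection logic, not code from Cybereason or from the report; the event format, registry value and sample command lines are constructed for the illustration.

```python
import base64
import re

# Constructed sample process-creation events (not real telemetry), shaped like
# a flattened Sysmon/EDR record: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    # PsExec drops and starts its service binary on the remote host.
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    # Encoded PowerShell whose parent is the WMI provider host.
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "Start-Process C:\\Users\\Public\\sample.exe".encode("utf-16le")).decode()},
    # Policy-level Defender tampering (registry path is a constructed example).
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
]

# Matches -e/-ec/-enc/-EncodedCommand followed by the base64 payload.
ENC_FLAG = re.compile(r"(?<!\S)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden in an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as base64 over UTF-16LE
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(ev):
    """Map one event to the Black Basta stage it resembles, or None."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    if image.endswith("psexesvc.exe"):
        return "lateral_movement_psexec"
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe") and ENC_FLAG.search(cmd):
        return "wmi_encoded_powershell"
    if "disableantispyware" in cmd.lower() or "disablerealtimemonitoring" in cmd.lower():
        return "defender_tampering"
    return None


def detect_chain(events):
    """Return (stage, cmdline, decoded_script) for every event that matches a stage."""
    return [(s, ev["cmdline"], decode_encoded_command(ev["cmdline"]))
            for ev in events if (s := classify_event(ev))]
```

Seeing two or more of these stages on the same host within a short window is a far stronger signal than any single hit, since encoded PowerShell and PsExec both have legitimate administrative uses.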
How can companies protect themselves from this ransomware?
As always, adopting a zero-trust architecture can help prevent such attacks from affecting an organization. By not trusting any file or link until it has been adequately verified as legitimate, businesses and their employees can save a lot of time and headaches by doing what they can to avoid becoming victims. In addition, keeping all systems up to date helps with this process: ransomware groups have been seen taking advantage of vulnerabilities in a number of older software components, such as the exploitation of Windows Print Spooler observed in May 2022. Lastly, always make sure that all antivirus software is up to date.