Ransomware has become a common threat in the digital landscape, causing heavy financial losses and operational disruptions. In recent years, a new form of cybercrime has emerged known as Ransomware as a Service (RaaS).
The methods and techniques required to conduct a cyber-attack have never been more accessible, and criminal gangs now see this as a viable business model. This report examines the Black Basta RaaS, its modus operandi, recent attacks attributed to it and Gemserv’s security recommendations to help protect your organisation.
Who are Black Basta?
Active since at least April 2022, ‘Black Basta’ is a notorious RaaS platform that racked up nineteen prominent enterprise victims and more than one hundred confirmed victims in its first few months of operation.
Thought to originate as a splinter group of the RaaS ‘Conti’, one of the most famous cybercriminal groups in the world, Black Basta enables cybercriminals to execute ransomware attacks without broad technical expertise. By using this service, individuals or groups can deploy customised ransomware campaigns, receiving a portion of the proceeds while the service provider retains the rest. It has never been easier for cyber criminals to target organisations.
What’s more, victims have reported being targeted with a ‘double extortion’ technique, also known as ‘pay now or get breached’. A monetary ransom is demanded both for the decryption keys and for a promise not to leak the exfiltrated files, so a restored backup alone does not remove the attacker’s leverage.
Recent Attacks Attributed to Black Basta Ransomware
Earlier this week, an attack was confirmed on German arms manufacturer, Rheinmetall. The attack coincided with reports of the organisation’s involvement in a tank factory project in Ukraine. Although the incident only affected Rheinmetall’s civilian business, the company’s military business plays a crucial role in supplying ammunition and reconnaissance systems to the Ukrainian armed forces. This development reinforces the significance of ransomware attacks on critical industries like defence and military infrastructure.
In May 2023, Switzerland-based ABB was reportedly targeted in a ransomware attack. The incident reportedly impacted the company’s Windows Active Directory, affecting hundreds of devices. It is not known whether a ransom demand has been issued or paid; a full investigation is ongoing.
On 31 March 2023, Capita disclosed a cyberattack which disrupted access to Microsoft Office 365 applications. The firm warned Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, to work under the assumption that attackers stole members’ data, although it cannot confirm whether it was exfiltrated.
In March 2023, satellite company Dish announced that it had suffered a multi-day network outage as a result of a ransomware attack. The company confirmed that threat actors stole data from its compromised systems, though it has yet to announce whether employee or customer data is impacted. Black Basta is suspected of being responsible, given that the attack targeted VMware ESXi servers.
How to protect your organisation
- Use Cyber Threat Intelligence (CTI) for the latest indicators of compromise, and feed it into your SIEM / SOAR solutions so that matches raise alerts automatically.
- RaaS affiliates still need initial access, commonly through phishing. Train your team to raise security awareness and reduce the chance of a successful phishing attack; awareness training lowers but does not eliminate that chance, so pair it with multi-factor authentication and e-mail filtering.
- Create and maintain ransomware playbooks, as well as incident management plans.
- Employ and maintain healthy backup policies, including offline or immutable copies and regular restore tests, so that systems can be restored quickly and further harm contained.
- Segregate as much IT infrastructure as possible. Rheinmetall was able to minimise damage by separating its military and civilian infrastructure.
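The following is an added illustration of the first recommendation above (CTI indicators fed into detection), not code from the original article or from Gemserv. It loads a small indicator feed of domains, IPv4 addresses and SHA-256 hashes, normalises the values, and scans log lines for matches, treating subdomains of a listed domain as hits and matching hashes case-insensitively. The indicator values, hostnames and log lines are constructed placeholders; they are not real Black Basta indicators, and the feed format is a hypothetical CSV rather than a specific vendor schema.

```python
"""Match a small CTI indicator feed against log lines (added example).

Indicator values and log lines are CONSTRUCTED placeholders, not real
Black Basta indicators.  The feed format is a hypothetical CSV of
type,value,note; a real deployment would pull from STIX/TAXII or a
SIEM lookup table instead.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed feed. 203.0.113.0/24 is the RFC 5737 documentation range.
CTI_FEED = """\
# type,value,note
domain,evil-update.example,constructed C2 domain
ipv4,203.0.113.45,constructed C2 address
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,constructed payload hash
"""

# Constructed log lines: DNS, firewall and EDR events from a fictional estate.
SAMPLE_LOGS = [
    "2023-05-23T10:01:12Z dns client=10.0.0.12 query=cdn.evil-update.example type=A",
    "2023-05-23T10:01:15Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2023-05-23T10:02:03Z edr host=WS-0042 file=inv.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2023-05-23T10:02:10Z dns client=10.0.0.13 query=www.example.org type=A",
    "2023-05-23T10:03:44Z fw src=10.0.0.14 dst=203.0.113.4 dport=443 action=allow",
]

# Word boundaries stop "203.0.113.4" from matching inside "203.0.113.45"
# and stop a 64-hex digest from matching inside a longer hex run.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def load_feed(text: str) -> Dict[str, Set[str]]:
    """Parse the CSV feed into lower-cased indicator sets keyed by type."""
    indicators: Dict[str, Set[str]] = {"domain": set(), "ipv4": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value, _note = line.split(",", 2)
        ioc_type = ioc_type.strip().lower()
        if ioc_type not in indicators:
            raise ValueError(f"unsupported indicator type: {ioc_type}")
        indicators[ioc_type].add(value.strip().lower())
    return indicators


def scan_line(line: str, indicators: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (type, indicator, observed_value) for every indicator seen in the line."""
    hits: List[Tuple[str, str, str]] = []
    text = line.lower()  # hashes and hostnames are case-insensitive
    for ip in set(IPV4_RE.findall(text)):
        if ip in indicators["ipv4"]:
            hits.append(("ipv4", ip, ip))
    for digest in set(SHA256_RE.findall(text)):
        if digest in indicators["sha256"]:
            hits.append(("sha256", digest, digest))
    for name in set(DOMAIN_RE.findall(text)):
        for ind in indicators["domain"]:
            # Exact match or any subdomain of the listed domain.
            if name == ind or name.endswith("." + ind):
                hits.append(("domain", ind, name))
    return hits


def scan_logs(lines: List[str], indicators: Dict[str, Set[str]]) -> List[dict]:
    """Scan every line and return one alert record per indicator match."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        for ioc_type, indicator, observed in scan_line(line, indicators):
            alerts.append(
                {"line": lineno, "type": ioc_type, "indicator": indicator, "observed": observed}
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS, load_feed(CTI_FEED)):
        print(f"ALERT line {alert['line']}: {alert['type']} {alert['observed']} "
              f"(indicator {alert['indicator']})")
```

Running the script flags three of the five constructed lines: the DNS query for a subdomain of the listed domain, the firewall connection to the listed address, and the EDR event whose upper-case digest equals the listed hash; the near-miss address 203.0.113.4 and the benign DNS query produce nothing. Indicator lists of this kind age quickly, so a SIEM rule built on them should sit alongside behavioural detections rather than replace them.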
Gemserv’s threat intelligence solution can support any organisation with (among many other use cases):
- Sector and Region Threats
- Technology Stack Monitoring
- Supply Chain Security (24/7 alerting)
- Brand and Social Media Monitoring