A new ransomware gang is on the scene. Known as Black Basta, the gang moved into full operation this month, breaching at least twelve companies in just a few weeks. The first known Black Basta attacks occurred in the second week of April, and the operation quickly began attacking companies worldwide.
Ransom demands likely vary between victims, but BleepingComputer is aware of one victim who received over a $2 million demand from the Black Basta gang to decrypt files and not leak data.
Black Basta, like most ransomware gangs, steals data before encrypting its victims' devices. The stolen data is used in double-extortion attacks: the threat actors demand a ransom in exchange for a decryptor and a promise not to publish the data. If the victim refuses to pay, Black Basta slowly begins leaking the victim's data on its data leak site. Currently, Black Basta's data leak site lists data for ten companies breached by the gang. The most recent listed victim is Deutsche Windtechnik, a leading wind turbine service provider.
Black Basta is very likely a rebrand of an experienced operation, judging by how quickly it amassed victims and by its style of negotiations. MalwareHunterTeam speculates that it could be a rebrand of the Conti ransomware operation. For the past two months, Conti has faced heavy scrutiny after a Ukrainian researcher leaked the gang's private messages and source code. Because of this, it has been speculated that Conti would rebrand its operation to evade law enforcement and start over under a different name.
You should be backing up your organization's data, system images and configurations, regularly testing those backups, and keeping them offline. Make sure that backups are restored and verified on a schedule, and that they are not reachable from the business network, since many ransomware variants try to find and encrypt or delete any backups they can access. Maintaining current backups offline is critical: if ransomware encrypts your network data, your organization can still restore its systems from them.
Update and patch systems immediately
This includes keeping operating systems, applications and firmware patched in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan
You have to test your plan in order to see where the gaps are. Use core questions to build an incident response plan, such as: Are we able to sustain business operations without access to certain systems? For how long? Would we shut down manufacturing operations if business systems (such as billing) were offline?
Get a third party to review your organization's security
Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive, sophisticated, and will make the effort to find your equivalent of "unlocked doors."
Segment your networks
There has been a recent shift in ransomware attacks: they are moving away from stealing data and towards disrupting operations. It is important that your corporate business functions and your manufacturing/production operations are separated. Filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans (such as manual controls) so that safety-critical functions can be maintained during a cyber incident.
Email is the attack vector organizations are most exposed to. Your employees and board members should be trained to spot and avoid phishing emails. Multi-factor authentication is a strong control for preventing malicious access to sensitive information.
ThreatAdvice is headquartered in Atlanta, Georgia, and we focus on providing world-class cybersecurity solutions. Our ThreatAdvice Breach Protection Platform maximizes a partner’s ability to gain deep insight to a client’s cybersecurity environment, and provides the information needed to monitor, in order to keep their clients secure. Our platform includes vulnerability scanning, security dashboards, detailed reporting, remediation guidance, education and more. For more information visit threatadvice.com/partners or call 678-249-0520.