Black Basta Ransomware: An Emerging Threat

Understanding Black Basta Ransomware

The Arkansas Cyber Defense Center (ACDC) is committed to enhancing the cybersecurity posture of organizations across the state of Arkansas. Our focus includes analyzing emerging threats, understanding the tactics employed by cybercriminals, and providing guidance to mitigate these threats. In the context of increasing global ransomware incidents, this blog aims to spotlight the Black Basta ransomware variant, explaining its operational tactics and offering prevention strategies.

What is Black Basta Ransomware?

Black Basta is a Ransomware-as-a-Service (RaaS) variant that has significantly impacted various sectors worldwide, particularly those within critical infrastructure, chiefly the Healthcare and Public Health (HPH) sector. It employs a double-extortion tactic, not only encrypting the victim's data but also threatening to publish it online unless a ransom is paid. 

Black Basta is the name of a Russian-speaking cyber threat actor group as well as the ransomware it employs. The gang is estimated to have collected over $100 million in ransom payments from at least 90 of the more than 500 organizations it has compromised. Ransom payments average roughly $1.2 million, and the group threatens to post the organization's files on its leak site if the ransom is not paid.

Black Basta attacks often cost organizations far more than the ransom alone. Black Basta is believed to have emerged from the notorious Conti ransomware gang, whose attacks caused significant financial damage to multiple organizations, and its own attacks are no cheaper to recover from. In one case, the London-based outsourcing group Capita, attacked by Black Basta in 2023, admitted that clean-up costs from the incident may reach approximately $31.6 million.

Tactics, Techniques, and Procedures (TTPs) of Black Basta

  • Initial Access: Black Basta affiliates gain a foothold through spear phishing emails and by exploiting known, unpatched vulnerabilities in internet-facing software.

  • Execution and Discovery: Once inside, the threat actors run network-scanning tools to map hosts, shares, and the domain structure. They disguise these tools and their staging files with innocuous names so the activity blends in with routine administration.

  • Lateral Movement and Privilege Escalation: The threat actors then use legitimate remote-administration tools and exploit critical vulnerabilities in Windows and Active Directory to move across the network and obtain domain-level privileges.

  • Exfiltration and Encryption: Before encrypting, the actors copy sensitive data to attacker-controlled infrastructure to support the extortion threat. Files are then encrypted with a randomly generated symmetric key that is itself encrypted with the attackers' public key; because only the attackers hold the matching private key, recovering the data without paying is computationally infeasible.
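The encryption stage described above has a recognizable signature on an endpoint: in a short window, many files are renamed with a new extension and a ransom note appears in each directory. The following added example (written for this post, not code from the ACDC or from any Black Basta sample) runs that detection logic over a small set of constructed file-event log lines. The log format, the `.basta` extension, the `readme.txt` note name, and the burst thresholds are assumptions for the example; substitute the values from current threat intelligence and your own telemetry.

```python
#!/usr/bin/env python3
"""Flag ransomware-style encryption bursts and ransom-note drops in file-event logs.

Added example for this post; not code from the ACDC or from any Black Basta sample.
The log lines are constructed and the indicator values are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed indicators for the example. Refresh from current threat intelligence.
ENCRYPTED_EXT = ".basta"              # extension appended to encrypted files
RANSOM_NOTE_NAMES = {"readme.txt"}    # note dropped into encrypted directories
BURST_THRESHOLD = 20                  # this many encrypted-file events ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this sliding window = alert


def parse_event(line):
    """Parse 'ISO-time|host|user|action|path' into a dict; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, host, user, action, path = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"time": when, "host": host, "user": user, "action": action, "path": path}


def detect(lines):
    """Return alerts as (host, user, kind, detail) tuples, in the order raised."""
    alerts = []
    windows = defaultdict(deque)  # host -> timestamps of recent encrypted-file events
    burst_reported = set()        # one burst alert per host, not one per file
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed telemetry is skipped, not fatal
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev["action"] == "FileCreate" and name in RANSOM_NOTE_NAMES:
            alerts.append((ev["host"], ev["user"], "ransom_note", ev["path"]))
        if ev["action"] in ("FileCreate", "FileRename") and name.endswith(ENCRYPTED_EXT):
            q = windows[ev["host"]]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > BURST_WINDOW:
                q.popleft()   # drop events that fell out of the window
            if len(q) >= BURST_THRESHOLD and ev["host"] not in burst_reported:
                burst_reported.add(ev["host"])
                alerts.append((ev["host"], ev["user"], "encryption_burst",
                               f"{len(q)} files gained {ENCRYPTED_EXT} "
                               f"in {BURST_WINDOW.seconds}s"))
    return alerts


def sample_log():
    """Constructed events: a quiet file server, then a workstation being encrypted."""
    base = datetime(2024, 6, 1, 2, 15, 0)
    lines = [
        "2024-06-01T02:14:50|FS-01|svc_backup|FileCreate|D:\\backups\\nightly-2024-06-01.bak",
        "2024-06-01T02:14:55|FS-01|jsmith|FileRename|D:\\shares\\finance\\q2-draft.xlsx",
        "not a valid line",
    ]
    for i in range(BURST_THRESHOLD + 3):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|WS-42|jsmith|FileRename|"
                     f"C:\\Users\\jsmith\\Documents\\doc{i:03d}.docx{ENCRYPTED_EXT}")
    t = (base + timedelta(seconds=30)).isoformat()
    lines.append(f"{t}|WS-42|jsmith|FileCreate|C:\\Users\\jsmith\\Documents\\readme.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(" | ".join(alert))
```

The burst rule keys on a sliding window per host rather than on a daily count, because the damage is done within minutes; a real deployment would also suppress known-good bulk renames (migrations, archiving jobs) and feed the alert into an automated host-isolation action rather than a ticket.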

Targets of Black Basta Attacks

Black Basta campaigns typically focus on critical sectors, such as healthcare, because those organizations hold sensitive data and provide essential services that cannot stay offline for long, which raises the pressure to pay. It is important to remember, however, that these campaigns are not limited to this sector and can target any organization, large or small.

Effective Strategies to Combat Ransomware Threats

There are several simple best practices that organizations can use to defend against ransomware like Black Basta. To mitigate software vulnerabilities, organizations should update systems and software as soon as possible after patches are released, prioritizing internet-facing systems, since those are the ones exploited for initial access. Using multi-factor authentication (MFA) everywhere it is available makes account takeover much harder, because a phished password alone is no longer enough to log in. And finally, organizations should train employees to recognize phishing attempts and other social engineering attack vectors.

Preventing access is ideal, but it is not easy to stop persistent attackers. It is imperative that organizations keep current backups of all of their data, store at least one copy offline or in immutable storage that an attacker with domain privileges cannot encrypt or delete, and regularly test that the backups actually restore. In the event that a threat actor breaches your network and executes ransomware, reverting to backups is a much more palatable option than paying an expensive ransom.

Contact the Arkansas Cyber Defense Center

For further assistance and support in combating cybersecurity threats, organizations are encouraged to reach out to the Arkansas Cyber Defense Center (ACDC). Bolster your cybersecurity at no cost! Through grants from public safety and security agencies, the ACDC is able to offer free cybersecurity services to organizations throughout Arkansas. Visit forge.institute/acdc to access our services, sign up for our newsletter, and register for our latest training.

Sign up here: 'Defending your Organization 101: Remote Work Safety' on June 19, 2024.
