Introduction

Black Basta Ransomware Resurgence:

Cybersecurity researchers have uncovered a recent resurgence of Qakbot attacks, an information-stealing and banking trojan, employing various tactics like phishing emails with weaponized links to ZIP archives. Threat actors are using tools like Brute Ratel and Cobalt Strike for lateral movement within compromised environments. 

While Qakbot has been active since 2007, its modular design now enables it to act as a downloader for additional malware. The attackers have adapted their tactics following Microsoft's default blocking of macros in documents downloaded from the web. These attacks have been associated with the Black Basta ransomware group through overlapping techniques and infrastructure.

The goal of these attacks appears to be domain-wide ransomware deployment. The resurgence of Qakbot attacks includes techniques such as HTML file attachments, DLL side-loading, and email thread hijacking, with the hijacked emails harvested from successful ProxyLogon attacks on Microsoft Exchange servers. In 2023, the group has evolved its tradecraft to cover multiple intrusion vectors: credential stuffing, phishing, and remote desktop protocol exploitation.

Black Basta Ransomware: A Threat to Prominent Organizations

Black Basta ransomware, which emerged in April 2022, has been targeting prominent organizations in Europe and North America, including the outsourcing, technology, and manufacturing sectors. It is suspected to have ties to former Conti ransomware members and the FIN7 threat actor. Black Basta operates as a Ransomware-as-a-Service, offering tools and support to its affiliates. It steals data for double extortion and has expanded its targeting from Windows to ESXi systems. It employs various infection methods, exploits vulnerabilities, and uses strong encryption. The ransomware has affected over 200 organizations, primarily in the United States, with a significant portion having their data exposed publicly.

In one of the most recent attacks, Black Basta struck prominent organizations in Europe and North America. ABB, a Swiss technology multinational and U.S. government contractor, was attacked on May 7th, 2023, with significant impact on its factories through operational disruption and project delays. While ABB did not confirm the name of the group, well-placed sources point to Black Basta, citing the imprint of similar attack techniques. Similarly, arms maker Rheinmetall reported an attack with similar patterns.

The impact of the Black Basta ransomware on organizations can be significant. It can lead to financial losses due to ransom payments and potential legal consequences. Additionally, the exposure of sensitive data to the public can result in reputational damage, loss of customer trust, and potential regulatory penalties.

Impact

The Black Basta ransomware's targeted attacks on prominent organizations, along with its use of double extortion tactics and exposure of stolen data, will likely have several significant impacts on affected organizations. These include reputational damage, financial losses from ransom payments, and costs associated with data breaches and cybersecurity measures to prevent future attacks. Additionally, the ransomware's association with other threat actors and the utilization of advanced techniques like spear-phishing and exploiting vulnerabilities may raise concerns about the evolving and collaborative nature of cyber threats.

Black Basta Ransomware Email-Based Threat Mitigation: User-level actions

How should organizations counter a Black Basta attack on their enterprise? Users can thwart Qakbot variants and other threats that spread through email by following these known best practices:

  1. Email Verification: Encourage users to verify the email sender and content before downloading attachments or selecting embedded links from emails.
  2. Link Hovering: Train users to hover their pointer above embedded links to show the link's target before clicking.
  3. Sender Verification: Check the sender's identity. Look out for unfamiliar email addresses, mismatched email and sender names, and spoofed company emails as signs of malicious intent.
  4. Company Email Verification: If an email claims to come from a legitimate company, verify if they actually sent it before taking any action.
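As an added example that is not part of the original post, the following Python script applies the checks from items 1, 3 and 4 above to raw messages: an address in the display name that differs from the real sender, mail that names the company but comes from another domain, a Reply-To pointing elsewhere (a thread-hijacking hint), and ZIP or HTML attachments. The trusted domain `example.com` and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
COMPANY_DOMAIN = "example.com"                 # assumed trusted domain (placeholder)
RISKY_EXTENSIONS = (".zip", ".html", ".htm")  # lure types described above
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")

def triage(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no trait matched."""
    msg = message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    if not hdr or not hdr.addresses:
        return ["no parsable From address"]
    sender, findings = hdr.addresses[0], []
    from_domain = sender.domain.lower()
    # Sender verification: an address in the display name that differs from the real sender.
    for embedded in ADDR_RE.findall(sender.display_name):
        if embedded.lower() != from_domain:
            findings.append(f"display name shows {embedded} but sender is {from_domain}")
    # Company verification: names the company but is sent from another domain.
    if COMPANY_DOMAIN.split(".")[0] in sender.display_name.lower() and from_domain != COMPANY_DOMAIN:
        findings.append(f"claims {COMPANY_DOMAIN} but sent from {from_domain}")
    # Replies routed elsewhere suggest spoofing or a hijacked thread.
    reply = msg["Reply-To"]
    if reply and reply.addresses and reply.addresses[0].domain.lower() != from_domain:
        findings.append(f"Reply-To goes to {reply.addresses[0].domain}")
    # Attachment check: ZIP archives and HTML files are the lures named above.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings

# Constructed sample messages (not real mail); the ZIP payload is a stub.
SUSPICIOUS = """\
From: "IT Support <helpdesk@example.com>" <billing@examp1e-mail.net>
Reply-To: replies@other-domain.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBA==
--b1--
"""
LEGIT = "From: Jane Doe <jane@example.com>\nSubject: Notes\n\nHi.\n"
```

Running `triage(SUSPICIOUS)` returns all four findings, while `triage(LEGIT)` returns an empty list.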

Recommendations to combat Black Basta Ransomware: Enterprise-level actions

There are several recommendations that organizations can follow to protect themselves from ransomware attacks:

  1. Implement Strong Cybersecurity Measures: Ensure that your organization installs and maintains effective antivirus and firewall software. Regularly apply security patches and updates to all systems.
  2. Employee Training: Train employees on cybersecurity best practices, focusing on identifying and avoiding phishing attacks. Teach them how to recognize and report suspicious activity.
  3. Backup and Disaster Recovery Plans: Develop and maintain robust backup and disaster recovery plans. Regularly back up important data and have a clear plan in place for recovering from a ransomware attack.
  4. Secure Remote Access: Ensure that remote access protocols, such as RDP, are secured and kept up to date to prevent unauthorized access.
  5. Regular Security Monitoring: Continuously monitor and review security protocols and systems to identify vulnerabilities and potential weaknesses that can be addressed before an attack occurs.
  6. Cyber Insurance: Consider purchasing cyber insurance, which can provide financial protection in the event of a ransomware attack and access to resources and expertise for responding to and recovering from an attack.
  7. Antivirus and IPS Updates: Keep all antivirus and intrusion prevention system (IPS) signatures up to date to defend against the latest threats.
  8. Phishing Awareness: Use phishing simulation services to train employees in detecting phishing threats. Add modules on internet threats and phishing to employee training programs.
  9. Data Backup Protocols: Make changes to data backup protocols to better protect against ransomware, ensuring that backups are secure and up to date.
  10. Advanced Security Measures: Consider using cloud-based security solutions, advanced endpoint security, and zero trust access and network segmentation strategies to minimize risk and reduce the impact of a successful ransomware attack.
  11. Cybersecurity Expertise: Utilize as-a-service offerings from cybersecurity experts to enhance your organization's security posture.
  12. No Ransom Payments: Never pay the ransom, as it may not guarantee file recovery and could encourage further attacks or illegal activities.

Emerging Threats Mitigation Techniques

  1. Cobalt Strike Awareness: Stay informed about the use of Cobalt Strike and of living-off-the-land binaries (LOLBins) by threat actors, and be vigilant about their potential use in attacks.
  2. Red Team and Penetration Testing Tools: Be cautious of the use of red team or penetration-testing tools by malicious actors. Monitor and assess the tools to detect any signs of compromise.
  3. Managed Detection and Response (MDR): Implement managed detection and response solutions that leverage advanced artificial intelligence to correlate and prioritize threats. This helps in identifying and preventing threats before they are executed, reducing the risk of compromise.

Don’t have the expertise to fight against ransomware like Black Basta?

Engage cyber security partners with experience in fighting multi-vector attacks, a strong global presence, and the technical know-how to develop and implement an incident response plan for a ransomware attack. This plan should include steps for containment, eradication, recovery, and lessons learned.

Tata Communications security experts can help you protect your organization from ransomware attacks and guide you on how to respond effectively if an attack does occur. Speak to an expert now!
