Blog

New ransomware gang 'Black Basta'

Cybercriminals function on the principle that disrupting legitimate businesses’ is the secret to thriving in the ever-expanding digital landscape. This thought process drives them to innovate and develop robust attack techniques. With businesses tightening their security perimeter, individual criminals have resorted to joining hands with like-minded players to form ransomware gangs. Ganging up helps them target several companies at once and get bigger payouts. According to BlackFog's statistical reports 2022, ransomware gangs and malicious hackers are targeting industries like technology, manufacturing, healthcare, and government. The impact of such gangs can be gauged by a sharp uptick in average ransomware demands, which jumped 518% in 2021 compared to 2020. One of the most recent ransomware gangs that have emerged is known as Black Basta.

The Black Basta ransomware gang 

The cyber-world has encountered renewed onslaught from a new ransomware gang, Black Basta, which emerged on the scene in April 2022. It has so far masterminded several breaches and demanded millions of dollars in ransom after encrypting or stealing data. Companies cutting across sectors and geographies have been the target of this gang. In little over a month, this cybercriminal group has infiltrated 12 different companies, including the Deutsche Windtechnik (11th April) and the American Dental Association (22nd April). 

How does the gang use the ransomware?

This ransomware gang uses ransomware christened Black Basta, which leverages multi-extortion techniques. Its encryptor algorithm requires administrative privileges to execute the encryption process. The malware used by this gang is quite tough to detect because it works in stealth and rarely manifests any symptoms. It hijacks any existing Windows services (for example, the Fax service in Windows) and uses them to launch the encryption process. Also, it exfiltrates sensitive and personal corporate data before encrypting them. 

The ransomware gang does so to threaten release if the victim does not pay up. The gang has been known to use the double extortion technique and release a few files at a time on the web to pressure the company. 

Black basta wallpaper

Once exfiltrated and encrypted, each file within the victim's system gets converted to a ".basta" file extension. To warn the victim, the ransomware will change the victim's desktop wallpaper with the message: "Your network got encrypted by the Black Basta group. Instructions in the file readme.txt." This text file will contain a link and unique ID to negotiate the ransom. Further, the ransomware pivots the victims to a Tor network where the gang hosts the "Black Basta Blog" or "Basta News" sites. These sites showcase a list of all Black Basta victims who did not pay up. Cybersecurity expert Michael Gillespie analyzed this ransomware's encryption process and concluded that it utilizes the ChaCha20 algorithm for encrypting the files. This ChaCha20 encryption technique uses a robust public RSA-4096 key.

How can enterprises protect against this ransomware gang?

The first telltale sign of a breach is that the victims will see a perceptible lag in their system. You can scan the running services to detect impulsive, malicious, and unfamiliar processes draining your RAM and CPU power. 

Here are a few proactive steps you can take to help protect your data from the Black Basta gang. 

  • Enabling robust defence strategies

Deploying defensive programs and applications like web filtering, endpoint scanning and filtering tools, anti-ransomware solutions, firewalls, network traffic analyzers, etc., can help the entire corporate system prevent ransomware threats.

  • Create multiple isolated backups

Encrypted data backup on multiple isolated devices helps protect companies' day-to-day digital records and valuable data from ransomware attacks. Continuous backup and encrypting of sensitive data will make it hard for the ransomware gangs to steal and blackmail the company.

  • Leverage Cloud data loss prevention (DLP)

Ransomware gangs try to exfiltrate sensitive data first. Implementing cloud DLP solutions will help analyze the scope and context of various inbound and outbound data packets. DLP also provides threat pattern recognition algorithms to predict threats and prevent data loss and sensitive data leakage.

Featured Posts

See All

December 10 - Blog

Hardware Token Protocols

Hardware token protocols: what are they, and what role do they play in your organization's cybersecurity? In today's article, our ethical hackers outline the most common hardware token protocols.

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

Packetlabs Company Logo
    • Toronto | HQ
    • 401 Bay Street, Suite 1600
    • Toronto, Ontario, Canada
    • M5H 2Y4
    • San Francisco | HQ
    • 580 California Street, 12th floor
    • San Francisco, CA, USA
    • 94104