Black Basta Might Be An All-Star Ransomware Gang Made Up Of Former Conti And REvil Members

Image: normalfx/Adobe Stock

Earlier this month, a report emerged that the ransomware group Conti had split, with many members of the collective joining or creating new adversary groups, and warned that these former members were more dangerous than ever. As of today, that warning may have become a reality. A new ransomware group called Black Basta, founded in April 2022 and believed to be made up of former Conti and REvil members, has become a notable player in the ransomware game.

Current members of Conti deny any involvement with the new group and, according to posts on Conti’s hacking forum, dismiss the Black Basta group as simply “children.”

Findings released today by XDR company Cybereason detail the activities of this new gang, along with ways both companies and individuals can try to protect themselves from the activities of this newly formed group.

Black Basta emerging as a ransomware group

For starters, in the short time it has been in existence, the hacking collective has already victimized 50 organizations in the United States, United Kingdom, Australia, New Zealand and Canada. Cybereason says it believes former members of some of the leading hacking groups make up the new gang due to the nature of their attacks and their chosen targets.

“Because Black Basta is relatively new, not much is known about the group,” said Lior Div, CEO and co-founder of Cybereason. “Due to their meteoric rise and the precision of their attacks, Black Basta is likely to be run by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”

The ransomware used by Black Basta is, according to Cybereason, a new one that uses double extortion techniques. The gang steals the files of a victim organization and then threatens to publish the stolen files if ransom demands are not met. According to Cybereason, the group demanded up to millions of dollars from their victims to keep the stolen data private.

The attack itself is carried out in collaboration with QBot malware, which streamlines the ransomware process for groups like Black Basta by facilitating exploration of the network while collecting data about the target. Once Black Basta has done enough reconnaissance, the gang targets the domain controller and moves laterally using PsExec.

The adversary then disables Windows Defender and all other antivirus software using a compromised GPO. Once the defensive software is disabled, Black Basta deploys the ransomware using an encoded PowerShell command that uses Windows Management Instrumentation to push the ransomware to IP addresses specified by the group.
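The chain just described leaves three distinct traces on endpoints: a PsExec image being launched, the Windows Defender policy keys that a disabling GPO writes, and a PowerShell process started with an encoded command that turns out to drive WMI. The following is an added example, not code from the article, TechRepublic or Cybereason, showing how a defender can hunt for those traces. The event shape (a simplified mix of process-creation and registry-set records), the hostnames, the file paths and the encoded blobs are all constructed for the example; the policy registry path and value names are the real ones Defender reads.

```python
"""Hunt for the Black Basta-style deployment chain in constructed endpoint logs.

Added example (not from the article or Cybereason). It flags the three stages
the report describes: PsExec lateral movement, Defender switched off through a
policy registry value, and an encoded PowerShell command that invokes WMI.
The record shape, hosts, paths and sample blobs are assumptions for this demo.
"""
import base64
import re

# Assumed record shape for this example (not a real log schema):
#   {"event": "process",  "host": ..., "image": ..., "cmdline": ...}
#   {"event": "registry", "host": ..., "key": ..., "value": ..., "data": ...}

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
WMI_INDICATORS = ("invoke-wmimethod", "win32_process", "get-wmiobject",
                  "invoke-cimmethod", "wmic")
# Policy path a Defender-disabling GPO writes to, and the two kill-switch values.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_KILL_SWITCHES = {"disableantispyware", "disablerealtimemonitoring"}

# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.
    PowerShell expects the blob to be base64 over UTF-16LE text."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(record):
    """Return the list of rule names a single record triggers."""
    hits = []
    if record["event"] == "process":
        image = basename(record["image"])
        cmd = record["cmdline"].lower()
        if image in PSEXEC_IMAGES:
            hits.append("psexec_lateral_movement")
        if image in POWERSHELL_IMAGES:
            script = decode_encoded_command(record["cmdline"])
            if script is not None:
                hits.append("encoded_powershell")
                # Decoding is what lets us see the WMI call hidden in the blob.
                if any(tok in script.lower() for tok in WMI_INDICATORS):
                    hits.append("encoded_powershell_wmi")
        if "set-mppreference" in cmd and "-disable" in cmd:
            hits.append("defender_tamper_cmdline")
    elif record["event"] == "registry":
        if (record["key"].lower().startswith(DEFENDER_POLICY_KEY)
                and record["value"].lower() in DEFENDER_KILL_SWITCHES
                and str(record["data"]) == "1"):
            hits.append("defender_disabled_by_policy")
    return hits


def detect(records):
    """Return (host, rule) pairs, in log order, for every record that trips a rule."""
    return [(r["host"], rule) for r in records for rule in classify(r)]


def encode_ps(script):
    """Build an -EncodedCommand blob the way PowerShell expects; used here only
    to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; hosts, paths and scripts are invented for the example.
SAMPLE_EVENTS = [
    {"event": "process", "host": "WS01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"event": "process", "host": "WS01", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\DC01 cmd.exe"},
    {"event": "registry", "host": "DC01",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"event": "process", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "Invoke-WmiMethod -Class Win32_Process -Name Create "
         "-ArgumentList 'C:\\CONSTRUCTED\\sample.exe'")},
    {"event": "process", "host": "WS03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps("Get-Date")},
]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The benign encoded `Get-Date` on WS03 still produces an `encoded_powershell` hit, which is deliberate: encoded commands are unusual enough on most workstations to be worth a look, but only the decoded WMI content escalates WS02 to the higher-confidence rule. A GPO-driven Defender change appears as a registry-set event (Sysmon event 13 or a comparable registry audit), not a process command line, which is why the registry rule is separate from the `Set-MpPreference` command-line rule.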


How can organizations protect themselves against this ransomware?

As always, a zero trust architecture can help prevent these types of attacks from hitting an organization. By not trusting any file or link until it has been sufficiently verified as legitimate, companies and their employees can spare themselves a lot of time and headache by doing everything they can to avoid being victimized. It also helps to ensure that all system patches are up to date: ransomware groups have been identified exploiting vulnerabilities in a number of outdated software components, such as the Windows Print Spooler exploit observed in May 2022. Finally, always make sure that all antivirus software is up to date as well.