Black Basta Ransomware Gains Ground
Researchers with security firm Cybereason published a report on a new strain of ransomware that entered circulation only in recent months yet has already claimed almost 50 victims in English-speaking countries, including the US, the United Kingdom, Australia and New Zealand.
This meteoric rise to infamy took the Black Basta ransomware gang just two months and put its name squarely in the spotlight of security researchers.
The gang offers Black Basta on a ransomware-as-a-service (RaaS) basis. The malicious tool was advertised on dark web forums using the typical RaaS model, with a profit-sharing plan for "affiliates" who carry out attacks using the ransomware.
Black Basta's mode of operation is the one most ransomware gangs employ: double extortion. Files on the victim's systems are encrypted, and some of them are exfiltrated before encryption so that they can be used as leverage, with the gang threatening to leak sensitive information if the ransom is not paid.
Attacks culminating in the deployment of Black Basta used QBot to harvest credentials from compromised systems, then moved laterally across the victim network to deploy the ransomware on as many hosts as possible. The ransomware also has a variant built for Linux, specifically targeting VMware ESXi hosts and the virtual machines running on enterprise servers.
Security researchers believe the Black Basta gang is made up of former Conti members, although Conti has denied this. Conti is doing its best to convince the world that the outfit is no more, but researchers think that while the entity known as Conti may indeed have dissolved, fragments of the team have moved on to other cybercriminal gangs.