A new ransomware group called Black Basta is claiming to have successfully hit 50 victims, while the veteran but evaporating Conti gang — which may have links to the rookie — has gone out with a rocket.
That’s according to two recent reports by researchers at security providers.
“In just two months,” say researchers at Cybereason, “the Black Basta gang has added nearly 50 victims to their list as of the publishing of this report, making them one of the most prominent ransomware groups recently.”
The gang, whose strategy includes stealing and threatening to release data as well as encrypting files, is targeting organizations in the United States, Canada, United Kingdom, Australia, and New Zealand.
In early June, the report says, Black Basta added support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
The report notes that early this month, the Bleeping Computer news site reported that the Black Basta ransomware gang has partnered with the QBot malware operation to spread their ransomware.
Some researchers suspect those behind Black Basta have links to the Conti gang, in part because of similarities in the appearance of its leak Tor site, its ransom note, its payment site and behavior of the Black Basta support team. Conti has denied the claim in words this website won’t repeat, alleging Black Basta are “f&^$ing kids.”
As we reported in May, security researchers at Advanced Intelligence concluded that month that the Conti ransomware gang’s brand is dead, because its infrastructure related to negotiations, data uploads, and hosting of stolen data has been shut down. If so, according to a new report from researchers at Singapore-based Group-IB, it went out with a bang: In slightly more than a month at the end of 2021, Conti compromised more than 40 organizations worldwide in only three days. Victims were from the U.S., Canada, Germany, Switzerland, the Netherlands, Spain, France, the Czech Republic, Sweden, and Denmark.
By the end of 2021 Conti had become one of the largest and most aggressive ransomware groups, the report says, having published stolen data from 530 companies on its data leak site since its inception in 2020. In just four months of this year, it posted information belonging to 156 companies, making for a total of 859 victim organizations on the site in two years. In April alone it successfully hit 46 organizations, including the government of Costa Rica, which was forced to declare a state of emergency.
However, taking Russia’s side in its invasion of Ukraine resulted in some of Conti’s valuable information being leaked online. The Group-IB report notes leaked data included private chat logs, the servers they use, a list of victims, and details of Bitcoin wallets, which stored over 65,000 BTC in total. The leaked chats revealed that the group had faced serious financial difficulties and that their boss had gone off the radar. Yet its members were fully prepared to restart the project after several months.
Its future isn’t clear: Has it disbanded, gone on sabbatical, or linked up with other groups?
Cybereason’s advice to CISOs on protecting against ransomware includes the following:
- Keep systems fully patched: Make sure your systems are patched in order to mitigate vulnerabilities;
- Regularly backup files to a remote server: Restoring your files from a backup is the fastest way to regain access to your data;
- Use security solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering.
Robert Shaughnessy, vice-president of federal operations at Virginia-based cybersecurity provider GRIMM, noted that Black Basta’s attempts to leverage VMware ESXi hypervisor host machines give it access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall time to ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks, he said in an email.
“Even though emerging ransomware gangs are beginning to use novel tools, techniques, and procedures (TTPs),” he added, “including VM hypervisor attacks, they are not invincible. As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”
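The last piece of that advice, watching for atypical utilization and access-rights modifications, is the one that is easiest to turn into a concrete check. The script below is an added example, not code from the article, Cybereason or GRIMM: it scans a handful of constructed Linux auth-log lines (hostnames, usernames, IPs and timestamps are all made up) and raises an alert when an account is added to a privileged group, when sudo is used to touch a sensitive file such as /etc/sudoers, or when one account logs in repeatedly from one source outside working hours. The rule names, group list and thresholds are assumptions a defender would tune for their own environment.

```python
"""Added example: flag access-rights changes and off-hours login bursts
in auth-log style lines. Sample data below is constructed, not real."""
import re
from collections import Counter

# Constructed sample log lines in the usual syslog/auth.log shape.
SAMPLE_LOG = """\
Jun 10 02:14:03 host1 usermod[4120]: add 'svc_backup' to group 'sudo'
Jun 10 02:14:09 host1 sudo: svc_backup : TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Jun 10 02:15:11 host1 sshd[4133]: Accepted publickey for svc_backup from 10.0.0.25 port 51522 ssh2
Jun 10 02:15:40 host1 sshd[4140]: Accepted publickey for svc_backup from 10.0.0.25 port 51530 ssh2
Jun 10 02:16:02 host1 sshd[4151]: Accepted publickey for svc_backup from 10.0.0.25 port 51544 ssh2
Jun 10 02:16:30 host1 sshd[4162]: Accepted publickey for svc_backup from 10.0.0.25 port 51551 ssh2
Jun 10 09:00:00 host1 sshd[5001]: Accepted password for alice from 10.0.0.7 port 40000 ssh2
Jun 10 09:05:12 host1 usermod[5020]: add 'alice' to group 'docker'
"""

# Assumed policy values; tune these for the real environment.
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}
SENSITIVE_FILES = ("/etc/sudoers", "/etc/passwd", "/etc/shadow")

GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_CMD = re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} (?P<hour>\d{2}):\d{2}:\d{2}")


def analyze(log_text, login_burst=3, work_hours=(7, 19)):
    """Return a list of (rule, user, detail) alerts for the given log text.

    login_burst: number of off-hours logins from one (user, source) pair
                 that triggers an alert (emitted once, when the count is hit).
    work_hours:  [start, end) hour range treated as normal working time.
    """
    alerts = []
    off_hours_logins = Counter()

    for line in log_text.splitlines():
        # 1. Account added to a privileged group (access-rights modification).
        m = GROUP_ADD.search(line)
        if m and m["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", m["user"], m["group"]))

        # 2. sudo used to edit a sensitive file.
        m = SUDO_CMD.search(line)
        if m and any(path in m["cmd"] for path in SENSITIVE_FILES):
            alerts.append(("sensitive_file_via_sudo", m["user"], m["cmd"]))

        # 3. Repeated off-hours logins from one source (atypical utilization).
        m = SSH_LOGIN.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            hour = int(ts["hour"]) if ts else work_hours[0]
            if not (work_hours[0] <= hour < work_hours[1]):
                key = (m["user"], m["src"])
                off_hours_logins[key] += 1
                if off_hours_logins[key] == login_burst:
                    alerts.append(("off_hours_login_burst", m["user"], m["src"]))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] user={user} detail={detail}")
```

In the sample, `svc_backup` trips all three rules (added to `sudo`, edits /etc/sudoers via sudo, four logins from one address at 02:00), while `alice` trips none: `docker` is not in the privileged-group list and her single login is during working hours. In practice the same logic would sit behind a SIEM query or EDR rule rather than a script, and the group list and sensitive paths would be extended to cover the hypervisor management plane the article describes.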