Black Basta may be an all-star ransomware gang made up of former Conti and REvil members

The group has targeted 50 companies from English-speaking countries since April 2022.


Earlier this month, a report surfaced that the Conti ransomware group had broken up, with many members of the collective joining or creating new adversary factions, and explained why that made these former members more dangerous than ever. That prediction may now have come true. A new ransomware group by the name of Black Basta has become notable in the ransomware game; it was formed in April 2022 and is believed to be made up of former Conti and REvil members.

However, current Conti members dispute any involvement with the new group, dismissing Black Basta as just “kids,” according to posts on the Conti hacking forum.

Findings released today by XDR company Cybereason detail the activities of this new gang, along with ways both companies and individuals can try to stay safe from this newly formed group.

Black Basta emerges as a ransomware group

For starters, the hacker collective has already victimized 50 organizations in the US, UK, Australia, New Zealand, and Canada in the short time it’s been in existence. Cybereason says it believes that former members of some of the major hacking groups make up the new gang due to the nature of their attacks and chosen targets.

“Since Black Basta is relatively new, not much is known about the group,” said Lior Div, CEO and co-founder of Cybereason. “Due to its rapid rise and the precision of its attacks, Black Basta is likely to be operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”

The ransomware employed by Black Basta is new, according to Cybereason, using double extortion techniques. The gang steals files from a victim organization and then threatens to publish the stolen files if ransom demands are not met. The group had allegedly been demanding up to millions of dollars from its victims to keep the stolen data private, according to Cybereason.

The attack itself is carried out through a partnership with QBot malware, which streamlines the ransomware process for groups like Black Basta, allowing for easier reconnaissance while collecting data about the target. Once Black Basta has done an adequate amount of surveillance, the gang targets the domain controller and moves laterally using PsExec.

The adversary then disables Windows Defender and any other antivirus software through the use of a compromised Group Policy Object. Once any defense software has been disabled, Black Basta deploys the ransomware using an encoded PowerShell command that leverages Windows Management Instrumentation to deliver the ransomware to group-specified IP addresses.
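The chain described above (PsExec for lateral movement, a Group Policy Object that switches Defender off, and WMI-launched encoded PowerShell) leaves distinctive traces in standard Windows telemetry. The following detection script is an added example written for this article; it is not code from the article or from Cybereason's report. It parses a handful of constructed, flattened log lines (hostnames, paths and the "encoded" payload are made up) and applies three rules: a System log event 7045 installing the PSEXESVC service, a Sysmon event 13 writing a Defender policy value under HKLM\SOFTWARE\Policies, and a Sysmon event 1 where WmiPrvSE.exe spawns powershell.exe with an -enc style switch. Hosts that trip two or more distinct rules are reported as likely ransomware staging.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Each line is a flattened
# Windows / Sysmon event rendered as key=value pairs; quoted values may
# contain spaces. Hostnames, account names and the encoded payload are made up.
SAMPLE_LOGS = [
    r'host=dc01 event_id=7045 service_name=PSEXESVC image_path="C:\Windows\PSEXESVC.exe" account="CORP\svc-admin"',
    r'host=ws17 event_id=13 target_object="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware" details="DWORD (0x00000001)"',
    r'host=ws17 event_id=1 parent_image="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" command_line="powershell -nop -w hidden -enc PLACEHOLDERBASE64"',
    r'host=ws22 event_id=1 parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" command_line="notepad.exe"',
    r'host=ws17 event_id=7045 service_name=Spooler image_path="C:\Windows\System32\spoolsv.exe" account=LocalSystem',
]

# key=value tokens; the value is either a double-quoted run or a bare word.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Registry values a GPO writes when it turns Defender components off.
DEFENDER_POLICY_KEYS = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
)

# PowerShell accepts -e, -ec, -en, -enc or -encodedcommand for an encoded script.
ENCODED_SWITCH_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value event line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect_psexec_service(ev: Dict[str, str]) -> Optional[str]:
    # System log event 7045: a new service was installed. PsExec drops and
    # registers PSEXESVC on the remote host it is driving.
    if ev.get("event_id") == "7045" and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_lateral_movement"
    return None


def detect_defender_disabled_by_policy(ev: Dict[str, str]) -> Optional[str]:
    # Sysmon event 13: registry value set. A value of 1 under the policy
    # hive is what a Group Policy Object writes to switch Defender off.
    if ev.get("event_id") != "13":
        return None
    target = ev.get("target_object", "").lower()
    if target in (k.lower() for k in DEFENDER_POLICY_KEYS) and ev.get("details", "").endswith("(0x00000001)"):
        return "defender_disabled_by_policy"
    return None


def detect_wmi_spawned_powershell(ev: Dict[str, str]) -> Optional[str]:
    # Sysmon event 1: process creation. Remote WMI execution runs under
    # WmiPrvSE.exe, so PowerShell with that parent is a strong signal on its
    # own; an encoded-command switch makes it stronger.
    if ev.get("event_id") != "1":
        return None
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if not (parent.endswith("\\wmiprvse.exe") and image.endswith("\\powershell.exe")):
        return None
    encoded = ENCODED_SWITCH_RE.search(ev.get("command_line", "").lower()) is not None
    return "wmi_spawned_encoded_powershell" if encoded else "wmi_spawned_powershell"


RULES = (detect_psexec_service, detect_defender_disabled_by_policy, detect_wmi_spawned_powershell)


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; return one finding per rule hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            tag = rule(ev)
            if tag:
                findings.append({"host": ev.get("host", "?"), "event_id": ev.get("event_id", "?"), "finding": tag})
    return findings


def hosts_with_chain(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts with two or more distinct findings: likely ransomware staging."""
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["finding"])
    return sorted(host for host, tags in seen.items() if len(tags) >= 2)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for hit in hits:
        print(f"{hit['host']:6} event {hit['event_id']:>5}  {hit['finding']}")
    print("hosts with a multi-stage chain:", hosts_with_chain(hits))
```

In a real deployment the parse_event step would be replaced by the SIEM's own field extraction; the value of the rules is that each one keys on a single well-known event ID plus one field, so they are cheap to run and easy to tune, and the per-host correlation turns individually noisy signals (an admin legitimately using PsExec, say) into a much higher-confidence alert.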


How can organizations protect themselves from this ransomware?

As always, employing a zero-trust architecture can help prevent these types of attacks from affecting an organization. By not trusting any file or link until it has been properly verified to be legitimate, businesses and their employees can save a great deal of time and headache and avoid being victimized. Keeping all system patches up to date also helps: ransomware groups have been found to take advantage of vulnerabilities in a number of outdated software elements, such as the Windows Print Spooler exploit seen in May 2022. Lastly, always make sure all antivirus software is up to date as well.
