Black Basta ransomware: what MSPs need to know
Your primary focus is always helping your clients manage modern cyberthreats. One such threat that has been making headlines recently is Black Basta ransomware.
What makes Black Basta ransomware notable is the group behind it, a cybercriminal organization responsible for numerous high-profile attacks. In this blog post, we'll analyze Black Basta ransomware, describe recent attacks, and discuss how you can protect clients from this threat.
What is Black Basta ransomware?
Black Basta ransomware was first identified in early 2022. It’s known for its double extortion tactic: the attackers steal sensitive data, encrypt the victim's files, and then threaten to publish the stolen data if the victim doesn’t pay. The ransomware is operated by a Russian-speaking threat group whose members appear to have prior ransomware experience.
Cybercrime experts speculate that Black Basta is an offshoot of the Russian-speaking ransomware-as-a-service group Conti, or that it is connected to other Russian-speaking cybercriminals. Black Basta shares similar tactics, techniques, and procedures (TTPs) with other ransomware groups, such as BlackMatter, reinforcing the idea that the group is highly experienced.
Black Basta typically gains initial access through phishing emails or by exploiting unpatched software vulnerabilities. Once it is running on a system, it deletes all Volume Shadow Copies, the Windows snapshots that local restore and many backup tools rely on, so the victim cannot roll files back; analyzed samples do this with the built-in vssadmin utility (`vssadmin delete shadows /all /quiet`). The desktop wallpaper is replaced with a dropped JPG image, and encrypted files are given a new extension whose icon is a dropped ICO file (ICO is the image format Windows uses for icons), so every encrypted file is visibly marked in Explorer.
Unlike some other ransomware families, Black Basta reportedly does not limit encryption to a list of file extensions. It does, however, leave critical system folders alone, so the machine still boots and the victim can read the ransom note.
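Shadow copy deletion is one of the few Black Basta behaviours an MSP can alert on before encryption finishes. The following Python snippet is an added example written for this post (it is not code from ConnectWise or from any Black Basta analysis) showing how such a detection looks when run over process-creation events. The events are constructed for the example; the vssadmin pattern is the command reported for Black Basta, and the other patterns are generic equivalents (MITRE ATT&CK T1490) that other ransomware operators use, included on the assumption that you want the rule to survive small changes in tooling.

```python
import re

# Constructed sample process-creation events in the shape of Sysmon Event ID 1 /
# Windows Security 4688 records. These are made up for this example, not
# telemetry from any real Black Basta incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "cmdline": "powershell -nop -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""},
    {"host": "WS03", "user": "CORP\\asmith",
     "cmdline": "\"C:\\Program Files\\Backup\\agent.exe\" --snapshot"},
]

# Command-line patterns for shadow-copy destruction (MITRE ATT&CK T1490,
# Inhibit System Recovery). The vssadmin "delete shadows" form is the one
# reported for Black Basta; the rest are equivalent commands used by other
# ransomware families, included so the rule does not hinge on one exact string.
SHADOW_COPY_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\s*\(\s*\)", re.I),
]


def is_shadow_copy_tampering(cmdline: str) -> bool:
    """Return True if the command line matches a shadow-copy tampering pattern."""
    return any(p.search(cmdline) for p in SHADOW_COPY_TAMPER_PATTERNS)


def find_shadow_copy_tampering(events):
    """Return (host, user, cmdline) for every event that should raise an alert.

    Read-only commands such as 'vssadmin list shadows' and unrelated backup
    agents are deliberately not matched, to keep the rule's false-positive
    rate low.
    """
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if is_shadow_copy_tampering(e["cmdline"])]


if __name__ == "__main__":
    for host, user, cmdline in find_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {cmdline}")
```

To use this for real you need command-line logging turned on (Sysmon Event ID 1, or Security 4688 with "Include command line in process creation events" enabled) and forwarded to your SIEM. Legitimate administrators and backup products almost never run `vssadmin delete shadows` on a workstation, so the hit itself is high-signal; tune on user and parent process rather than on the command string.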
Recent Black Basta ransomware attacks
In recent years, the Black Basta ransomware group has been responsible for several high-profile attacks on companies across many industries. Here are some of the victims of its recent ransomware attacks.
Capita
The Black Basta ransomware group attacked Capita, a UK-based outsourcing company, in April 2023. Initially, the company downplayed the attack, calling it a "minor security incident." It later became clear that the attack involved the deployment of ransomware.
The Black Basta group claimed responsibility by adding Capita to the victim list on its darknet leak site. Despite this, Capita was slow to disclose the full extent of the attack and its consequences. As of April 2023, the company had acknowledged only a minor incident and disputed claims that data had been stolen, even though the attackers had published data samples suggesting otherwise.
American Dental Association
The American Dental Association (ADA) suffered a cyberattack in April 2022, and the Black Basta ransomware group claimed responsibility. The group claimed to have stolen around 9GB of data, of which approximately 2.8GB was leaked online.
The leaked data included sensitive information such as W-2 forms, NDAs, accounting spreadsheets, and information on ADA members. A leak like this can be particularly harmful to the small dental practices downstream, which often lack dedicated IT personnel and may not have the resources to fully secure their networks.
Knauf
On July 16, 2022, the Black Basta ransomware group added Knauf to its list of victims, confirming earlier suspicions that a threat actor was behind the incident. The group later published 20% of the stolen data, which included user information, sensitive employee data, ID scans, and product documents. The attack caused significant disruption to Knauf's business operations, forcing the company to shut down all IT systems to contain the incident.
Tips for protecting your clients against Black Basta ransomware
As Black Basta and other ransomware groups continue to target businesses and organizations worldwide, it’s vital to take measures to protect your clients against these threats. Here are some tips:
- Keep your systems up-to-date: Regularly update operating systems, applications, and security tools so that the known vulnerabilities ransomware operators exploit for initial access are closed before they can be used.
- Use multi-factor authentication (MFA): Implement MFA wherever possible, especially on remote access (VPN, RDP gateways), email, and the RMM and backup consoles an MSP relies on. To gain access, users must provide two or more forms of authentication, such as a password and a hardware token or biometric factor.
- Train employees: Teach end users to recognize phishing emails and other common tactics used by ransomware groups. ConnectWise has several options to help MSPs stay ahead of the landscape, including our cybersecurity glossary, cybersecurity center, and threat reports.
- Back up your data: Keep regular backups off-site, for example on an external drive stored in a different location or in a cloud backup service. Note that a synced cloud drive such as Google Drive or Microsoft OneDrive is only a backup if file versioning is enabled, because encrypted files sync up just like any other change. Keep at least one copy offline or immutable and isolated from production credentials, since Black Basta deletes local shadow copies and ransomware operators routinely target reachable backups, and test restores regularly so you know you can recover.
- Use a reputable cybersecurity solution: Consider working with a solutions provider with robust cybersecurity service offerings to help you identify and mitigate potential risks.
It's important to take these steps to protect your clients and their sensitive information from the impact of ransomware attacks. Implementing these best practices will significantly reduce the likelihood of an attack and minimize the potential damage if one does occur.
Remember, cybercriminals are constantly evolving their tactics, so stay vigilant in your cybersecurity efforts.
Safeguard your data from Black Basta ransomware
As ransomware attacks and other malware continue to pose significant threats to businesses, it's important to stay informed and take proactive steps to protect your organization and clients against threats.
ConnectWise offers a range of solutions to help secure your systems and data. Learn more about our Security Information & Event Management (SIEM) solutions or watch a live demo of our cybersecurity suite today. Don't let cybercriminals take advantage of your business—take action now to stay secure.