A new ransomware gang dubbed Black Basta is exfiltrating corporate data and documents before encrypting the firm’s devices. It has quickly catapulted into operation this month and has targeted more than twelve firms in just a few weeks.
The malicious actors then employ stolen data in double-extortion assaults and demand hefty amounts to decrypt files and prevent the publishing of the victim's stolen data.
According to BleepingComputer, the American Dental Association was targeted by Black Basta last weekend, prompting the shutdown of some parts of its network. The ADA sent emails to its members noting that some of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, have been disrupted as a result of the attack.
Impacted systems were immediately taken down, with the ADA leveraging Gmail addresses while its email systems are offline. State dental associations, including those in Florida, New York, and Virginia, have also been hit by the ADA breach.
The attackers claimed to have leaked 2.8GB of data, which they believe accounts for about 30% of the stolen data from the attack. The exfiltrated files include non-disclosure agreements, W2 forms, accounting spreadsheets, and ADA member data.
The researchers first uncovered the Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. While not much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums.
Black Basta modus operandi
The ransomware infiltrates into an existing Windows service and exploits it to launch the ransomware decryptor executable. The ransomware then changed the wallpaper to display a message stating, “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt” and reboot the computer into Safe Mode with Networking.
According to security expert Michael Gillespie, the portal Black Basta ransomware utilizes the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file that has information about the attack and a link and unique ID to log in to the negotiation chat session with the threat actors.
Subsequently, the ransomware operators demand a ransom and threaten to leak data if payment is not made in seven days, and promise to secure data after a ransom is paid. Unfortunately, the encryption algorithm is secure and there is no way to recover files for free. The data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which contains a list of all victims who have not paid a ransom.