IBM Security X-Force has been keeping an eye on Black Basta, the latest ransomware gang that first surfaced in April 2022. Until now, Black Basta has claimed to attack over 29 different targets in various industries via double extortion techniques. In double extortion, the threat actors execute ransomware along with stealing data and blackmail to post it publicly unless their ransom demands are not met.
The data discourse points of these ransomware attacks take place on a data leak website called Tor network. To make the victim pay the ransom, the Black Basta group progressively publishes the stolen data on the leak site. The group is still in the early phase of its organization, X-Force has not found any pieces of evidence of distributing the malware or hiring threat actors on underground platforms or the dark web.
Due to similarities in operations and no affiliation attempts, experts believe that the Black Basta group is a new version of Conti gan, infamous ransomware groups already having various affiliates. But Conti group recently announced that it has no links with the Black Basta ransomware group. X-Force is currently finding the relationship between these two.
Black Basta ransomware gang works at a very high pace, it hardly alerts the cybersecurity defenders and by the time they realize, the damage has already been done. Experts say it doesn't seem that Black Basta is attacking specific industries or verticals. But for organizations that collect data in large quantities can become a victim of extortion attacks like personally identifiable information (PII), financial credentials, sensitive information, etc are easy targets for attackers.
Concerned users can read IBM X-Force Definitive Guide to Ransomware and follow some basic guidelines:
- Having routine backups, both online and offline, a robust backup mechanism helps in recovery from a ransomware attack.
- Build a plan to protect against unauthorized data theft, especially as it concerns uploading vast amounts of data to trusted cloud platforms that threat actors might exploit.
- Apply user behavior analytics to predict security incidents. If triggered, assume a breach happened- audit, monitor, and act quickly on the attack associated with privileged accounts and groups.
- Implement two-factor authentication on each remote access point into an organization network- special attention should be given to disabling or secure remote desktop protocol (RDP) access. Various ransomware attacks in the past were able to exploit weak RDP access to have early access into a network.