Cybereason Issues 'Highly Severe' Black Basta Ransomware Warning
Some of Black Basta's ransom demands have exceeded $1 million.
June 28, 2022
Cybereason is warning global organizations about a rise in ransomware attacks from the new Black Basta gang.
The Black Basta gang emerged in April. Since then, it has victimized nearly 50 companies in the United States, United Kingdom, Australia, New Zealand and Canada. Organizations in English-speaking countries appear to be targets.
Cybereason assesses the threat level of Black Basta ransomware attacks against global organizations as highly severe.
Black Basta has been using the double extortion scheme on its victims, and some of its ransom demands have exceeded $1 million.
In a double extortion attack, the attackers penetrate a victim's network, move laterally through the organization to locate and steal sensitive data, encrypt systems, and then threaten to publish the stolen data unless the ransom is paid. Restoring from backups alone therefore does not end the extortion.
Black Basta an ‘All-Star’ Ransomware
Lior Rochberger is senior security researcher at Cybereason.
“Black Basta has unique, previously unseen features. And what’s interesting, and what makes this ransomware so dangerous, is that the operators behind it seem to not only know what they are doing, but to follow other well-known and notorious groups such as the Conti Group and REvil,” she said. “In fact, many are speculating that Black Basta ransomware was developed by former members of Conti and REvil, which contributes to it being an ‘all-star’ ransomware.”
Some attackers take up to a few days to move laterally inside the network, collect data and exfiltrate it, Rochberger said. If that is the case, it leaves more time for defenders to detect the anomalous behavior and stop the adversary.
“The problem starts when there is a short time to ransom (TTR) that can be even just a few hours,” she said. “This leaves a short window for defenders to successfully defend against the threat. What is potentially hard to practice, but can be effective, is to password protect documents and files. This way the adversaries cannot access the content inside them. And the files will be useless for them or for potential buyers.”
Updating Security Tools and Software
There are many things organizations can do to protect themselves from ransomware attacks, Rochberger said. One is ensuring security tools and software are updated regularly with patches and that configurations are correct.
“In addition, organizations should use advanced security tools that can detect and prevent malicious activity based on the behavior and artificial intelligence (AI) rather than static information such as hashes,” she said. “In addition, it is important for organizations to have visibility across their entire network.”
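Rochberger's two points, that detection should key off behavior rather than file hashes and that a short time to ransom leaves defenders only a small window, can be illustrated with a small sliding-window detector. The following is an added example written for this article, not Cybereason's code or anything recovered from a Black Basta sample; the event records, host names, process image names and the threshold of 50 renames in 10 seconds are all constructed assumptions. It flags any process that renames an unusual number of files in a short window, so two different binaries with different hashes are both caught, while a slow legitimate backup job is not.

```python
"""Behavior-based mass-rename detector over constructed file-event records.

Added example for this article (not Cybereason's or any vendor's code).
A process is flagged when it renames at least THRESHOLD files within any
WINDOW-second span, regardless of the binary's name or hash.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # event time, seconds since epoch (constructed values)
    host: str
    pid: int
    image: str     # process image name; deliberately NOT used in the verdict
    action: str    # "rename" or "write"
    path: str      # destination path after the action


THRESHOLD = 50    # renames ...
WINDOW = 10.0     # ... within this many seconds (assumed tuning values)


def _make_burst(host, pid, image, start, count, spacing, ext):
    """Build `count` rename events, `spacing` seconds apart, appending `ext`."""
    return [
        FileEvent(start + i * spacing, host, pid, image, "rename",
                  f"C:\\share\\doc{i}.docx{ext}")
        for i in range(count)
    ]


# Constructed telemetry, not captured from a real incident.
SAMPLE_EVENTS = sorted(
    # two different binaries (so two different hashes) showing the same burst behavior
    _make_burst("ws01", 4100, "sample_a.exe", 1000.0, 80, 0.05, ".locked")
    + _make_burst("ws01", 4200, "sample_b.exe", 1100.0, 80, 0.05, ".locked")
    # a slow, legitimate job: 40 renames spread over 20 minutes
    + _make_burst("fs01", 900, "backup.exe", 1000.0, 40, 30.0, ".bak")
    # ordinary document writes, which the detector ignores
    + [FileEvent(1000.0 + i, "ws02", 777, "WINWORD.EXE", "write",
                 f"C:\\users\\a\\notes{i}.docx") for i in range(100)],
    key=lambda e: e.ts,
)


def detect_mass_rename(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(host, pid, image): ts_first_flagged} for every process that
    produced >= `threshold` rename events inside a sliding `window` seconds.

    The verdict depends only on timing and volume of renames, never on the
    process image or a hash, which is the 'behavior, not static indicators'
    approach Rochberger describes.
    """
    recent = defaultdict(deque)   # key -> timestamps of renames still in window
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename":
            continue
        key = (ev.host, ev.pid, ev.image)
        q = recent[key]
        q.append(ev.ts)
        # drop renames that fell out of the sliding window
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ev.ts
    return flagged


if __name__ == "__main__":
    for (host, pid, image), ts in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT {host} pid={pid} image={image} mass rename at t={ts:.2f}")
```

With the constructed data, both bursty processes are flagged about 2.5 seconds into their runs, well inside even a few-hours time to ransom, and the backup job never reaches the threshold. In production the threshold and window would be tuned against baseline rename rates, and the alert would be wired to an automated response such as isolating the host or killing the process, since a human analyst cannot react within a window that short.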
Roger Grimes is data-driven defense evangelist at KnowBe4. He said the most interesting and scary development is the continued growing focus on compromising VMware ESXi virtual hosts.
“Most corporations are huge into virtual machine (VM) infrastructures, and it’s only growing,” he said. “One compromised VM host can immediately put at risk dozens to hundreds of virtual guest instances. It makes it far easier for a ransomware program or group to do all the double extortion damages, including stealing login credentials, data exfiltration and encryption. Plus, most VM infrastructures use and rely on the same infrastructure to conduct their mission-critical backups. It’s a part of the VM infrastructure and because of that it’s easier to compromise once the VM host is compromised.”
Protecting VM Investments
Compromising a VM host makes it far easier for the attacker to also compromise the involved backups, Grimes said.
“I would go so far as to say that any ransomware program not intentionally targeting VM infrastructures is being highly inefficient and dumb,” he said. “It’s even more important than ever that shops with huge VM investments understand this changing landscape and take the appropriate mitigations.”
Organizations should protect VM infrastructures like the high-risk assets they are, Grimes said.
“They need to require multifactor authentication (MFA) to access them, and be aggressively patched and aggressively monitored,” he said. “You can’t protect a VM host machine like you do a regular server. Or if you do, you’re just asking for increased risk and far greater chance of significant compromise.”