Researchers tie Black Basta ransomware to the FIN7 threat actor

Well-resourced threat actors behind the Black Basta ransomware are linked to FIN7, a financially motivated group active since 2012, SentinelLabs researchers said.

"Individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates," researchers said.

Black Basta emerged in April 2022 and has already breached over 90 organizations. The speed and volume of attacks lead researchers to assess that the threat actors behind the ransomware family are well-organized and well-resourced.

There have been no indications of Black Basta attempting to recruit affiliates or advertising itself as a ransomware-as-a-service (RaaS) on the darknet. This has led to speculation about the identity and operation of the ransomware group.

SentinelLabs research assesses that Black Basta has ties with FIN7, also known as Carbanak, active since 2012.

Initially, FIN7 used Point of Sale (PoS) malware for financial fraud before switching to ransomware in 2020. The group has affiliated with REvil and Conti and has conducted its own operations, first as Darkside and later rebranding to BlackMatter.

"It's likely that FIN7 or an affiliate began writing tools from scratch to disassociate their new operations from the old," SentinelLabs said.

For example, SentinelLabs assesses that the threat actor developing the defense impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations.

"We aren't surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways," researchers said.

A recent report on ransomware by the cybersecurity company Deep Instinct noted that so-called Conti splinters – Quantum, Black Basta, and BlackByte groups – are among the most prevalent ransomware campaigns in 2022.

All three are former affiliates and share many similarities to the former Conti operation.

"They appeared on the landscape in 'guns blazing' fashion, each already responsible for numerous high-profile breaches," Deep Instinct said.
