Researchers tie Black Basta ransomware to the FIN7 threat actor


Well-resourced threat actors behind the Black Basta ransomware are linked to FIN7, a financially motivated group active since 2012, SentinelLabs researchers said.

"Individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates," researchers said.


Black Basta emerged in April 2022 and has already breached over 90 organizations. The speed and volume of the attacks led researchers to assess that the threat actors behind the ransomware family are well-organized and well-resourced.

There have been no indications that Black Basta has attempted to recruit affiliates or advertise itself as ransomware-as-a-service (RaaS) on the darknet. This has led to speculation about the identity and operation of the ransomware group.

SentinelLabs research assesses that Black Basta has ties with FIN7, also known as Carbanak, active since 2012.

Initially, FIN7 used Point of Sale (PoS) malware for financial fraud before switching to ransomware in 2020. The group has been an affiliate of REvil and Conti, and has also run its own operations, first as DarkSide and later rebranding as BlackMatter.

"It's likely that FIN7 or an affiliate began writing tools from scratch to disassociate their new operations from the old," SentinelLabs said.

For example, it assesses that the threat actor who developed the defense impairment tool used by Black Basta is the same actor who has access to the packer source code used in FIN7 operations.

"We aren't surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways," researchers said.

A recent report on ransomware by the cybersecurity company Deep Instinct noted that so-called Conti splinters – Quantum, Black Basta, and BlackByte groups – are among the most prevalent ransomware campaigns in 2022.


All three are former Conti affiliates and share many similarities with the former Conti operation.

"They appeared on the landscape in 'guns blazing' fashion, each already responsible for numerous high-profile breaches," Deep Instinct said.