With 26 victims on the list, the Black Basta ransomware gang has been gaining traction. But who are they – a Conti copycat or an emerging independent group?
The report by Cyberint finds that Black Basta is primarily targeting the industrial, retail, and real-estate sectors across the United States and rich European countries, such as Germany and the Netherlands.
Their attack vectors include malspam, where an email with a business inquiry invites the recipient to open an attachment, and insider threats. In the second case, malicious actors turn to darknet forums to look for insiders. Black Basta has already been spotted on the dark web, eager to buy access to companies from their employees.
After gaining initial access, the group deletes shadow copies in the OS, preventing victims from recovering encrypted files. This encourages the company to pay a ransom swiftly to resume operations.
Threat actors then encrypt all of the organization's files except for the most essential ones, such as the readme files. Encrypted files receive the .basta file extension and a customized icon.
The generated readme files are then used to communicate the ransom demand to the company. They include the address of the group's Onion page and the victim's ID for further talks. Once directed to the page, a victim is greeted with a negotiation window, where they are required to enter the assigned ID.
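As an added illustration (not from the Cyberint report or this article) of how a defender might detect the two behaviours described above, the following Python snippet scans constructed process-creation and file-event log lines for shadow-copy deletion commands and for files renamed to the .basta extension, then flags hosts where both occur. The specific commands it matches (vssadmin and wmic shadow-copy deletion) are common methods assumed here; the article only states that shadow copies are deleted.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in a simple key=value format; not real telemetry.
SAMPLE_LOGS = [
    'type=process host=ws01 user=alice cmd="C:\\Windows\\system32\\notepad.exe report.txt"',
    'type=process host=fs02 user=svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    'type=process host=fs02 user=svc_backup cmd="wmic shadowcopy delete"',
    'type=file host=fs02 user=svc_backup op=rename src="Q3-forecast.xlsx" dst="Q3-forecast.xlsx.basta"',
    'type=file host=fs02 user=svc_backup op=create dst="readme.txt"',
    'type=file host=ws01 user=alice op=rename src="notes.txt" dst="notes.old"',
]

# Assumed common shadow-copy deletion command lines (the article does not name the method).
SHADOW_DELETE_RE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)
# Extension the article says encrypted files receive.
BASTA_EXT_RE = re.compile(r"\.basta$", re.I)
# key=value fields, with optional double-quoted values.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse key=value fields from one log line, honouring quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def detect(lines) -> list:
    """Return one Alert per shadow-copy deletion command or .basta rename."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") == "process" and SHADOW_DELETE_RE.search(ev.get("cmd", "")):
            alerts.append(Alert(ev["host"], "shadow_copy_deletion", ev["cmd"]))
        elif ev.get("type") == "file" and ev.get("op") == "rename" and BASTA_EXT_RE.search(ev.get("dst", "")):
            alerts.append(Alert(ev["host"], "basta_extension_rename", ev["dst"]))
    return alerts


def hosts_with_both(alerts) -> set:
    """Hosts where recovery was sabotaged and encryption has started: escalate first."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in by_host.items()
            if {"shadow_copy_deletion", "basta_extension_rename"} <= rules}
```

Running `hosts_with_both(detect(SAMPLE_LOGS))` on the constructed lines returns `{'fs02'}`, the host that both deleted shadow copies and began renaming files to .basta.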
Their relation to Conti – a ransomware gang associated with Russia – has been up for debate. The similarity between the two groups' websites prompted speculation that Black Basta is a rebranded version of Conti or a faction that branched out from it.
“The Cyberint Research Team is not convinced these similarities are enough to determine that one group is connected to another. However, we cannot deny that some members might know each other from past experience, given the mutual origin of the groups,” the report suggests.
Conti themselves have denied the association with Black Basta during the “For Peru” campaign.