On Friday, CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory (CSA), “#StopRansomware: Black Basta,” which provides defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates.
Overview of Black Basta
Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia. They use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ the all-too-common double-extortion model, both encrypting systems and exfiltrating data.
Ransom notes generally do not include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser).
Novel social engineering
Since late April, multiple cases of a novel social engineering campaign have been observed with IOCs consistent with Black Basta. In these cases, the threat actors sent a large volume of spam email to targeted users, overwhelming the email protection solutions in place so that the spam reached the users’ inboxes. Much of the spam is not malicious in itself; its purpose is to overwhelm the user. While the user is struggling with the flood in their inbox, the threat actors begin calling, posing as a member of the organization’s IT team reaching out to help with the email problem. In each case, the threat actor attempted to manipulate the user into granting remote access to their computer through a legitimate remote monitoring and management (RMM) solution. For more details on the campaign, visit Rapid7.
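The first observable stage of this campaign is the mail flood itself: one mailbox suddenly receives far more inbound messages, from far more distinct sending domains, than normal. The following is an added example of how a defender might surface that from mail-gateway logs; it is not code from the advisory or from Rapid7. The log format, the thresholds (30 messages from at least 10 sending domains inside a 10-minute sliding window), and the sample traffic are all constructed for this illustration and would need to be adapted to a real gateway's log format and baseline.

```python
"""Flag mailboxes hit by an inbound mail flood (constructed example, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    sender: str
    recipient: str


def parse_line(line: str) -> MailEvent:
    """Parse one constructed gateway log line:
    '<ISO timestamp> from=<sender> to=<recipient>' (format assumed for this example)."""
    ts_str, sender, recipient = line.split()
    return MailEvent(
        ts=datetime.fromisoformat(ts_str),
        sender=sender[len("from=<"):-1],
        recipient=recipient[len("to=<"):-1],
    )


def detect_mail_floods(lines, window=timedelta(minutes=10), min_msgs=30, min_domains=10):
    """Return {recipient: (window_start, message_count, distinct_sender_domains)} for every
    recipient whose inbound volume inside any sliding window crosses both thresholds.

    Counting distinct sender domains, not just messages, separates a subscription-bomb
    (many unrelated newsletters and signup confirmations) from a single noisy sender.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    per_recipient = defaultdict(deque)  # sliding window of recent events per mailbox
    hits = {}
    for ev in events:
        q = per_recipient[ev.recipient]
        q.append(ev)
        # Drop events that fell out of the window relative to the newest one.
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        domains = {e.sender.split("@", 1)[1] for e in q}
        if len(q) >= min_msgs and len(domains) >= min_domains:
            prev = hits.get(ev.recipient)
            # Keep the densest window seen for this mailbox.
            if prev is None or len(q) > prev[1]:
                hits[ev.recipient] = (q[0].ts, len(q), len(domains))
    return hits


def build_sample_log():
    """Constructed sample traffic: a normal mailbox plus one being flooded."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Baseline: bob gets one message every 15 minutes from a handful of partners.
    for i in range(8):
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} from=<partner{i % 3}@example.net> to=<bob@corp.example>")
    # Flood: 45 signup/newsletter mails to alice within six minutes, each from a
    # different sending domain, which is the pattern of a subscription bomb.
    for i in range(45):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        lines.append(f"{ts} from=<noreply@list{i:02d}.example> to=<alice@corp.example>")
    return lines


if __name__ == "__main__":
    for rcpt, (start, count, ndom) in detect_mail_floods(build_sample_log()).items():
        print(f"FLOOD {rcpt}: {count} messages from {ndom} domains starting {start}")
```

A flood alert on a mailbox is the cue to warn that user, and the service desk, that an unsolicited "IT support" call about the email problem may be the attacker's follow-up, and to watch that user's endpoint for newly installed or newly launched remote-access tooling.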
CISA and partners encourage organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Black Basta and other ransomware incidents. For more information, see StopRansomware.gov and the #StopRansomware Guide.