The ransomware-as-a-service (RaaS) Black Basta has struck 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the cybersecurity landscape.
The speed at which it has accumulated victims in such a short time frame has made it a prominent new threat for the cybersecurity of governments and a range of different industries.
“Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more,” Cybereason said in a report.
Most recently the RaaS syndicate added Elbit Systems of America, a manufacturer of defense, aerospace, and security solutions, to its list of victims.
Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish the stolen data unless a digital payment is made.
Intrusions involving the threat have also leveraged QBot as a conduit to maintain persistence on the compromised hosts and harvest credentials, before moving laterally across the network and deploying the file-encrypting malware
The Black Basta group is suspected to have been formed from the remnants of the Conti Group, an infamous ransomware group which decreased its activity after increased law enforcement scrutiny.
The Conti Group has denied involvement and last week shut down their last remaining public-facing infrastructure
According to a comprehensive report from Group-IB detailing its activities, the Conti group is believed to have victimized more than 850 entities since it was first observed in February 2020.
Dubbed “ARMattack” by the Singapore-headquartered company, the intrusions were primarily directed against U.S. organizations (37%), followed by Germany (3%), Switzerland (2%), the U.A.E. (2%), the Netherlands, Spain, France, the Czech Republic, Sweden, Denmark, and India (1% each).
“Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” Group-IB’s Ivan Pisarev said.