X-Industry

The Black Basta group is a Ransomware-as-a-Service (RaaS) provider that has been in operation since at least April of 2022.  The group is believed to be comprised of former members of the ransomware groups Conti and REvil.  The reason for this belief is driven by several factors, such as the similarities in their tactics and their rapid integration into the cybercriminal ecosystem.

Black Basta is credited as having victimized over 500 organizations.  In the first quarter of 2024, the group had c

A recent Chainalysis report indicates that 2024 is set to be the highest-grossing year for ransomware payments.  2023 is the current record holder in that regard, surpassing the $1 billion dollar mark, which was an interesting development given the significant decline in ransomware payments that occurred in 2022.  In the chart we have below, we can see a clear trendline indicating an increasing trend since 2019.  In hindsight, it may be more useful to view 2022 as an anomaly.  The mid-year total

US Cyber authorities are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure  sectors, including the Healthcare and Public Health (HPH) Sector.  This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting.

Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022.  Black Basta affiliate

With half of 2023 over, ransomware gangs have operated at a near-record profit, extorting more than $449 million from victims, according to blockchain research firm Chainalysis.  The figure likely pales in comparison to the actual totals because the research only looks at cryptocurrency wallets being monitored by the firm.  If the trends continue, ransomware groups are on pace to bring in nearly $900 million in 2023, only $40 million behind the peak of $939.9 million seen in 2021.

Chainalysis re

Black Basta ransomware has made headlines for allegedly compromising high-profile European and North American organizations across a variety of industries, such as outsourcing, technology, and manufacturing.  The history of Black Basta ransomware dates to at least April 2022, with a professional organizations company in the United States being one of its first victims. Since then, Black Basta has slowly expanded their operations, with the group allegedly compromising and stealing data from a US

A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews.  The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

Former TrickBot/Conti syndicate me

The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the US, Canada, the UK, Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.  "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a repo

Activity Summary - Week Ending on 13 May 2022:

• Red Sky Alliance identified 35,648 connections from new IP’s checking in with our Sinkholes
• MS in Sydney Australia hit 134x
• Analysts identified 1,442 new IP addresses participating in various Botnets
• Black Basta
• Stonefly APT
• Magnus & Grim
• Exploits in Ransomware used to Block Encryption
• Risk-Based Cyber Security in the UK
• Passwords
• Ransomware Evolution

Link to full report: IR-22-133-001_weekly133.pdf

Black Basta, a new ransomware group, has made their presence felt by claiming responsibility for twelve ransomware attacks in the month of April.   Black Basta, like many other ransomware operations, uses double-extortion tactics, stealing victim data before encrypting systems to leverage payment.  The group then uses their Tor site and slowly leaks victim data, applying pressure to victims to pay the ransom for the decryption key.  Notable targets from the first stretch of attacks include the A