Don’t let this new ransomware group fade your business to black. BlackBasta, a ransomware group on the rise, has been increasingly active over the past month – that behavior is likely only to continue. Lodestone has observed a number of tactics and targets related to this group that may help your company better protect itself against this new threat. While the name this group operates under is new, intelligence suggests that they are a rebrand of the prolific Conti group that recently shut down but continues to lead other groups. BlackBasta’s leak site is very similar to Conti’s, and the groups share the same victim recovery portals, payment sites, and negotiation styles. If the frequency and consistency of their attacks thus far are any indication, BlackBasta is here to stay for quite some time.
Independent analysis from Lodestone and third-party reports indicate that BlackBasta utilizes trojan malware known as Qakbot. Often introduced into victims’ environments via phishing, Qakbot contains numerous functions that enable key threat actor behaviors such as lateral movement and privilege escalation.
BlackBasta’s recent phishing campaigns have centered on tricking unwitting users into opening an HTML attachment in an email, which triggers the automatic download of the Qakbot malware. The contents of these emails are simple, asking users to “look at the attachment requested” or similar. Note, however, that the tactics and content of phishing emails change frequently.
Lodestone recommends that organizations strengthen their security postures against this active ransomware threat by:
- Improving user security awareness, especially towards phishing attacks.
- Investing in or reviewing the configurations of email protections and filters.
- Investing in or reviewing the configurations of endpoint detection and response (EDR) software.
- Following a security model that aligns with the Principle of Least Privilege (i.e., giving users access to only what they need to complete their work).
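As an added defender-side example (not part of Lodestone's advisory), the following Python script checks raw email messages for the delivery pattern described above: an HTML file arriving as an attachment, together with the "look at the attachment" lure wording. The sample message and the phrase list are constructed for illustration; tune both for your own environment.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators drawn from the advisory: an HTML file delivered as an attachment and
# the "look at the attachment" lure wording. Extend these for your environment.
LURE_PHRASES = ("look at the attachment",)
HTML_TYPES = {"text/html", "application/xhtml+xml"}
HTML_EXTENSIONS = (".html", ".htm", ".xhtml")

# Constructed sample message (not a real phishing sample) in the shape described.
SUSPECT_EMAIL = b"""From: sender@example.invalid
Subject: Document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, please look at the attachment requested.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>placeholder</body></html>
--b1--
"""

def html_attachments(msg: EmailMessage) -> list:
    """Filenames of HTML parts that arrive as attachments, not as inline body parts."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        is_html = (part.get_content_type() in HTML_TYPES
                   or name.lower().endswith(HTML_EXTENSIONS))
        if is_html and part.get_content_disposition() == "attachment":
            found.append(name)
    return found

def triage(raw: bytes) -> tuple:
    """Return (has_html_attachment, attachment_names, lure_text_present)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = html_attachments(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    lure = any(phrase in text for phrase in LURE_PHRASES)
    return (bool(attachments), attachments, lure)
```

A message that merely has an HTML body (no attachment disposition) is not flagged, so the check targets the attachment vector rather than ordinary HTML mail.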
Malwarebytes provides companies using ESXi virtual machines (VMs) with steps to better protect their Linux servers against BlackBasta ransomware attacks. Lodestone recommends that you review all relevant security controls and follow VMware’s general security recommendations for ESXi VMs.
Ransomware group Lockbit has debuted Lockbit 3.0, with features that may become the standard for similar threat actors, including the ability for anyone to purchase a victim’s stolen data as soon as it is posted. Lodestone predicts that ransomware actors will continue to up the ante on extortion using data stolen during ransomware attacks.
Microsoft has updated its guidance on securing domain controllers. Lodestone recommends that you review your domain controller security controls and consider these Microsoft-approved practices.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert on the continued exploitation of Log4j vulnerabilities on VMware Horizon systems. Lodestone has also observed continued exploitation of these vulnerabilities in attacks and recommends that any organization running VMware Horizon immediately patch these systems and review related security controls.