Back in Black: BlackBasta Ransomware
Beazley Security has observed a number of tactics and targets related to this group that may help your company better protect itself against this new threat.
Don’t let this new ransomware group fade your business to black. BlackBasta, a ransomware group on the rise, has been increasingly active over the past month, and that behavior is likely to continue. Beazley Security has observed a number of tactics and targets related to this group that may help your company better protect itself against this new threat. While the name this group operates under is new, intelligence suggests that it is a rebrand of the prolific Conti group, which recently shut down but whose operators continue to lead other groups. BlackBasta’s leak site is very similar to Conti’s, and the groups share the same victim recovery portals, payment sites, and negotiation styles. If the frequency and consistency of their attacks thus far are any indication, BlackBasta is here to stay for quite some time.
Independent analysis from Beazley Security and third-party reports indicate that BlackBasta utilizes trojan malware known as Qakbot. Often introduced into victims’ environments via phishing, Qakbot contains numerous functions that enable key threat actor behaviors such as lateral movement and privilege escalation.
BlackBasta’s recent phishing campaigns have centered on tricking unwitting users into opening an HTML attachment in an email, which causes the automatic download of the Qakbot malware. The contents of these emails are simple, asking users to “look at the attachment requested” or similar. Note, however, that the tactics and content associated with phishing emails change frequently.
Beazley Security recommends that organizations strengthen their security postures against this active ransomware threat by:
- Improving user security awareness, especially towards phishing attacks.
- Investing in or reviewing the configurations of email protections and filters.
- Investing in or reviewing the configurations of endpoint detection and response (EDR) software.
- Following a security model that aligns with the Principle of Least Privilege (i.e., giving users access to only what they need to complete their work).
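As an added example supporting the email-filter and EDR recommendations above (this is illustrative defender-side tooling, not Beazley Security’s code), the script below triages an e-mail for HTML attachments that save a file to disk on open, the lure mechanism described earlier. The indicator list and weights are assumptions based on how a page makes a browser save a file without user navigation, not indicators taken from any real campaign.

```python
# Added example (not Beazley Security's code): triage e-mail attachments for
# HTML files that save a payload on open. The indicator list is an assumption
# based on how a page makes a browser save a file without user navigation.
import email
import re
from email import policy

INDICATORS = {                    # pattern -> weight (weights are an assumption)
    r"<script": 1,
    r"\batob\s*\(": 2,            # base64-decode an embedded blob
    r"new\s+Blob\s*\(": 2,        # build the file in memory
    r"createObjectURL\s*\(": 2,   # blob: URL for the download link
    r"\.download\s*=": 2,         # force "save as" on an anchor
    r"\.click\s*\(\s*\)": 1,      # synthetic click, no user navigation
}

def score_html(html: str) -> int:
    """Sum the weights of every indicator present in the HTML."""
    return sum(w for pat, w in INDICATORS.items() if re.search(pat, html, re.I))

def triage_eml(raw: bytes, threshold: int = 5) -> list:
    """One finding per HTML attachment; 'suspicious' when score >= threshold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        score = score_html(body)
        findings.append({"filename": name, "score": score, "suspicious": score >= threshold})
    return findings

# Constructed sample (not a real campaign artifact): a lure subject line plus an
# HTML attachment that decodes an embedded blob and clicks a download link.
SAMPLE_EML = b"""From: sender@example.invalid
Subject: Please look at the attachment requested
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; name="document.html"
Content-Disposition: attachment; filename="document.html"

<html><body><script>var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([atob("UEs=")]));
a.download = "document.zip"; a.click();
</script></body></html>
--B--
"""
```

A benign HTML attachment with no script scores zero; tune the threshold against your own mail sample before using the score to quarantine.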
BlackBasta is the latest ransomware to target ESXi virtual machines on Linux
Malwarebytes provides companies using ESXi virtual machines (VMs) with steps to better protect their Linux servers against BlackBasta ransomware attacks. Beazley Security recommends that you review all relevant security controls and follow VMware’s general security recommendations for ESXi VMs.
LockBit 3.0 launches the very first ransomware bug bounty program
Ransomware group LockBit has debuted LockBit 3.0, with features that may become standard for similar threat actors, including the ability for anyone to purchase a victim’s stolen data as soon as it is posted. Beazley Security predicts that ransomware actors will continue to up the ante on the extortion of data stolen during ransomware attacks.
Securing domain controllers against attack
Microsoft has updated its guidance on securing domain controllers. Beazley Security recommends that you review your domain controller security controls and consider these Microsoft-approved practices.
Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems
The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert on the continued exploitation of Log4j vulnerabilities on VMware Horizon systems. Beazley Security has also observed continued use of these vulnerabilities in attacks and recommends that any organization running VMware Horizon immediately patch these systems and review related security controls.