The Black Basta ransomware group and its affiliates compromised hundreds of organizations worldwide between April 2022 and May 2024, according to a new report from several US government agencies.
The Joint Cybersecurity Advisory (CSA) was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
It claimed that Black Basta attacks have impacted more than 500 organizations in North America, Europe and Australia. They led to the encryption and theft of data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
Victim organizations over this time include UK utility Southern Water and outsourcing giant Capita, as well as the American Dental Association (ADA) and government contractor ABB.
It’s unclear how much money the group has made over the period from its victims, but a November 2023 analysis of Bitcoin transactions estimated over $100m since April 2022.
The CSA includes TTPs and IOCs obtained from FBI investigations and third-party reporting, as well as a useful list of mitigations for network defenders designed to help them improve security posture.
It recommended critical infrastructure organizations take three actions immediately to mitigate the threat of attack from Black Basta:
- Install OS, software and firmware updates as soon as they are released
- Deploy phishing-resistant multi-factor authentication (MFA) for as many services as possible
- Train users to recognize and report phishing attempts
It’s long been suspected that Black Basta is an offshoot of Conti, a prolific ransomware group which ceased operating just before Black Basta appeared. A November 2023 Bitcoin analysis from insurer Corvus highlighted significant crossover between the two groups – with both targeting manufacturing, construction/engineering, wholesale/retail, financial services, and transportation and logistics firms.
Black Basta prefers popular initial access techniques such as phishing and exploitation of known vulnerabilities, before deploying a double-extortion model in which data is both encrypted and stolen.