Cybereason, the XDR company, has issued a global threat alert advisory warning global organizations about an increase in Black Basta ransomware attacks.
The Black Basta gang emerged in April 2022 and has victimized nearly 50 businesses in the United States, United Kingdom, Australia, New Zealand, and Canada. Organizations in English-speaking countries appear to be targets. Cybereason rates ransomware attacks against global organizations as HIGHLY SEVERE today.
“Since Black Basta is relatively new, not a lot is known about the group. Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021,” said Lior Div, Cybereason CEO and Co-founder.
Black Basta has used the double extortion scheme on their victims, with some of their ransom demands exceeding $1 million. Attackers use double extortion to breach a victim’s network, steal sensitive information by moving laterally through organizations, and threaten to publish the stolen data unless the ransom demand is met.
Ransomware attacks are preventable. Cybereason makes the following recommendations to organizations to reduce their risks:
Practicing good security hygiene like implementing a security awareness program for employees, assuring operating systems and other software are regularly updated and patched.
Assuring key players can be reached at any time of day as critical response actions can be delayed during holidays and when attacks occur during off hours and on weekends and holidays.
Conducting periodic table-top exercises and drills and including those beyond the security team like Legal, Human Resources, IT Support and all the way up to the Executive Suite is also key to running a smooth incident response.
Ensuring clear isolation practices are in place to stop any further ingress on the network or spreading of the ransomware to other devices. Teams should be proficient at things like disconnecting a host, locking down a compromised account, and blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended.
Evaluating lock-down of critical accounts when possible. The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
Deploying EDR on all endpoints. The quickest remedy to the ransomware scourge for public and private sector businesses is deploying EDR on endpoints according toGartner’s Peter Firstbrook. Yet Firstbrook says that only 40 percent of endpoints have EDR.
More information, including a technical breakdown of the attack, can be found at: https://www.cybereason.com/blog/cybereason-vs.-black-basta-ransomware
