Severity
High
Analysis Summary
Reportedly, Atlas, one of the biggest nationwide fuel distributors in the US, was compromised by the extortion gang BlackBasta. The company was added to the list of victims on the gang's leak website.
Atlas distributes more than one billion gallons of fuel annually, making it one of the biggest national distributors to the 49 continental US states. The ransomware gang claims to have stolen 730GB of data from Atlas, comprising departmental, corporate (accounting, HR, finance, executive), user, and employee data.

As evidence of the attack, the group released several documents, including data sheets, payroll payment requesters, ID cards, and an image of a folder taken from the victim's systems. The company has not yet addressed the claimed incident.
Active since April 2022, BlackBasta employs a double-extortion technique, as do many other ransomware operations. In November 2022, researchers revealed that they had discovered evidence connecting the financially motivated APT group FIN7 to the BlackBasta ransomware gang. The same year, security researchers also observed an increase in QakBot infections as part of an ongoing, aggressive campaign to spread the malware, which leads to BlackBasta ransomware infections in the US.
The attack chain begins with a QakBot (QBot) infection; the operators then seize control of the machine using the post-exploitation tool Cobalt Strike and finally deploy the BlackBasta ransomware. The initial access vector was a spam or phishing email containing malicious URL links.
The researchers observed that the threat actor moves very quickly once inside the network. In some cases the threat actor obtained domain administrator rights in under two hours and deployed ransomware in under twelve hours.
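The speed of the escalation described above is itself a detectable signal. The following Python script is an added example written for this advisory, not code from the advisory's source or from any vendor: it runs two simple detections over constructed, simplified Windows Security event lines (event 4624 logon, 4688 process creation, 4728 member added to a global group). It flags an account that is added to the Domain Admins group within 24 hours of its first observed logon (the 24-hour window is an assumed tuning value; the advisory reports escalation in under two hours), and flags a script interpreter spawned by an Office or mail client, which is typical of the malicious-link phishing stage. The log format, field names, and sample values are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory). Each line is a
# simplified key=value rendering of a Windows Security event:
#   4624 = successful logon, 4688 = process creation,
#   4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    "2024-05-20T09:02:11Z host=WS-042 event=4624 user=j.doe logon_type=2",
    "2024-05-20T09:05:40Z host=WS-042 event=4688 user=j.doe process=wscript.exe parent=outlook.exe",
    "2024-05-20T09:41:03Z host=DC-01 event=4624 user=j.doe logon_type=3",
    "2024-05-20T10:30:55Z host=DC-01 event=4728 member=j.doe group='Domain Admins' subject=svc_backup",
    "2024-05-20T11:15:00Z host=DC-01 event=4624 user=j.doe logon_type=10",
    "2024-05-21T08:00:00Z host=WS-007 event=4624 user=a.smith logon_type=2",
    "2024-05-23T14:10:00Z host=DC-01 event=4728 member=a.smith group='Domain Admins' subject=admin1",
]

# key=value pairs; values may be single- or double-quoted to allow spaces
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Parent/child pairs that indicate a document or mail client launching a script host
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def parse_event(line):
    """Split one log line into a dict: 'ts' plus every key=value field."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip("'\"")
    return event


def analyze(lines, window=timedelta(hours=24)):
    """Return a list of (alert_type, user, host, detail) tuples."""
    alerts = []
    first_seen = {}  # user -> timestamp of first observed logon
    for event in (parse_event(line) for line in lines):
        event_id = event.get("event")
        if event_id == "4624":
            first_seen.setdefault(event["user"], event["ts"])
        elif event_id == "4688":
            parent = event.get("parent", "").lower()
            child = event.get("process", "").lower()
            if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
                alerts.append(("office_spawned_script", event["user"], event["host"], child))
        elif event_id == "4728" and event.get("group") == "Domain Admins":
            member = event["member"]
            seen = first_seen.get(member)
            elapsed = None if seen is None else event["ts"] - seen
            # Flag if the account was never seen logging on, or escalated within the window
            if elapsed is None or elapsed <= window:
                alerts.append(("rapid_domain_admin", member, event["host"], elapsed))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In the sample data, j.doe is added to Domain Admins about an hour and a half after first logging on and has a script host spawned from Outlook, so both detections fire; a.smith is added more than two days after first appearing and is not flagged. Thresholds and parent/child lists should be tuned to the environment's normal administrative behaviour.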
Impact
- Financial Loss
- Sensitive Data Theft
- Reputational Damage
- Unauthorized Access
Remediation
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.