“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading (https://www.darkreading.com/threat-intelligence/black-basta-ransomware-esxi-servers-active-campaign), one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. 
As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”
The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of securing access to hypervisor systems. While Black Basta isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt have already demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations.
Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.