Black Basta target orgs with new social engineering campaign
2024-05-13 12:39

The advisory lists indicators of compromise associated with Black Basta ransomware attacks and offers advice for organizations.

Rapid7 analysts have also shared the latest social engineering trick used by the Black Basta operators: they spam a target's inbox with junk email, then phone the target while posing as a member of the organization's IT team and offer assistance.

"In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence."

The Russian-speaking Black Basta group is believed to have been started by former members of the infamous Conti ransomware collective, which dissolved in May 2022.

In late 2023, Elliptic and Corvus Insurance pinpointed "At least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022," and said that blockchain transactions form a clear link between Black Basta and Conti.

Unlike some ransomware groups, Black Basta does not outright define the ransom amount to be paid.


News URL

https://www.helpnetsecurity.com/2024/05/13/black-basta-social-engineering/