There are plenty of threat actors generating big names for themselves by victimizing the industrial sector. And while groups like REvil and LockBit certainly have their place on many Top 10 lists, 2023 had a breakout star amongst the social engineering community. They go by Black Basta.
The Russian-based group reportedly tallied over $107 million from late 2022 through 2023, extorting an estimated 90 companies, including industrial giant ABB. This included a high of $9 million from a single attack, and averaging close to $1.2 million per campaign. This haul has led many Industry researchers to put Black Basta in the top five most active ransomware players.
Of course, these figures are based on reported numbers, which are typically lower than actual. Still, the $107 million total would put them ahead of who is typically seen as the industrial sector’s biggest adversary – LockBit, which “only” brought in a little more $90 million during this same time period.
Background and Tactics
Black Basta is thought to be an offshoot of the notorious Conti Group, which disbanded in early 2023 after a number of law enforcement initiatives shined some unwanted light on many of the group’s members and tactics. Regardless of their current or former brand name, this RaaS (ransomware as a service) group’s calling card is the use of Qakbot malware to carry out double extortion campaigns.
After deploying phishing schemes via email meant to infiltrate the target’s systems and networks, this malware simultaneously extracts and encrypts sensitive data. Unlike traditional ransomware attacks where the paid ransom provides a key for unlocking encrypted data, Black Basta also threatens to release the stolen information unless a ransom is paid. The demanded amount is presumably higher due to the added reputational damage that can be attributed to the attack.
Giving the devil his due, it’s impressive that Black Basta has been able to continue with these tactics even after the infrastructure powering Qakbot’s botnet was seized and disabled by an international operation led by the FBI last summer. Just for clarification, it’s not uncommon for a ransomware group to source their malware from another player and then compensate the provider with a percentage of the ransom obtained – typically around 10 percent.
So, it’s safe to say that those behind Qakbot benefitted significantly from Black Basta’s strong run over the last 18 months. This helps illustrate the strength and complexity of the ever-evolving hacker community.
With the smoke starting to clear from Black Basta’s recent activities, analysts estimate that over 60 percent of those targeted are in the U.S. and at least 35 percent of their victims paid the ransom. This would reinforce the notion that the ransomware business is just like any other service offering - the more people you touch, the more opportunities you’ll realize.
Success Breeds Solutions
Accompanying Black Basta’s rise in revenues was a heightened profile that drew the attention of cybersecurity professionals and researchers. This included Security Research Labs (SRLabs), a leading consulting organization. SRLabs developed a suite of tools it is calling “Black Basta Buster.” Published on GitHub, the tools enable security teams to analyze files encrypted by Black Basta to determine if they can be recovered, and then assist with the decryption process.
Unfortunately, there are limitations. First, files smaller than 5KB cannot be recovered. And for files larger than 1GB, only the first 5KB can be regained. The sweet spot is those files between 5KB and 1GB, where full recovery can be realized. The other downside, of course, is that by publishing these tools, Black Basta and their cohorts can use that knowledge to upgrade their malware, and the chase is renewed.
At the end of the day, the best defense against any hacker group is to continue focusing on the basics, the low-hanging fruit, the blocking and tackling of cybersecurity that will make the attacker’s job that much more difficult. While Black Basta has been able to realize a historic amount of criminal success, they were also unsuccessful in their extortion attempts two out of every three times.
The tools, the guidance, the frameworks, and the strategies are all out there for the industrial cybersecurity community. Understand where your data priorities lie, and continue to evolve your defenses in keeping pace with your growing number of adversaries.
