Last week, KELA published a new report on the Black Basta leak, revealing the group's inner workings.
As expected, since the publication of our report, KELA’s Cyber Intelligence Centre has obtained new information and analysis on the targeting of victims in Black Basta’s reconnaissance strategies.
KELA found that at least 11% of the ZoomInfo links shared in Black Basta communications were subsequently associated with companies that appeared as confirmed victims of the ransomware, such as ZircoDATA, Beko Technologies, Duty Free Americas, Fortive Corporation, Peco Foods and many more. It is worth noting that the average gap between the time a victim’s ZoomInfo profile was first discussed in Black Basta’s internal chats and the time the victim was published on the ransomware’s blog is approximately 75 days.
Over the years of Black Basta’s activity, KELA has tracked more than 600 ransomware victims from this group, of which almost 60% were in the US, followed by 12% in Germany, 8% in the UK and 7% in Canada. In terms of industry, one in four victims were in the manufacturing sector, while almost one in five were in the professional services sector. In the leaked Black Basta chats, KELA identified at least 368 companies whose ZoomInfo profiles were referenced, and approximately 42 companies (11%) were subsequently confirmed to have been breached.
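The correlation described above (ZoomInfo profiles mentioned in the chats matched against confirmed victims, and the gap in days between first mention and blog publication) can be reproduced over structured data. The following Python is an added example, not KELA’s own tooling; the chat lines, URLs, slugs and dates are constructed for illustration.

```python
import re
from datetime import date
from statistics import mean

# Constructed sample chat export (not from the leak): (ISO date, message text).
CHAT = [
    ("2024-02-05", "look https://www.zoominfo.com/c/zircodata-pty-ltd/123 ~663 pcs, citrix"),
    ("2024-02-05", "more creds for the same network"),
    ("2024-02-10", "https://www.zoominfo.com/c/example-manufacturing-inc/456 worth a look?"),
    ("2024-03-01", "https://www.zoominfo.com/c/zircodata-pty-ltd/123 blog ready"),
]

# Constructed victim-blog index: company slug -> date the victim was published.
VICTIMS = {
    "zircodata-pty-ltd": "2024-02-22",
}

# ZoomInfo company profile URLs carry a slug and a numeric id; only the slug is kept.
ZOOMINFO_RE = re.compile(r"zoominfo\.com/c/([a-z0-9-]+)/\d+")


def first_mentions(chat):
    """Map each ZoomInfo company slug to the earliest date it appeared in the chat."""
    first = {}
    for day, text in chat:
        d = date.fromisoformat(day)
        for slug in ZOOMINFO_RE.findall(text):
            if slug not in first or d < first[slug]:
                first[slug] = d
    return first


def correlate(chat, victims):
    """Return (share of profiled companies later listed as victims,
    mean days from first chat mention to blog publication or None)."""
    first = first_mentions(chat)
    if not first:
        return 0.0, None
    gaps = [
        (date.fromisoformat(victims[slug]) - seen).days
        for slug, seen in first.items()
        if slug in victims
    ]
    share = len(gaps) / len(first)
    return share, (mean(gaps) if gaps else None)


if __name__ == "__main__":
    share, avg_days = correlate(CHAT, VICTIMS)
    print(f"{share:.0%} of profiled companies became victims; mean gap {avg_days} days")
```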
Tracking an attack: from initial access to sale to ransomware attack
Initial access
On 5 February 2024, an initial discussion of the Australian company ZircoDATA appeared, covering its Citrix environment and cloud infrastructure as well as credentials. It included a link to ZircoDATA’s ZoomInfo business profile, which listed approximately 663 PCs, a detail consistent with reconnaissance or enumeration activity.
Interestingly, only a few days earlier, on 24 January 2024, the threat actor ‘crypmans’ had offered access to ZircoDATA for sale on the Exploit forum. KELA had previously identified the victim based on a match between the actor’s description and publicly available information about the company. The actor described the access as RDP and claimed the same number of PCs, possibly meaning that Black Basta purchased this access to launch its attack. The access was put up for auction with a starting bid of $1,500 and sold later that day.
Lateral movement
Two hours after Black Basta first discussed ZircoDATA, more ZircoDATA credentials were shared, apparently for different users of the same resource. Just six hours later, another Black Basta member reposted the same message with the note ‘DONE’, possibly indicating that the gang had gained initial access to the network. Over the next few days, the attackers shared several more ZircoDATA credentials for different services.
On 8 February, the attackers commented that they needed to prepare a blog post to threaten the victim, noting that data exfiltration and ransomware deployment had been completed.
Claiming responsibility for the attack and leaking the data
On 22 February 2024, ZircoDATA was published as a victim on Black Basta’s blog, presumably after negotiations had failed. In its blog post, Black Basta bragged about having stolen 395GB of files from ZircoDATA. In May 2024, it was revealed that the data included 4,000 documents from the Monash Medical Centre, including records relating to family violence and sexual support clinics, and 60,000 documents relating to Melbourne Polytechnic students.
Recommendations
This example shows how monitoring network access sales can help prevent a major attack.
Despite KELA’s efforts to date, organisations may still be at risk. If you would like to confirm whether your organisation has been mentioned in the Black Basta chats, please contact the KELA team.
The Black Basta report is also available here and next week you can join an exclusive webinar where Irina Nesterovsky, Research Director, will discuss Black Basta’s latest tactics, their attack manual and what you can do now to stay ahead of the curve. The registration link will be available shortly.
Read the full article here.