Black Basta Ransomware

The technology company ABB was attacked with ransomware in May 2023 by the Black Basta group, which operates as a ransomware-as-a-service (RaaS).

A group of cybercriminals that has become well-known over the past two years for launching attacks against companies such as the American Dental Association, Sobeys, Knauf, among others.

It was speculated at the time that the tools used by Black Basta to launch their cyberattacks could be related to the Russian cybercriminal group FIN7 due to their similarities. Additionally, the involvement of former members of the disbanded Conti group was also considered.

¿What is their modus operandi?

Black Basta employs double extortion tactics, using tools such as the Qakbot Trojan, as well as leveraging vulnerabilities like PrintNightmare, ZeroLogon, and NoPac to gain escalated privileges.

PrintNightmare

PrintNightmare is a vulnerability that affects the Windows print service. It allows the attacker to remotely execute code on Windows systems and obtain elevated privileges.

This vulnerability became widely known in 2021 because information about it was leaked before Microsoft could issue a security patch.

ZeroLogon

ZeroLogon is a critical vulnerability that affects the NetLogon protocol on Windows Server systems. It allows cybercriminals to conduct a 'privilege escalation' attack and gain administrator access to a domain controller.

For example, a cybercriminal could use ZeroLogon to compromise a Windows domain to modify user accounts or install malware.

NoPAC

NoPAC is a technique that exploits Windows network functions to conduct traffic redirection attacks and capture data.

'NoPAC' stands for 'No Proxy Auto Configuration,' and the exploit focuses on manipulating the proxy settings of a Windows system to route traffic through a server controlled by the attacker.

One of the most notable features of this ransomware is the use of Evasion tools for EDR (Endpoint Detection and Response), capable of bypassing security systems like Windows Defender.

Cybercriminals launch their attacks using the Qakbot Trojan, developed to steal personal information, which is executed through emails.

How to protect yourself against the Black Basta ransomware?

Like any ransomware threat, protecting against 'Black Basta' requires a combination of preventative and incident response solutions.

• Keep operating systems as well as applications and software updated.

• Use cybersecurity solutions such as antivirus, anti-phishing, firewall, etc.

• Have a backup system in place.

• Access control and permission management to prevent data leaks.

• Perform regular security monitoring.

• Have a cybersecurity strategy, an information security policy, and a ransomware response plan in place.

At ESED, as specialists in cybersecurity, we offer solutions to help you protect your most valuable asset, your data.

You can contact our team of experts at the following link.