BlackBasta Ransomware Attacks 2 in UK and Japan
BlackBasta infiltrated 2 more companies recently, one based in UK and the other in Japan. The attacks were coordinated and took place a day apart.
- The victims are high-end providers in their respective fields with millions of national and international clients
- Southern Water provides water services to millions of customers across the UK, while Asahi Glass (ASG) ranks as the first sheet glass manufacturer
- BlackBasta targeted the 2 companies with powerful ransomware tools, managing to secure confidential information
- Neither of the 2 companies came publicly to comment the incident
BlackBasta shows a predilection for attacking US, Canadian, and Japanese targets, although UK, Australia, and New Zealand are also on the hit list. The organization is extremely active and effective, managing to reach 100 victims in the first few months.
This qualifies BlackBasta as a highly resourceful ransomware actor. Unlike other ransomware organizations, BlackBasta values accuracy and premeditation rather than shooting in the dark.
Many ransomware groups prefer to attack in bulk and hope that sometimes stick. This can be a waste of resources, which isn’t necessarily a problem if most of the attacks are successful and some victims pay the ransom. But BlackBasta operates differently.
Rather than shooting arrows in the dark, the group analyzes the market and finds the best opportunities available. They always assess the victim’s profile and analyze its vulnerabilities to increase the likelihood of successful breach.
Our Mission
We believe security online security matters and its our mission to make it a safer place.
Who Is BlackBasta?
BlackBasta first emerged in the first trimester of 2022 and quickly grew from there. The organization appeared to be very resourceful, competent, and active, which was unusual for newcomers. Everything started to make sense soon.
Independent investigation groups found code similarities between BlackBasta and Conti, one of the most infamous and powerful ransomware actors. With Conti vanished from the public sphere, the natural assumption was that BlacBasta was its successor.
The organization’s MO and code structure are similar to those of Conti, but the group soon took on its own identity. BlackBasta relies on the double-extortion tactic, encrypting parent files and cloning and exfiltration relevant data.
The victim also receives a ransom note with instructions regarding how to contact a BlackBasta representative for negotiations. These always take place on a TOR network, which makes tracking the attacker virtually impossible.
The victim has the option to pay the ransom or refuse, in which case the attacker will publish the stolen data publicly. It’s not clear whether the 2 victims today chose to pay, but the ransom notes state that they have up to a week to do so.