BlackBasta infiltrated 2 more companies recently, one based in UK and the other in Japan. The attacks were coordinated and took place a day apart.
BlackBasta shows a predilection for attacking US, Canadian, and Japanese targets, although UK, Australia, and New Zealand are also on the hit list. The organization is extremely active and effective, managing to reach 100 victims in the first few months.
This qualifies BlackBasta as a highly resourceful ransomware actor. Unlike other ransomware organizations, BlackBasta values accuracy and premeditation rather than shooting in the dark.
Many ransomware groups prefer to attack in bulk and hope that sometimes stick. This can be a waste of resources, which isn’t necessarily a problem if most of the attacks are successful and some victims pay the ransom. But BlackBasta operates differently.
Rather than shooting arrows in the dark, the group analyzes the market and finds the best opportunities available. They always assess the victim’s profile and analyze its vulnerabilities to increase the likelihood of successful breach.
We believe security online security matters and its our mission to make it a safer place.
BlackBasta first emerged in the first trimester of 2022 and quickly grew from there. The organization appeared to be very resourceful, competent, and active, which was unusual for newcomers. Everything started to make sense soon.
Independent investigation groups found code similarities between BlackBasta and Conti, one of the most infamous and powerful ransomware actors. With Conti vanished from the public sphere, the natural assumption was that BlacBasta was its successor.
The organization’s MO and code structure are similar to those of Conti, but the group soon took on its own identity. BlackBasta relies on the double-extortion tactic, encrypting parent files and cloning and exfiltration relevant data.
The victim also receives a ransom note with instructions regarding how to contact a BlackBasta representative for negotiations. These always take place on a TOR network, which makes tracking the attacker virtually impossible.
The victim has the option to pay the ransom or refuse, in which case the attacker will publish the stolen data publicly. It’s not clear whether the 2 victims today chose to pay, but the ransom notes state that they have up to a week to do so.