Black Basta Ransomware Group Going After New Targets: Report

Security researchers with Cybereason have warned, in their latest update on the new threat group, that the Black Basta ransomware-as-a-service group has been observed targeting manufacturing, construction, pharmaceuticals and other industries. Additionally, the ransomware syndicate has developed a Linux variant designed to attack VMware ESXi virtual machines running on enterprise servers.

Chris Olson, CEO of The Media Trust, had this to say:

“Today, data breaches aren’t just about stealing sensitive data for financial gain: they are also a danger to public safety. On average, cyber defenders have less than an hour to stop a ransomware event in progress. In addition to virtualization and cloud computing software, web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters. Businesses must pivot to prevention over treatment, monitoring IT and digital infrastructure in real time while working to harden entry points.”

I’ve written about the fact that you have less than an hour to stop a ransomware attack here. That alone makes defending against these attacks a must. I would read the warning and my previous story so that you can harden your enterprise accordingly.

UPDATE: I have additional commentary from Jake Williams, who is the Executive Director of Cyber Threat Intelligence for SCYTHE:

The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of security access to hypervisor systems. While Black Basta isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations.

Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.

And I have additional commentary from Robert Shaughnessy, VP, Federal for GRIMM:

“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading, one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”
