BankCard USA Pwned By Black Basta… And Gets Advice On How Not To Get Pwned After Paying The Ransom

On July 26th, after a month of negotiations, BankCard USA (BUSA) paid a $50,000 ransom to prevent the release of files stolen by the ransomware group Black Basta. followed the negotiation chat between BUSA and Black Basta from day one and reports that hundreds of other people were able to follow the evolution of the negotiation live. The entire chat transaction, including samples of the stolen data, was available as it unfolded. The initial ask of $1.5 million was whittled down to $50,000 in bitcoin, and in return for payment the thieves promised to meet BUSA’s requests:

  1. Decryptor for all Windows machines;
  2. Non-recoverable removal of all downloaded data from their side, with a deletion log
  3. No publication of any kind
  4. No selling of their data
  5. No giving their data away
  6. Security report on how they were hacked to fix their vulnerabilities and avoid such situations in future.
  7. Guarantee BlackBasta will not attack their company again.

The ransomware group also provided BUSA with a helpful list of how to prevent future attacks:

  1. Use a sandbox to analyze the contents of letters and their attachments.
  2. Use password security policies
  3. Make protection from attacks like Pass-the-Hash and Pass-the-Ticket
  4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
  5. Implement hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
  6. Block kerberoasting attacks
  7. Conduct full penetrations tests and audit
  8. Use and update anti-virus/anti-malware and malicious traffic detection software
  9. Configure group policies, disable the default administrator accounts, create new accounts.
  10. Backups. They must have offline backups that do not have access to the network.
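Item 6 in that list (kerberoasting) is the one most often caught in logs rather than blocked outright. A kerberoasting run typically shows up as one user account requesting RC4-encrypted service tickets (Event ID 4769, encryption type 0x17) for many different service accounts in a short burst. The detector below is an added example written for this article, not code from any party named in it; the event records are constructed samples, and the field names (`account`, `service`, `enc_type`, `status`) are assumed stand-ins for the 4769 fields "Account Name", "Service Name", "Ticket Encryption Type" and "Failure Code". It also generalizes the single item into a sliding-window rule so a practitioner can tune the threshold.

```python
"""Flag kerberoasting-style bursts in Windows Security event 4769 records.

Added example for this article; SAMPLE_EVENTS is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                       # TicketEncryptionType value for RC4-HMAC
DEFAULT_THRESHOLD = 5                   # distinct service accounts per requester
DEFAULT_WINDOW = timedelta(minutes=5)   # time window for the burst

# Constructed sample events. Field names are assumptions that mirror the 4769
# "Account Name", "Service Name", "Ticket Encryption Type" and "Failure Code".
SAMPLE_EVENTS = [
    # Normal TGT traffic: krbtgt with AES, not interesting.
    {"time": "2023-07-20T08:59:00", "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "enc_type": "0x12", "status": "0x0"},
    # jdoe pulls RC4 tickets for six different service accounts within seconds.
    {"time": "2023-07-20T09:00:01", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:00:02", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:00:03", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:00:04", "account": "jdoe@CORP.LOCAL", "service": "svc_sharepoint", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:00:05", "account": "jdoe@CORP.LOCAL", "service": "svc_exchange", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:00:06", "account": "jdoe@CORP.LOCAL", "service": "svc_print", "enc_type": "0x17", "status": "0x0"},
    # A workstation account requesting an AES ticket: ordinary.
    {"time": "2023-07-20T09:05:00", "account": "WS01$@CORP.LOCAL", "service": "svc_sql", "enc_type": "0x12", "status": "0x0"},
    # asmith uses two services with RC4 half an hour apart: legacy client, not a burst.
    {"time": "2023-07-20T09:10:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "enc_type": "0x17", "status": "0x0"},
    {"time": "2023-07-20T09:40:00", "account": "asmith@CORP.LOCAL", "service": "svc_web", "enc_type": "0x17", "status": "0x0"},
    # RC4 ticket for a computer account: machine passwords are random, so not roastable.
    {"time": "2023-07-20T09:20:00", "account": "bob@CORP.LOCAL", "service": "DB01$", "enc_type": "0x17", "status": "0x0"},
]


def is_roastable_request(event):
    """True for a successful RC4 service ticket request against a user-backed
    service account (not krbtgt, not a computer account ending in '$')."""
    service = event["service"].lower()
    return (
        event["enc_type"] == RC4_HMAC
        and event["status"] == "0x0"
        and service != "krbtgt"
        and not service.endswith("$")
    )


def detect_kerberoasting(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {requesting account: sorted service names} for every account that
    requested RC4 tickets for `threshold` or more distinct service accounts
    inside any `window`-long interval."""
    by_account = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            by_account[event["account"]].append(
                (datetime.fromisoformat(event["time"]), event["service"])
            )

    alerts = {}
    for account, requests in by_account.items():
        requests.sort()
        # Slide the window start across each request and count distinct services.
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[account] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: RC4 tickets for {len(services)} services: {', '.join(services)}")
```

Run against the samples, only `jdoe@CORP.LOCAL` is flagged; the legacy client and the computer-account request fall through the filters. In a real deployment the complementary preventive steps are to set the service accounts' `msDS-SupportedEncryptionTypes` to AES only (so RC4 requests fail and stand out), give such accounts long random passwords or move them to group Managed Service Accounts, and tune the threshold to the environment's baseline of RC4 traffic.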

So, if the whole world can view the process and payment and data shared, just how much faith should victims put in the attacker’s promises?

Carol Volk, EVP, BullWall:

“That’s an awfully expensive consultant they’ve got there! Their list of 10 recommendations is a good start, but as soon as organizations become better at plugging holes, new holes will appear. It’s never-ending. While plugging the holes is important, more effort needs to be put towards containing active attacks; not just trying to prevent them by staying one step ahead of ransomware groups. Imagine if the attack was immediately contained and Black Basta wasn’t able to get the data to begin with?”

Willy Leichter, VP of Marketing, Cyware:

“Paying a ransom and relying on the integrity of cybercriminals to “return” your data is a dubious strategy. This is still a data breach and requires the same level of public disclosure. Getting the data back may help the bank maintain its operations, but it offers little comfort to the customers whose data has been compromised.

“To improve resiliency, organizations should:

  1. Enable security controls such as multi-factor authentication
  2. Implement regular security awareness training for employees
  3. Invest in context-rich intelligence and/or partner with intelligence sharing organizations
  4. Develop, maintain, and run through an organizational incident response plan
  5. Keep all systems patched and software updated”

Stephen Gates, Principal Security SME,   

“According to the report on, it’s interesting what Black Basta recommends Bankcard USA (BUSA) do in the future to help thwart similar attacks. The recommendations the hacking group provides in the back-and-forth correspondence are actually quite good since they highlight some of the issues autonomous penetration testing can easily find in many organizations’ networks. Surprisingly, the hacker group even says, “conduct full penetrations tests and audit” which is really good advice for all organizations.   

“One last thing… As of July 31st, 0900 hours EDT, it appears the security certificate for expired 2 days ago. If anyone were to override their browser protections and log into their account right now, their traffic would not be encrypted.” 

It shouldn’t take getting pwned by hackers to figure out what you need to do to secure yourself. You should be taking proactive measures to avoid getting pwned, and spending whatever you have to in order to be as secure as possible. That’s way better than what happened here.
