Connect with us

Threat Actors

Spearwing / Medusa Ransomware Threat Actor Profile

Medusa is a notable ransomware-as-a-service (RaaS) variant that emerged in June 2021, utilizing a double extortion model to encrypt data and threaten public release of sensitive information. Operated by the group “Spearwing,” Medusa has shifted towards an affiliate model, significantly impacting critical sectors like healthcare and manufacturing, with over 300 reported victims by early 2025. The introduction of a dedicated leak site in 2023 and a 42% surge in attacks from 2023 to 2024 highlight its growing threat. Organizations must strengthen cybersecurity measures, including patching vulnerabilities and implementing multi-factor authentication, to counteract this persistent danger.

Published

3 days ago

on

In the rapidly changing environment of cyber threats, Medusa stands out as a particularly menacing ransomware-as-a-service (RaaS) variant that first emerged in June 2021. Employing a double extortion model, this ransomware not only encrypts its victims’ data but also threatens to publicly release sensitive information if the ransom demands are not met. This dual-layered approach has enabled Medusa to significantly escalate its operations, with its impact felt across critical sectors, including healthcare, education, and manufacturing, where over 300 victims have been reported by early 2025.

The group behind Medusa, known as “Spearwing,” has transitioned from a closed ecosystem to a broader affiliate model, leveraging initial access brokers to extend its reach and effectiveness. With the introduction of a dedicated data leak site in early 2023 and a marked increase in attacks, understanding the tactics, techniques, and implications of Medusa ransomware is crucial for organizations striving to bolster their cybersecurity defenses in the face of such persistent threats.

The following sections will delve deeper into Medusa’s operational model, extortion tactics, technical details, and strategies for mitigation.

Overview and Origins

Medusa is identified as a ransomware-as-a-service (RaaS) variant that was first observed in June 2021. It has become increasingly prolific since then. The group operates a double extortion model, where they not only encrypt victim data but also threaten to publicly release exfiltrated data if a ransom is not paid. Medusa is distinct from the older MedusaLocker ransomware variant and the unrelated Medusa mobile malware. The group is tracked by Symantec as “Spearwing“. In early 2023, Medusa launched the “Medusa Blog,” a dedicated leak site to publish data from non-paying victims.

Activity and Impact

As of February 2025, Medusa developers and affiliates had impacted over 300 victims from a variety of critical infrastructure sectors. These sectors include medical, education, legal, insurance, technology, and manufacturing. There was a 42% surge in Medusa attacks between 2023 and 2024, and this increase continued into early 2025, with almost twice as many attacks observed in January and February 2025 compared to the same period in 2024. The true number of victims is likely higher than the number listed on their data leak site. Ransom demands have ranged from $100,000 to $15 million. The impact of Medusa ransomware can be devastating, leading to operational disruptions, financial losses, and reputational damage.

Operating Model

Medusa operates as a RaaS platform. Initially a closed group, it has since expanded to use an affiliate-based ecosystem. Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to gain initial access. Potential payments between $100 USD and $1 million USD are offered to these affiliates. Important operations such as ransom negotiation are still centrally controlled by the developers. There is some question as to whether Spearwing operates as a “typical” RaaS, given the consistency of tactics used, possibly indicating the group carries out attacks themselves or works with a very limited number of affiliates and provides a detailed playbook.

Extortion Tactics

Medusa employs a double extortion model, encrypting data and threatening to publish exfiltrated data on their .onion data leak site (Medusa Blog) if the ransom is not paid. They operate a public Telegram channel (“information support”) where they also publicise hacks and release stolen data, making it more accessible than some other ransomware groups. Ransom demands are posted on the leak site with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. They also advertise the sale of the data to interested parties before the countdown timer ends. Victims can pay $10,000 USD in cryptocurrency to add a day to the countdown timer. FBI investigations identified a potential triple extortion scheme where a separate Medusa actor contacted a victim after ransom payment, claiming the negotiator stole the initial payment and demanding a second payment.

Technical Details (TTPs)

  • Initial Access (TA0001):
    • Phishing campaigns (T1566) are a primary method for stealing victim credentials.
    • Exploitation of unpatched software vulnerabilities (T1190) through Common Vulnerabilities and Exposures (CVEs) such as ScreenConnect vulnerability CVE-2024-1709 and Fortinet EMS SQL injection vulnerability CVE-2023-48788. They have also exploited Microsoft Exchange Server vulnerabilities (ProxyShell, CVE-2021-34473).
    • Recruitment of initial access brokers (IABs) (TA0001).
    • Use of compromised RDP credentials (T1133).
    • Uploading webshells to exploited Microsoft Exchange Servers.
  • Execution (TA0002):
    • Use of PowerShell (T1059.001) and the Windows Command Prompt (cmd.exe) (T1059.003) for various tasks.
    • Leveraging legitimate tools like ConnectWise, PDQ Deploy, and PsExec.
    • Use of batch scripts including gaze.exe.
    • Utilising Windows Management Instrumentation (WMI) (T1047) for querying system information and deleting shadow copies.
  • Persistence (TA0003):
    • Modifying the registry (T1547.001, HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
    • Creating malicious scheduled tasks (T1053).
    • Creating domain accounts (T1136.002).
  • Privilege Escalation (TA0004):
    • Abuse of Elevation Control Mechanism (T1548.002) by bypassing User Account Control (UAC).
    • Use of valid accounts (T1078) obtained through various methods.
    • LSASS memory dumping (T1003.001) using tools like Mimikatz.
  • Defense Evasion (TA0005):
    • Use of living off the land (LOTL) techniques (TA0005) to avoid detection, leveraging legitimate tools present in the victim environment.
    • Using Certutil (certutil.exe) for file ingress to avoid detection.
    • Employing various PowerShell detection evasion techniques, including base64 encryption and string obfuscation.
    • Attempting to delete PowerShell command line history (T1070.003).
    • Attempting to use vulnerable or signed drivers (Bring Your Own Vulnerable Driver – BYOVD) (T1562.001) to kill or delete endpoint detection and response (EDR) tools. Malicious drivers like ABYSSWORKER (imitating a CrowdStrike Falcon driver) are used. They also use tools like KillAV and POORTRY.
    • Using reverse tunneling tools like Ligolo and Cloudflared (formerly ArgoTunnel) for command and control and evasion.
    • Disabling Windows Defender and other antivirus services.
    • Rebooting systems into Safe Mode.
    • Deleting previously installed tools (T1070).
  • Discovery (TA0007):
    • Using legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner (NetScan) for initial user, system, and network enumeration.
    • Scanning commonly used ports (21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389).
    • Using PowerShell and cmd.exe for network (T1046) and filesystem enumeration (T1083).
    • Utilizing Windows Management Instrumentation (WMI) (T1047) for querying system information.
    • Querying shared drives (T1135) on the local system.
    • Gathering system network configuration (T1016) and detailed system information (T1082) using commands like ipconfig /all and systeminfo.
    • Attempting to find domain-level group and permission settings (T1069.002).
    • Using driverquery, net share, net use, netstat -a, sc query, schtasks, ver, wmic for reconnaissance.
  • Lateral Movement (TA0008):
    • Using a variety of legitimate remote access software (T1219) such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.
    • Utilizing Remote Desktop Protocol (RDP) (T1021.001).
    • Using PsExec (T1569.002) to move laterally and deploy the encryptor.
    • Leveraging SMB/Windows Admin Shares (T1021.002).
  • Exfiltration (TA0010):
    • Identifying files for exfiltration.
    • Installing and using Rclone (T1567.002) to facilitate data exfiltration to Medusa C2 servers.
  • Encryption (T1486):
    • Deploying the encryptor, gaze.exe, across the network using tools like PsExec, PDQ Deploy, or BigFix (T1072).
    • Terminating services (T1489) related to backups, security, databases, communication, file sharing, and websites.
    • Deleting shadow copies (T1490).
    • Encrypting files with AES-256.
    • Appending the .medusa file extension to encrypted files.
    • Dropping the ransom note, typically named !!!READ_ME_MEDUSA!!!.txt.
    • Manually turning off (T1529) and encrypting virtual machines.
    • Deleting itself after encryption.
  • Command and Control (C2):
    • Using reverse tunneling tools like Ligolo and Cloudflared.
    • Communicating using application layer protocols associated with web traffic (T1071.001), including scripts that create reverse or bind shells over port 443 (HTTPS).
    • Leveraging remote access software (T1219) for control.

Indicators of Compromise (IOCs)

  • File Paths and Names:
    • csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec\gaze.exe.
    • svhost.exe (in AppData).
    • !!!READ_ME_MEDUSA!!!.txt.
    • openrdp.bat.
    • pu.exe.
  • File Extensions:
    • .medusa.
    • .mylock.
    • .s3db (observed in one Darktrace investigation).
  • Domains & URLs:
    • medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion.
    • go-sw6-02.adventos[.]de.
    • medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion.
  • Registry Keys:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MDSLK.
  • Email Addresses (used for ransom negotiation):
    • key.medusa.serviceteam@protonmail.com.
    • medusa.support@onionmail.org.
    • mds.svt.breach@protonmail.com.
    • mds.svt.mir2@protonmail.com.
    • MedusaSupport@cock.li.
  • Hashes (examples): See Table 1 in source and hashes listed in. Note that some sources redact hashes.
  • Credentials (observed in a Darktrace investigation): Svc-ndscans, Svc-NinjaRMM.

Mitigation Strategies

Organisations are advised to:

  • Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
  • Segment networks to limit lateral movement.
  • Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.
  • Implement the recommendations in the Mitigations section of the CISA advisory.
  • Enable MFA for RDP and VPNs.
  • Disable PowerShell for non-administrators.
  • Regularly back up data offline. Ensure backups are immutable.
  • Implement strong security measures, including up-to-date security solutions.
  • Use hard-to-crack unique passwords and enable multi-factor authentication.
  • Encrypt sensitive data wherever possible.
  • Reduce the attack surface by disabling unnecessary functionality.
  • Educate and inform staff about cyber threats and methods used by attackers.
  • Block known Medusa domains.
  • Detect unusual RDP access patterns and SMB enumeration.
  • Use behavioral analytics to detect mass file encryption.
  • Isolate infected systems immediately.
  • Restore from offline backups.
  • Report incidents to CISA/FBI.
  • Consider using AI-powered endpoint protection and AI-powered email protection.
  • Create and regularly test a detailed incident response plan.
  • Disable unused remote access tools or secure them with strong passwords and MFA.
  • Apply the principle of least privilege.
  • Consider disabling command-line and scripting activities and permissions to limit LotL techniques.
  • Validate security controls against the MITRE ATT&CK techniques outlined in the advisory.

Relationships and Ecosystem

The Medusa ransomware group appears to operate independently, with its own infrastructure. However, the organised cybercrime group “Frozen Spider” is believed to be a key player in the Medusa ransomware operation, collaborating with other threat actors as part of the larger cybercrime-as-a-service (CCaaS) ecosystem. In June 2023, an early Medusa attack used drivers related to those previously used in a BlackCat (aka Noberus) attack, suggesting a possible sharing of tools or affiliates, although no further evidence strongly links the two groups. Medusa heavily relies on initial access brokers (IABs) to gain access to victim networks.

Branding and Public Presence

Medusa operates a data leak site (Medusa Blog) on the dark web (.onion). They also maintain a public Telegram channel (“information support”) used to publicise victims and leak data. Additionally, they have been linked to a Facebook profile and an X (formerly Twitter) account under the brand ‘OSINT Without Borders,’ run by operators using pseudonyms ‘Robert Vroofdown’ and ‘Robert Enaber,’ along with an associated website. These public-facing properties are likely intended to exert more pressure on victims and spread awareness of the Medusa ransomware threat. The group has a “Medusa Media Team” that has even published videos showing evidence of stolen data on their blog.

Conclusion

Medusa ransomware represents a significant and evolving cyber threat targeting a wide range of critical infrastructure sectors globally. Its use of a double (and potentially triple) extortion model, reliance on affiliates and IABs, and consistent employment of both sophisticated and LOTL techniques make it a challenging adversary. Organisations must adopt a defense-in-depth strategy, continuously update their threat intelligence, and implement robust security controls to mitigate the risk posed by Medusa ransomware.

Related Topics:
Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Threat Actors

Salt Typhoon: A Deep Dive into a Persistent Cyber Espionage Threat

Salt Typhoon, a Chinese state-sponsored APT, remains a major cyber espionage threat, targeting telecoms, governments, and technology sectors. Recent activity shows exploitation of Cisco IOS XE devices, impacting organisations globally. Defend with robust cybersecurity, prioritise patching, and share threat intelligence to counter this persistent adversary.

Published

2 months ago

on

February 17, 2025

By

Salt Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage campaigns, primarily targeting the telecommunications, government, and technology sectors. The group’s operations extend beyond intelligence gathering, aiming to exert strategic pressure on adversaries by targeting critical infrastructure and key industries.

Aliases and Affiliations

Salt Typhoon operates under various aliases, including:

  • Earth Estries.
  • GhostEmperor.
  • FamousSparrow.
  • UNC2286.
  • RedMike.

The group is believed to be affiliated with China’s Ministry of State Security (MSS). Connections to other Chinese APT groups, such as DRBControl, SparklingGoblin, and the Winnti Group, have also been observed, indicating shared methodologies and a coordinated state-backed effort.

Timeline and Key Campaigns

  • 2019: Believed to be active since at least 2019, with some suggesting activity as far back as 2017.
  • March 2021: Exploited ProxyLogon vulnerabilities in Microsoft Exchange servers.
  • Late 2023: Resurfaced with network compromises involving the Demodex rootkit.
  • September 2024: Breached US Internet Service Providers (ISPs).
  • November 2024: Targeted T-Mobile, exfiltrating customer call records and metadata.
  • December 2024 – January 2025: Exploited Cisco IOS XE network devices, targeting telecommunications providers and universities globally.

Target Sectors and Geographic Focus

Salt Typhoon’s targets span various sectors:

  • Telecommunications: Wireline and wireless telephone providers, internet service companies.
  • Government: Government entities, including those involved in national security and law enforcement.
  • Technology: Companies in the information and communication technology sector.
  • Hotels: Targeting hotels to monitor the locations of key individuals.
  • Various Others: Militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices.

The group’s geographic focus is broad, encompassing:

  • North America: Primarily the United States.
  • Southeast Asia: Focused efforts on hotels and telecommunications companies.
  • Other Regions: Including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon employs a range of sophisticated TTPs to infiltrate and maintain persistence within target environments:

  • Initial Access:
    • Exploiting public-facing applications.
    • Spearphishing attachments.
    • Exploitation of known vulnerabilities.
  • Execution:
    • Using command and scripting interpreters like PowerShell.
    • Executing malicious files, such as side-loaded DLLs.
  • Persistence:
    • Modifying the registry.
    • Creating or modifying system processes.
    • Kernel-mode malware.
  • Privilege Escalation:
    • Exploiting vulnerabilities.
    • Scheduled tasks/jobs.
  • Defense Evasion:
    • Obfuscated files or information.
    • Masquerading.
    • Indicator removal.
  • Lateral Movement:
    • Exploitation of remote services.
    • Leveraging valid credentials.
  • Credential Access:
    • Dumping credentials from password stores and web browsers.
    • Extracting credentials from files.
  • Collection:
    • Gathering data from local systems.
    • Monitoring clipboard data.
  • Command and Control:
    • Using remote access software.
    • Employing internal proxy servers.
  • Impact:
    • Data encrypted for impact (primarily for espionage, not extortion).

Toolset and Malware

Salt Typhoon utilises a diverse toolkit comprising legitimate, custom-made, and borrowed tools:

  • Custom Backdoors: SparrowDoor and Demodex.
  • Rootkits: Demodex, a Windows kernel-mode rootkit.
  • Loaders: SparrowDoor loader.
  • Remote Access Trojans (RATs): Masol RAT and SnappyBee (aka Deed RAT).
  • Exploitation Tools: Mimikat_ssp (a Mimikatz variant), Get-PassHashes.ps1, GetPwd, Token.exe.
  • Living off the Land Binaries (LOLBins): Utilising legitimate system tools to perform malicious activities.
  • GhostSpider New backdoor malware.
  • Derusbi: A DLL-based backdoor.
  • Motnug: A shellcode loader.
  • NinjaCopy: Tool to bypass security mechanisms and extract sensitive system files.

The group’s malware often incorporates anti-forensic and anti-analysis techniques to evade detection.

Vulnerabilities Exploited

Salt Typhoon has been known to exploit the following vulnerabilities:

  • CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN).
  • CVE-2023-48788 (Fortinet FortiClient EMS).
  • CVE-2022-3236 (Sophos Firewall).
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon).
  • CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE Software).

Countermeasures and Mitigation Strategies

Defending against Salt Typhoon requires a comprehensive, multi-layered approach:

  • Robust Cybersecurity Frameworks: Implementing zero-trust architecture, continuous monitoring, and regular vulnerability assessments.
  • Patch Management: Applying security patches promptly, particularly for known vulnerabilities in Cisco devices and other network infrastructure.
  • Network Segmentation: Isolating critical systems and implementing strict access control lists (ACLs) to regulate network traffic.
  • Threat Intelligence: Sharing threat intelligence and staying informed about Salt Typhoon’s latest TTPs.
  • Incident Response: Developing and testing incident response plans to effectively contain and eradicate intrusions.
  • Out-of-Band Management: Utilising a physically separate management network to prevent unauthorised access to operational networks.
  • Secure by Design Principles: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
  • Encrypted Communications: Advising individuals concerned about privacy to use encrypted messaging apps and voice communications.

Attribution and Geopolitical Context

Salt Typhoon’s activities align with China’s broader geopolitical objectives, including intelligence collection, monitoring individuals, and potential disruption of adversarial capabilities. The group’s targeting of telecommunications companies enables them to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.

Conclusion

Salt Typhoon represents a significant and persistent threat to global telecommunications infrastructure and other critical sectors. The group’s advanced TTPs, diverse toolkit, and state-sponsored backing make it a formidable adversary. Organisations must adopt a proactive and multi-layered approach to security, prioritising vulnerability management, network segmentation, and threat intelligence sharing, to effectively defend against this evolving threat. Continuous vigilance and collaboration between public and private sectors are essential to mitigating the risks posed by Salt Typhoon and similar APT groups.

Continue Reading

CISO Blog

The Black Basta Menace: A Deep Dive

Published

5 months ago

on

December 2, 2024

By

This ransomware gang is a real pain in the neck. They’re relentless, sophisticated, and they’re not afraid to target anyone, from small businesses to large corporations…..you are not unlucky if they hit you they TARGET you
These cybercriminals are like digital pirates, sailing the high seas of the internet and plundering unsuspecting Spanish Galleons. They use every trick in the book, from phishing emails to exploiting vulnerabilities. And once they’re in, they wreak havoc, encrypting data and demanding a ransom.

So, what can you do to protect yourself from these cyber pirates? Well, for starters, you need to be vigilant. Don’t click on suspicious links, keep your software up-to-date, and use strong, unique passwords. And if you’re really serious about security, invest in a good cybersecurity solution.

 
Remember, the best defense is a good offense. Stay informed, stay vigilant, and most importantly, stay safe.
 
 
Want to know more? Take a look at my complete writeup of Black Basta
Black Basta Ransomware Group: A Deep Dive
Continue Reading

Threat Actors

Black Basta Ransomware Group: A Deep Dive

Published

5 months ago

on

December 1, 2024

By

1       Background

Black Basta is a Ransomware-as-a-Service (RaaS) group that first appeared in April 2022 and quickly gained notoriety for targeting various sectors, including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta has reportedly compromised over 500 organisations worldwide. The group meticulously chooses its victims to maximise each attack’s impact.

2       Black Basta’s Tactics and Techniques

Black Basta employs a multi-stage attack that leverages a combination of sophisticated techniques and readily available tools to infiltrate, compromise, and extort its targets. The group is known for its use of double extortion, where they not only encrypt a victim’s data but also threaten to release sensitive information publicly if the ransom is not paid.

Here’s a breakdown of the typical attack chain:

2.1      Initial Access

Black Basta utilises various methods to gain a foothold in the target network:

  1. Social Engineering: Attackers commonly use phishing emails, posing as IT helpdesk personnel, to trick employees into installing remote access tools like AnyDesk or Quick Assist.
  2. Exploiting Vulnerabilities: Black Basta exploits known vulnerabilities like CVE-2024-1709 (ConnectWise) and others to gain initial access or escalate privileges within the network.
  3. Insider Information and Purchased Access: The group actively seeks insiders within target organisations or purchases network access from initial access brokers (IABs) on underground forums like Exploit and XSS12.

2.2      Lateral Movement and Credential Harvesting

Once inside, the attackers move laterally to identify and compromise critical systems:

  1. Malware Deployment: They deploy tools like QakBot, SystemBC, and Cobalt Strike beacons for credential theft, data exfiltration, and command and control (C2) operations.
  2. Credential Dumping: Tools like Mimikatz allow attackers to extract passwords from memory.
  3. Exploiting Native Windows Tools: Attackers leverage tools like PowerShell, PsExec, and WMI for executing commands and moving laterally within the compromised network.

2.3      Data Exfiltration and Encryption

Before deploying the ransomware, Black Basta prepares the target environment:

  1. Disabling Security Measures: Attackers use PowerShell scripts to disable antivirus software and endpoint detection and response (EDR) systems.
  2. Deleting Shadow Copies: They delete shadow copies using the vssadmin.exe tool to prevent system recovery.
  3. Exfiltrating Sensitive Data: Tools like RClone and WinSCP are used to transfer stolen data to attacker-controlled servers.

2.4      Encryption and Ransom Demand

The final stage involves deploying the ransomware and demanding payment:

  1. Ransomware Deployment: Black Basta’s ransomware typically uses the ChaCha20 encryption algorithm to encrypt files. Encrypted files are appended with a “.basta” extension.
  2. Ransom Note: They leave a ransom note, usually named “readme.txt,” which directs victims to a .onion site for ransom negotiations. Black Basta often sets a deadline of 10-12 days for payment before publishing the stolen data on their data leak site, Basta News.

3       Black Basta’s Evolving Sophistication

Black Basta has shown a continuous evolution in its tactics and techniques:

  1. Email Bombing and Vishing: The group has incorporated email DDoS (bombing) and vishing (voice phishing) tactics to overwhelm targets with spam emails and trick them into installing remote access tools.
  2. Microsoft Teams Exploitation: They leverage Microsoft Teams by creating accounts posing as IT support to contact victims and deceive them into granting access.
  3. Targeting Linux Systems: Black Basta has expanded its operations to target Linux-based VMware ESXi virtual machines.

4       Possible Links to Other Threat Actors

There is speculation that Black Basta may have connections to other prominent ransomware groups:

  1. Conti: Similarities in tactics, techniques, and procedures (TTPs) suggest a possible link to the now-defunct Conti group.
  2. FIN7: The use of a custom EDR evasion tool and overlapping C2 infrastructure points to a potential connection with the FIN7 (Carbanak) group3638.
  3. Impact and Mitigation

5       Potential Business Risks

Black Basta’s attacks have had significant consequences for organisations across various areas, such as:

  1. Financial Losses: Ransom payments, data recovery costs, and potential legal repercussions contribute to significant financial burdens.
  2. Reputational Damage: Data leaks and public exposure of sensitive information can damage an organisation’s reputation and erode customer trust.
  3. Operational Disruption: Attacks can disrupt critical business operations, leading to downtime and productivity loss.

6       Risk Mitigation

Organisations can mitigate the risk of Black Basta attacks by:

  1. Implementing strong cybersecurity measures: This includes multi-factor authentication, robust firewalls, regular software updates and patching, and effective antivirus and EDR solutions.
  2. Employee Training: Educating employees about phishing techniques, social engineering tactics, and best practices for handling suspicious emails is crucial.
  3. Robust Backup and Disaster Recovery Plans: Regularly backing up critical data and having a well-defined disaster recovery plan in place can help minimise the impact of an attack.
  4. Secure Remote Access: Ensuring that remote access protocols are secure and properly configured is essential to prevent unauthorised access.
  5. Proactive Threat Hunting: Using tools like Qualys EDR and implementing threat hunting queries can help detect suspicious activities related to Black Basta and other ransomware threats.

7       Indicators of Compromise  

There is a wide array of indicators that can help identify a potential or ongoing Black Basta ransomware attack. These indicators encompass network activities, file modifications, and suspicious user behaviours.

7.1      Network-Based Indicators

  1. Suspicious Domain Naming: Black Basta actors often use Microsoft Teams for social engineering. They create fake accounts with deceptive names like “Help Desk” using fraudulent Entra ID tenants1. The domain names often follow the *.onmicrosoft.com convention, with examples like cybersecurityadmin.onmicrosoft.com and supportserviceadmin.onmicrosoft.com.
  2. Command and Control (C2) Communication: Monitor network traffic for communication with known Black Basta C2 domains, many of which utilize Cobalt Strike. Examples include trailshop[.]net, realbumblebee[.]net, and numerous others.
  3. Specific IP Addresses: Although threat actors frequently change IP addresses, some recent ones associated with Black Basta activity include 170.130.165[.]73 (likely Cobalt Strike infrastructure), 66.42.118[.]54 (exfiltration server), and others.
  4. Tor Network Usage: Black Basta uses Tor hidden services for ransom negotiations and data leak sites. Increased Tor traffic might be an indicator of compromise.

7.2      File-Based Indicators

  1. File Extension Modification: Black Basta ransomware typically appends the “.basta” extension to encrypted files. However, they may also use random extensions.
  2. Ransom Note Presence: Look for ransom notes, often named “readme.txt,” on the victim’s desktop. The note provides a unique code and instructions to contact the ransomware group via a .onion URL.
  3. Unique Encryption Scheme: Black Basta utilizes a specific encryption scheme, prepending each file with a 133-byte ephemeral NIST P-521 public key, a 32-byte key XChaCha20, a 24-byte nonce, and a 20-byte HMAC, followed by null byte padding and a 12-byte campaign identifier.
  4. YARA Rules: The sources provide YARA rules that can be used to identify Black Basta ransomware files based on specific strings and file characteristics.

7.3      Behavioural Indicators

  1. Sudden Increase in Spam Emails: Black Basta may initiate an attack with email bombing to flood an employee’s inbox with spam, followed by Microsoft Teams contact under the guise of IT help desk support.
  2. Requests for Remote Access: Be wary of unsolicited requests for remote access, especially from individuals claiming to be IT support staff.
  3. Unexpected Software Installations: Observe for unusual software installations, particularly those disguised as anti-spam programs like AntispamConnectUS.exe.
  4. Disabling of Security Software: Black Basta often attempts to disable antivirus and EDR solutions before encrypting files.
  5. Deletion of Shadow Copies: Attackers use the vssadmin.exe tool to delete shadow copies to prevent system recovery.

8       Threat Hunting and Mitigation

There are several tools and techniques for hunting for Black Basta activity and mitigating its impact:

  1. Qualys EDR Hunting Queries: The sources provide hunting queries specifically designed to detect suspicious activities associated with Black Basta ransomware within the Qualys EDR environment.
  2. MITRE ATT&CK Mapping: The sources provide comprehensive mapping of Black Basta’s tactics and techniques to the MITRE ATT&CK framework, allowing security teams to understand the adversary’s behaviour and develop countermeasures.
  3. Proactive Security Measures: Implement robust security practices, including strong passwords, multi-factor authentication, regular software updates, and effective security software.
  4. Employee Awareness Training: Educate employees on phishing techniques, social engineering tactics, and best practices for secure online behaviour.

9       Conclusion

Black Basta poses a serious and evolving threat to organisations worldwide. Their use of sophisticated tactics, combined with their ability to adapt and innovate, makes them a formidable adversary. By understanding Black Basta’s methods and implementing robust security measures, organisations can reduce their risk of falling victim to their attacks.

Continue Reading

Trending

Copyright © 2017 Keller Holdings