Black Basta, a new ransomware operation that has attacked at least a dozen firms, has some experts suspecting a link to the infamous Conti gang. Although Black Basta was first observed in mid-April, MalwareHunterTeam researchers found a sample that appears to have been compiled in February.
The hackers behind Black Basta use malware to encrypt data on infected systems, appending the .basta extension to the encrypted files. Like many other ransomware gangs, they also exfiltrate large amounts of data from victims to increase the pressure to pay.
Minerva, a cybersecurity company, performed a technical analysis of the Black Basta ransomware and found that it requires administrator credentials to run. According to the company's researchers, the malware manipulates the Windows Fax service to maintain persistence on infected PCs.
On its leak website, the Black Basta group has named about a dozen firms as victims who refused to pay. The American Dental Association is among them, as is Deutsche Windtechnik, a German wind turbine manufacturer that recently confirmed the breach but said its wind turbines were never at risk. The hackers have published more than 100 GB of data purportedly taken from Deutsche Windtechnik.
MalwareHunterTeam believes the "Black Basta ransomware gang must have something to do with Conti." This assessment is based on similarities between their leak sites, their payment sites, and the way their "support" employees talk and behave. Other researchers agree that there are similarities to the Conti operation.
In the meantime, the Conti group continues announcing new targets, including government organizations in Peru and Costa Rica.
In fact, Conti ransomware activity has surged in the past weeks, despite the cybercriminals’ operations being exposed by a pro-Ukraine hacktivist.
The hacktivist used a Twitter account named “ContiLeaks” to make available chat logs, credentials, email addresses, C&C server details and even source code from the Conti operations. The leaks came in response to the Conti group expressing its support for the Russian government in its invasion of Ukraine.
While some believed the leaks could hurt Conti operations, Secureworks reported recently that the number of new victims added to Conti’s website in March 2022 exceeded 70, significantly more than the average of 43 victims per month seen in 2021.