Cybereason, the XDR company, has issued a global threat alert advisory warning global organisations about a rise in ransomware attacks from the Black Basta gang. The Black Basta gang emerged in April 2022 and has victimised nearly 50 companies in the US, UK, Australia, New Zealand and Canada. Organisations in English speaking countries appear to be targets. Cybereason assesses the threat level of ransomware attacks against global organisations today being HIGHLY SEVERE.
“Since Black Basta is relatively new, not a lot is known about the group. Due to its rapid ascension and the precision of its attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021,” said Lior Div, Cybereason CEO and Co-founder.
Black Basta has been using the double extortion scheme on its victims and some of its ransom demands have exceeded US$1 million. Double extortion works when attackers penetrate a victim’s network, steal sensitive information by moving laterally through organisations and threaten to publish the stolen data unless the ransom demand is paid.
Ransomware attacks can be stopped and Cybereason offers these recommendations to organisations to reduce their risks:
- Practicing good security hygiene like implementing a security awareness programme for employees, assuring operating systems and other software are regularly updated and patched.
- Assuring key players can be reached at any time of day as critical response actions can be delayed during holidays and when attacks occur during off hours and on weekends and holidays.
- Conducting periodic table-top exercises and drills and including those beyond the security team like Legal, Human Resources, IT Support and all the way up to the Executive Suite is also key to running a smooth incident response.
- Ensuring clear isolation practices are in place to stop any further ingress on the network or spreading of the ransomware to other devices. Teams should be proficient at things like disconnecting a host, locking down a compromised account and blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended.
- Evaluating lockdown of critical accounts when possible. The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
- Deploying EDR on all endpoints. The quickest remedy to the ransomware scourge for public and private sector businesses is deploying EDR on endpoints according to Gartner’s Peter Firstbrook. Yet Firstbrook says that only 40% of endpoints have EDR.