American author Mark Twain famously said, “History doesn’t repeat itself, but it often rhymes.” As cybersecurity researchers scramble to analyze a rash of attacks from a rising threat group called Black Basta, they may feel a similar sentiment. The attacks aren’t exactly what we’ve seen before, but they look strikingly familiar. Similarities in payment sites, leak sites, and the observable mannerisms of its members have some analysts wondering if this group is a Conti rebrand.
Conti, the ransomware-as-a-service (RaaS) used in hundreds of successful attacks last year, has an interesting backstory. Facing strong backlash for its breach of Ireland’s public healthcare system last May, the group publicly released a decryptor key. However, it warned that stolen data would still be published or sold if the ransom was not paid. In February 2022, the ransomware group was hacked for supporting the Russian invasion of Ukraine. Cyber activists stole and publicized roughly 60,000 internal messages from Conti, leading the RaaS group to quickly shutter its command and control (C2) infrastructure.
A short time later, in April 2022, Black Basta stormed onto the ransomware scene, quickly breaching a dozen companies worldwide. The group has not engaged in any high-profile marketing or recruitment efforts, but its rapid successes leave little doubt that members are experienced threat actors. The swift closure of Conti, followed by near-immediate emergence of Black Basta, which uses similar tactics, fuels speculation that the two groups are the same – or at least closely related.
Brief Anatomy of a Black Basta Attack
While Black Basta attacks are relatively new, some information on their methods has been made public. The data encryptor used by Black Basta requires admin privileges to execute. To launch the encryption executable, the malware hijacks a legitimate Windows® service. It then changes the desktop wallpaper to display a ransom note. Files on the target system are encrypted using the ChaCha20 algorithm. The key required to decrypt the files is then encrypted with RSA-4096.
When files are encrypted, they are appended with a .basta suffix. The Windows registry is also edited to give them a custom icon. Instructions for contacting the group and a link for paying ransom are contained in a readme.txt file, which is dropped in each folder on the infected device. The ransom link opens a web chat (over TOR) where victims can negotiate with the threat actors – something the FBI highly advises against. This chat window may be where researchers observed the threat actors “speaking and acting” in ways similar to the Conti group.
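As an added, defender-side illustration (not code from this post or from BlackBerry) of how the on-disk traces described above can be triaged, the script below walks a directory tree, flags files carrying the .basta suffix, records which original file types sit underneath that suffix, and checks whether a readme.txt is present in most folders, which distinguishes the per-folder note drop described above from a single stray readme. The sample tree, the 0.5 coverage threshold and the function names are assumptions made for the example.

```python
"""Defensive triage example (added here, not BlackBerry's or the post's own
code): walk a directory tree and report the on-disk traces the post attributes
to Black Basta, namely the .basta suffix on encrypted files and a readme.txt
ransom note dropped in each folder. Thresholds and the sample tree are
constructed for illustration."""
import os
import tempfile
from collections import Counter

BASTA_SUFFIX = ".basta"   # suffix the post says is appended to encrypted files
NOTE_NAME = "readme.txt"  # ransom-note file name given in the post


def scan_for_basta_indicators(root):
    """Walk `root` once and collect the indicators.

    Returns a dict with the encrypted file paths, the directories holding a
    note, how many directories were visited, the share of directories that
    hold a note, and a count of the original extensions hidden under .basta
    (useful for scoping which data classes were hit).
    """
    encrypted = []
    note_dirs = []
    original_ext = Counter()
    dirs_scanned = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_scanned += 1
        for name in filenames:
            lowered = name.lower()
            if lowered.endswith(BASTA_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                stem = name[: -len(BASTA_SUFFIX)]  # e.g. report.docx
                original_ext[os.path.splitext(stem)[1].lower() or "<none>"] += 1
            elif lowered == NOTE_NAME:
                note_dirs.append(dirpath)
    coverage = len(note_dirs) / dirs_scanned if dirs_scanned else 0.0
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "dirs_scanned": dirs_scanned,
        "note_coverage": coverage,
        "original_extensions": original_ext,
    }


def assess(summary, min_note_coverage=0.5):
    """Classify a scan summary.

    A lone readme.txt is ordinary; a .basta file is never ordinary; .basta
    files plus a note in most folders is the full pattern the post describes.
    The 0.5 threshold is an assumed tuning value, not from the post.
    """
    if not summary["encrypted_files"]:
        return "clean"
    if summary["note_coverage"] >= min_note_coverage:
        return "black-basta-pattern"
    return "suspicious"


def build_sample_tree(with_indicators=True):
    """Create a constructed sample tree in a temp dir and return its path.

    With `with_indicators`, two documents are renamed with the .basta suffix
    and a placeholder readme.txt is placed in the root and document folders,
    mimicking only the file-system traces a responder would see (nothing is
    actually encrypted).
    """
    root = tempfile.mkdtemp(prefix="basta_demo_")
    layout = {
        "docs": ["report.docx", "notes.txt"],
        os.path.join("docs", "archive"): ["old.xlsx"],
        "photos": ["holiday.jpg"],
        "empty": [],
    }
    for rel, files in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for f in files:
            with open(os.path.join(root, rel, f), "w") as fh:
                fh.write("sample data\n")
    if with_indicators:
        for victim in ["docs/report.docx", "docs/archive/old.xlsx"]:
            src = os.path.join(root, *victim.split("/"))
            os.rename(src, src + BASTA_SUFFIX)
        for note_dir in ["", "docs", os.path.join("docs", "archive")]:
            with open(os.path.join(root, note_dir, NOTE_NAME), "w") as fh:
                fh.write("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    summary = scan_for_basta_indicators(tree)
    print(assess(summary), dict(summary["original_extensions"]),
          f"notes in {summary['note_coverage']:.0%} of folders")
```

Run against a real share, the same walk gives responders a quick scope of which folders and file types were touched before any deeper forensics begins; the coverage ratio is what separates a ransomware-wide note drop from a benign readme.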
Conti Down but Not Out?
One curious detail casting doubt on the connection between the two threat groups is the fact that Conti is still alive and kicking. Recent Internet posts from a Conti member say the leak of their communications had little impact, and new operations are underway. This claim is supported by the number of new victims now posted on the group’s website. The current average of successful attacks is significantly higher than it was in 2021. Some researchers have linked Conti’s victims to previously successful Emotet campaigns, and speculate the group uses data stolen by the malware when selecting targets.
AI Stops Threats, Regardless of Name
Chasing various threat actors around the globe and doing detective work with digital forensics is a game few organizations have the resources to play effectively. The identity of a threat group, or the malware they deploy, holds little interest for organizations that simply want to conduct their business securely.
So, whether it is Conti, Black Basta, both (if they are indeed one and the same), or another threat actor entirely that is threatening your organization, you need effective prevention in place, ideally in the form of an endpoint protection platform (EPP) equipped with advanced artificial intelligence (AI).
If you’re battling this malware or a similar threat, you’ve come to the right place – regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here.