Likely to be operated by former members of Conti and REvil, this two-month old ransomware attacks mainly English-speaking countries.

A global threat alert advisory has been released, warning global organizations about a rise in ransomware attacks from the Black Basta gang which emerged in April this year.

So far, the threat group has victimized nearly 50 companies in English speaking countries such as the United States, the United Kingdom, Australia, New Zealand and Canada. When the ransomware has penetrated a Windows system, the desktop wallpaper is changed into one with an ominous warning: “Your network is encrypted by the Black Basta group. Instructions in the readme.txt file.”

Thereafter, the malware restarts the system into ‘Safe Mode with Networking’ and before long all files in the system would have been encrypted and renamed with a ‘basta’ extension. Note that the ransomware also targets ESXi VM systems.

Black Basta is known to have partnered with QBot malware to spread laterally through corporate networks. It uses the double extortion scheme their victims, and some of their ransom demands have exceeded US$1m. Double extortion involves a combination of ransoming data as well as extorting victims to pay up or get their sensitive corporate data published online.

Cybereason, the firm that issued the threat alert, has assessed the threat level of ransomware attacks against global organizations today being SEVERE. The firm’s CEO and co-founder Lior Div said: “Since Black Basta is relatively new, not a lot is known about the group. Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021.”

The firm recommends the public to follow modern cyber hygiene practices such as implementing a security awareness program for employees, ensuring regular patching of operating systems and other software, and conducting regular cybersecurity drills, among other cyber techniques.