Our CSIRT is currently dealing with a series of disturbing incidents that all exhibit striking similarities. In most cases the affected companies alerted us when their antivirus software reported encryption activity; in another case, the company was told by the German Federal Criminal Police Office (BKA) that files containing information about the company had appeared on the darknet. Our CSIRT was able to intervene in time, prevent the encryption and thus limit the damage. This article shows how these intrusions happened and why you need to start acting now.
Black Basta is one of the newer ransomware families currently active on the Internet. The group not only attacks companies itself, but also offers its ransomware as a service (RaaS) to other cyber criminals. The malware encrypts files on infected systems in order to extort a ransom in return for the decryption keys. Encryption of the entire IT infrastructure is not the only threat to companies: the exfiltration of a wide range of data before encryption is a further significant risk (double extortion). Personal data such as identity documents in particular is often used as leverage for the ransom demand.
How do the attackers contact their victims? Black Basta leaves a ransom note on the encrypted systems containing a link to a chat portal on the darknet, where the amount of the ransom demand is revealed. This is usually based on the turnover of the company under attack. The sum demanded must be paid in cryptocurrency such as Bitcoin, which makes the blackmailers harder to identify. Once the payment is made, the decryption software is provided, the stolen files are supposedly not published, and the victim is promised that the company will not be attacked again. None of these promises can be verified or enforced by the victim.
To protect yourself from Black Basta and other forms of ransomware, it is important to create security awareness and abide by security best practices. These include, but are not limited to:
In its hunt for the attackers' tactics, techniques and procedures (TTPs), the origin of the compromise (patient zero) and the forensic analysis of the manipulated infrastructures, the CSIRT has identified the same initial access path in several cases over recent weeks.
The attackers gained access to the networks using employees' credentials, which, as our threat intelligence team was able to confirm, could be found on the darknet without much effort. Black Basta used this stolen access data, some of which had been leaked years earlier, to log in to the companies' VPNs. No second factor (multi-factor authentication) was required for the VPN login.
Unfortunately, the companies did not require their employees to change their passwords, so the attackers were able to log in to the companies' infrastructure with credentials that had not been updated in four years. Calendar-based rotation alone is a weak control; what matters most is that a credential known to have been leaked is reset immediately and that the VPN demands a second factor.
How does access data, consisting of username and password, end up on the darknet so often? The answer to this question: information stealers (infostealers). These are forms of malware that are usually installed along with executables from untrusted sources. Once running, a stealer exports saved usernames and passwords from browsers and password managers, and sometimes even from the computer's memory. Some stealers also take screenshots of the infected computer and upload the contents of the victim's desktop folder; occasionally these uploads contain valuable and sensitive company data. The harvested data is then offered for sale on the darknet, typically for prices in the single-digit to low double-digit dollar range.
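The following Python script is an added, illustrative example (it is not part of the original article and not InfoGuard's tooling) of the triage a CSIRT or threat intelligence team performs once a stealer-log dump is in hand: it parses constructed lines in the widespread URL:USER:PASS dump layout, keeps only entries that target the company's own login portals, joins them against a directory extract, and rates each hit by whether the password was changed after the capture date and whether the VPN login has a second factor. It also flags a corporate account reusing the same password on a third-party site. The domain example.com, the hostnames, account names, dates and the DIRECTORY table are all assumed sample data.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed sample in the common "URL:USER:PASS" stealer-dump layout; none of it is real.
# The capture date normally comes from the log bundle's metadata; here it is assumed.
SAMPLE_STEALER_LOG = """\
https://vpn.example.com/remote/login:j.muster:Sommer2019!
https://mail.example.com/owa/:a.beispiel@example.com:Winter2020?
https://shop.other-site.example/login:j.muster@example.com:Sommer2019!
https://vpn.example.com:443/remote/login:m.test:Welcome1
https://vpn.example.com/remote/login:someone@partner.example:Passw0rd
"""
SAMPLE_CAPTURE_DATE = date(2022, 3, 10)

CORP_DOMAIN = "example.com"                                  # assumed company mail domain
CORP_LOGIN_HOSTS = {"vpn.example.com", "mail.example.com"}  # assumed internet-facing logins

# Constructed directory extract (what an AD / IdP export would provide). Not real accounts.
DIRECTORY = {
    "j.muster":   {"password_last_set": date(2019, 6, 3),   "vpn_mfa": False},
    "a.beispiel": {"password_last_set": date(2023, 2, 1),   "vpn_mfa": False},
    "m.test":     {"password_last_set": date(2021, 11, 15), "vpn_mfa": True},
}


@dataclass(frozen=True)
class LeakedCredential:
    url: str
    username: str
    password: str
    captured: date


def parse_stealer_log(text, captured):
    """Split 'URL:USER:PASS' lines from the right so that ':' inside the URL (scheme,
    port) survives. Assumes username and password themselves contain no ':'."""
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(":", 2)
        if len(parts) != 3 or "://" not in parts[0]:
            continue  # malformed line: skip rather than guess
        url, user, pw = parts
        creds.append(LeakedCredential(url, user, pw, captured))
    return creds


def to_account(username):
    """Map whatever the victim typed into a directory login name, or None if the
    account belongs to another organisation."""
    local, sep, domain = username.partition("@")
    if sep and domain.lower() != CORP_DOMAIN:
        return None
    return local.lower()


def triage(creds, directory, today):
    """Return findings sorted by severity. A leaked password is treated as probably
    still valid when the account's password was last set on or before the capture."""
    findings, corp_secrets = [], set()
    for c in creds:
        host = urlsplit(c.url).hostname
        if host not in CORP_LOGIN_HOSTS:
            continue
        account = to_account(c.username)
        if account is None or account not in directory:
            continue
        entry = directory[account]
        corp_secrets.add((account, c.password))
        if entry["password_last_set"] > c.captured:
            severity = "info"      # rotated after the leak; dumped password is stale
        elif not entry["vpn_mfa"]:
            severity = "critical"  # probably valid and usable on the VPN without MFA
        else:
            severity = "high"      # probably valid; MFA is the only remaining control
        findings.append({"account": account, "host": host, "severity": severity,
                         "password_age_days": (today - entry["password_last_set"]).days})
    # Second pass: a corporate password reused on a non-corporate site
    for c in creds:
        host = urlsplit(c.url).hostname
        account = to_account(c.username)
        if host not in CORP_LOGIN_HOSTS and account and (account, c.password) in corp_secrets:
            findings.append({"account": account, "host": host, "severity": "medium",
                             "password_age_days": None})
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f["severity"]])


def run_example():
    creds = parse_stealer_log(SAMPLE_STEALER_LOG, SAMPLE_CAPTURE_DATE)
    return triage(creds, DIRECTORY, today=date(2024, 1, 15))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the sample data the script puts j.muster at the top: the password captured in 2022 was set in 2019, has never been rotated, and the VPN portal accepts it without a second factor, which is exactly the situation described above. In a real engagement the capture date and the directory export replace the constructed values, and the "critical" rows are the accounts to reset first.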
Besides stealer logs, brute-force attacks are another common way of obtaining access data: the attacker systematically tries combinations of usernames and passwords against a protected system until one is accepted. This can be used to compromise accounts for a wide range of services such as e-mail, social media, online banking and, as in the cases above, VPN portals. When the list being tried consists of previously leaked credentials, the technique is known as credential stuffing; trying a few common passwords against many accounts is known as password spraying.
A brute-force attack uses a fairly simple process: the attacker uses automated scripts or tools to attempt as many username and password combinations as possible, either from a predefined wordlist or by generating strings, and submits them to the target account one after another until the right access data is found. Against an internet-facing login without lockout or rate limiting, this is noisy but effective, and the failed attempts are visible in the gateway's authentication log.
To make stolen or guessed access data harder to misuse, long passwords or passphrases that contain letters, numbers and special characters are recommended. More importantly, the VPN and other externally reachable logins should require a second factor, and any password known to have been leaked should be reset immediately.
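As an added example (not part of the original article and not InfoGuard's detection content), the following Python script shows the detection logic a security operations team would run over VPN gateway authentication logs to spot the two brute-force patterns just described: many failures for one account from one source (classic brute force) and one source failing against many different accounts (password spraying), plus a successful login from a source that was already flagged, which is the event that needs an immediate response. The log lines are constructed in a generic key=value layout, not a real vendor's syslog format, and the thresholds and window sizes are assumed starting points to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed VPN gateway authentication log in a generic key=value layout (not a real
# vendor format). 203.0.113.7 hammers one account and then gets in, 198.51.100.9 sprays
# five accounts, 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_AUTH_LOG = """\
2024-01-15T08:00:01Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:00:09Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:00:17Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:00:26Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:00:34Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:00:41Z vpn-gw auth: result=FAIL user=j.muster src=203.0.113.7
2024-01-15T08:01:02Z vpn-gw auth: result=OK user=j.muster src=203.0.113.7
2024-01-15T08:03:10Z vpn-gw auth: result=FAIL user=a.beispiel src=198.51.100.9
2024-01-15T08:04:15Z vpn-gw auth: result=FAIL user=m.test src=198.51.100.9
2024-01-15T08:05:20Z vpn-gw auth: result=FAIL user=k.lang src=198.51.100.9
2024-01-15T08:06:25Z vpn-gw auth: result=FAIL user=s.kurz src=198.51.100.9
2024-01-15T08:07:30Z vpn-gw auth: result=FAIL user=t.neu src=198.51.100.9
2024-01-15T08:09:00Z vpn-gw auth: result=FAIL user=p.weber src=192.0.2.5
2024-01-15T08:09:20Z vpn-gw auth: result=OK user=p.weber src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed thresholds; tune them to the normal failure rate of your own gateway.
BRUTE_FORCE_FAILS = 5                      # failures for one (src, user) pair ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this sliding window
SPRAY_USERS = 5                            # distinct users failed from one src ...
SPRAY_WINDOW = timedelta(minutes=15)       # ... within this sliding window


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect(log_text):
    """Single pass over the log; returns a list of (kind, src, detail, timestamp)."""
    alerts = []
    fails_by_pair = defaultdict(deque)  # (src, user) -> failure timestamps in window
    fails_by_src = defaultdict(deque)   # src -> (timestamp, user) failures in window
    flagged_pairs, flagged_sprays = set(), set()
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        ts, result, user, src = event
        if result == "FAIL":
            pair = fails_by_pair[(src, user)]
            pair.append(ts)
            while pair and ts - pair[0] > BRUTE_FORCE_WINDOW:
                pair.popleft()
            if len(pair) >= BRUTE_FORCE_FAILS and (src, user) not in flagged_pairs:
                flagged_pairs.add((src, user))
                alerts.append(("brute_force", src, user, ts))
            recent = fails_by_src[src]
            recent.append((ts, user))
            while recent and ts - recent[0][0] > SPRAY_WINDOW:
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= SPRAY_USERS and src not in flagged_sprays:
                flagged_sprays.add(src)
                alerts.append(("password_spray", src, len(distinct), ts))
        elif (src, user) in flagged_pairs or src in flagged_sprays:
            # A success from an attacking source is the alert that matters most
            alerts.append(("success_after_attack", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The sliding windows are kept per key with a deque, so the detector runs in one pass and can be fed a live log tail as well as an archived file. A single failure followed by a success, as for 192.0.2.5, produces no alert; the success from 203.0.113.7 after five failures is the event that should trigger an immediate session termination and password reset.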
You can spare your company this fate! InfoGuard offers companies a one-off darknet investigation by its threat intelligence team and identifies suitable countermeasures for prevention and deterrence.
Our darknet investigation searches for access data belonging to your company that has been stolen by infostealers and offered on darknet marketplaces. Get advice from our cyber defence experts.
Darknet monitoring provides you with the optimal foundation for your business intelligence and proactive protection of your corporate assets. Our security analysts in the InfoGuard Cyber Defence Center identify threats to your organisation, networks, systems, applications and services at an early stage and make specific recommendations for effective countermeasures. You will also gain important insights into targeted prevention, defence and response.
Current analyses of our CSIRT show that the developments around the Black Basta offerings on the darknet are highly disturbing. Our recommendation is therefore to take action now.
Find out more early on, so you can act promptly. We will be happy to advise you according to your individual needs.