InfoGuard Cyber Security and Cyber Defence Blog

Leaked Credentials: How Black Basta attacker penetrate networks

Geschrieben von Nadine Eberle | 06 Mai 2024

Our CSIRT is currently dealing with disturbing incidents that all exhibit striking similarities – the companies affected alerted us when their antivirus software reported encryption activity. In another case, the company in question was told by the relevant Federal Criminal Police Agency (BKA) that files revealing information about the company had appeared on the dark net. CSIRT was able to intervene in time, protect the company from encryption and thus minimise the damage. This article shows how and why you need to start acting now.

Black Basta: Ransomware-as-a-Service

Black Basta  is one of the newer variants of ransomware currently haunting the Internet. The group not only attacks companies itself, but also offers its ransomware as a service to other cyber criminals. The malicious software encrypts files on an infected computer to extort a ransom in return for the decryption keys. The encryption of the entire IT infrastructure isn’t the only factor that poses a threat to companies: the exfiltration of a wide range of data is a further significant risk. Personal data such as identity documents in particular are often used as leverage for the ransom demand.

How do attackers contact their victims? Black Basta leaves a ransom note on the encrypted systems containing a link to a chat portal on the darknet, which then reveals how much the ransom demand is. This is usually based on the turnover of the company under attack. The sum demanded must be paid in cryptocurrency such as Bitcoin so as to conceal the identity of the blackmailer. Once the payment is made, the decryption software is provided, the stolen files are not made public and a promise is made to the victims that the company will not be attacked again.

To protect yourself from Black Basta and other forms of ransomware, it is important to create security awareness and abide by security best practices. These include, but are not limited to:

  • Regular security updates for operating systems and applications.
  • Caution when opening email attachments or clicking links of unknown origin.
  • Using antivirus and antimalware software.
  • Using multifactor authentication.
  • Periodically enforced change of user credentials.
  • Regular backup of important files on secure, external drives (offline backups) or in the cloud. With cloud backups in particular, it’s important that the attacker cannot access the backups from the running infrastructure.

Tactics, techniques and procedures (TTP) of Black Basta – brute force and other entry vectors

In its hunt for tactics, techniques and procedures (TTP), the origin of the system compromise (patient zero) and forensic analysis of manipulated infrastructures, the CSIRT has identified the same pathway to initial system compromise in several cases over recent weeks.

The attackers gained access to the networks through employees’ credentials. These could be found without significant problems on the darknet, as the threat intelligence team was able to confirm. Black Basta used the stolen access data, some of which had been leaked for several years, to gain access via the companies’ VPN. No additional factor was required to log on to the VPN (multifactor authentication).

Unfortunately, employees in the companies were not forced to change their passwords regularly. This resulted in the attackers gaining access to third-party infrastructure with access data that had not been updated for four years.

Focus on info stealers

How does access data, consisting of username and password, get on to the darknet so often? The answer to this question: information stealers. These are forms of malware that are usually installed along with executables originating from untrusted sources. These stealers then export usernames and passwords from browsers and password safes – and sometimes even from the computer’s memory. Some thieves also take screenshots of the infected computer and upload the contents of the leaked user’s desktop folder. Occasionally, these uploads also contain valuable and sensitive data. This data is then offered for purchase on the darknet for prices in the single-digit to low double-digit dollar range.

In addition to TTPs, brute force attacks are another commonly used method in which an attacker systematically tries out all possible combinations of usernames and passwords to gain access to a protected system. This attack can be used to hack access data for various services such as email accounts, social media, online banking and more.

A brute force attack uses a fairly simple process: the attacker uses automated scripts or tools to attempt as many combinations of usernames and passwords as possible from a predefined list or by generating random strings. Cyber criminals apply this combination to the target account one by one and expect to find the right access data.

To make it difficult to misuse access data, long and complex passwords that contain letters, numbers and special characters are recommended.

  • Implement account locking mechanisms after multiple failed login attempts to limit the number of attempts.
  • Use multi-factor authentication (MFA).
  • Monitor login activity and suspicious access attempts to detect potential attacks early.
  • Train users in the company to develop security awareness.
  • Implement password security and access control best practices to significantly reduce the risk of successful brute force attacks.

Darknet investigation on cyber threat prevention

You can spare your company this fate! InfoGuard offers companies the option of a one-time darknet investigation by the threat intelligence team and finds suitable countermeasures for prevention and attack deterrence.

Our darknet investigation looks for any access data that may have been stolen and advertised in darknet marketplaces in the context of stealers. Get advice from our cyber defence experts.

Darknet monitoring: the comprehensive early warning system for businesses

Darknet monitoring provides you with the optimal foundation for your business intelligence and proactive protection of your corporate assets. Our security analysts in the InfoGuard Cyber Defence Center identify threats to your organisation, networks, systems, applications and services at an early stage and make specific recommendations for effective countermeasures. You will also gain important insights into targeted prevention, defence and response.

  • Formulation of the specific, risk-based threat situation for your company specifically tailored to your industry.
  • Custom and systematic monitoring on the darknet, Tor networks, hacker forums, Internet, blogs, social media, IRC channels etc.
  • Targeted search for your digital tracks, documents, applications, passwords, credit cards, attack vectors, malware and cyber campaigns.
  • Analysis and evaluation of cyber threat intelligence feeds.
  • Sound cyber threat intelligence analytics with real-time alerting and escalation.
  • Periodic management reporting demonstrates your current risk situation and changes in the threat situation.

Current analyses of our CSIRT show that the developments around the Black Basta offerings on the darknet are highly disturbing. Our recommendation is therefore to take action now.

Find out more early on, so you can act promptly. We will be happy to advise you according to your individual needs.


Would you like to stay informed about the latest trends, innovations and technologies first-hand? Then subscribe to our blog updates and receive the latest articles delivered conveniently to your inbox.