Blog posts, webinars, and guides exploring ransomware prevention tips and platform capabilities against these attacks.

The Need to Know: Black Basta Ransomware Gang

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

  • CIS Control 7: Continuous Vulnerability Management (CVM)
    • CVM covers one of the 18 controls by closing the gaps between significantly reducing risk and security assessments. Managing vulnerabilities and understanding is a continuous activity requiring the focus of resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure. It minimizes and remediates the window of opportunity for cybercriminals.
  • CIS Control 8: Audit Log Management
    • Audit log management is the process of recording any activity used across an organization within the software systems. Audit logs document any occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring organizations collect, review, retain, and alert audit logs of events helps recover from an attack quicker.
  • CIS Control 14: Proactive Security Awareness
    • Employees are every organization’s first line of defense. It is critical to arm them with the proper knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program empowers employees with the needed expertise. Security software can only defend for so long until someone clicks a malicious link- take the proactive approach.
  • CIS Control 18: Penetration Testing
    • A penetration test or ‘ethical hacking’ evaluates the security of a system by attempting to breach accessibility, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

Human Error Continues to Drive Numbers on Cybersecurity Attacks

Checking the box for your organization’s cybersecurity training annually doesn’t quite cut it anymore. Cyberattacks are rising yearly, and one of the top reasons is human error. Taft dives into the best approach to managing privacy and cybersecurity and how to create a more innovative, more attentive security culture.  

You might think your run-of-the-mill privacy and cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your duty and obligation to mitigate data privacy and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with your everyday business efforts without concern. Think again. Human error continues to be the number one driver of data breaches. Over 85% of all data breaches are caused by an employee mistake. (SourcePsychology of Human Error by Stanford University Professor Jeff Hancock and Tessian, a cybersecurity firm.) “Human error” can take many forms from the use of stolen credentials and misuse of company information to phishing or malware links. Cybercriminals and hackers have developed advanced and creative tactics in efforts to access and steal confidential information. Malware attacks, for example, are attacks where hackers attempt to infiltrate networks, individual computers, and mobile devices with malicious software. An unassuming click to open a link or download software is all it takes to enable a malware attack. Social engineering tactics are often used to get employees to send bank account information, provide usernames and passwords, among other confidential information. Psychological manipulation is the bread and butter of social engineering. Such efforts intentionally target human interactions by tricking persons into thinking they are receiving an email from a trusted source, perhaps a friend or a business partner. Email content may consist of an urgent request, portray legitimate branding to make the email appear trustworthy, request your “verification” of information, or pose as a boss or coworker. Employees need to be trained and continuously reminded to be mindful when conducting business. Technology can only take us so far in protecting businesses and securing information from cybersecurity attacks, especially with respect to social engineering. In the hustle and bustle of everyday business, it is easy to flit from email to email, shooting off quick responses without even glancing at the subject line, or the name or email address of the sender. Some of the simplest requests from a seemingly innocuous email can lead to the leak of very valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the content of the email? Is the company or individual name familiar to you? Cybersecurity attacks can be incredibly costly, causing financial, mental, and emotional heartache from the click of a button. Aside from financial ramifications, data breaches and cybersecurity attacks may reflect negatively on your business’s reputation, cause you to lose clients or customers, and may even lead to significant litigation proceedings and hefty government fines from breach of regulatory violations. The best approach in managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture within your business.

Read the full article here.

Adlumin Inc. is a patented, managed security services platform built for corporate organizations that demand innovative cybersecurity solutions and easy-to-use, comprehensive reporting tools.