The infamous ransomware operator Black Basta announced another high-profile operation against US-based Black Diamond Capital Management. The targeted company specializes in financial structuring for individuals, institutions, private funds, and trusts.
Despite the ransomware organization being active for over 2 years already, little is known about its structure and members. What we do know is that Black Basta advertises itself as a RaaS (Ransomware-as-a-Service).
This partly explains the gang’s elusiveness and resilience. Relying on affiliates to conduct business allows the hackers extended reach, minimal exposure, and increased profits with little effort. But how does the gang actually operate?
Black Basta is fairly straightforward and uses the common double-extortion routine to force the victims’ hands. This tactic involves encrypting the victim’s files and extracting data for blackmail. The victim needs to pay for both the decryptor and the data deletion.
This isn’t an innovative MO, as most ransomware gangs use the same tactics. What makes Black Basta different is the gang’s ability to infiltrate their targets stealthily. More importantly, they shield their presence for a long time, making them very difficult to detect.
At a surface level, Black Basta appears no different than any other ransomware gang, but there’s a twist. The twist comes in the form of FIN7. In short, FIN7 is a Russian state-sponsored cybercriminal group responsible for a series of high-profile operations.
The then-unknown organization targeted multiple investment firms in New York in 2015. The group managed to silently secure key accounts at over 70 funds which together managed billions.
As Wikipedia puts it, FIN7 ranks as one of the most successful cybercriminal organizations in the world. Not only that, but the group also has important ties to notable ransomware gangs, including ALPHV and GOLD NIAGARA. And, of course, Black Basta.
Experts have identified key similarities in tactics between Black Basta and FIN7, including the use of specific evasion tools and backdoor malware. The connection between the 2 isn’t unheard of.
State actors often rely on various cybercriminal gangs, especially RaaS entities, to disseminate propaganda, steal data, and extort their targets. This comes with several advantages, such as maximizing the effects with minimal investment and gaining plausible deniability.
To be noted, this theory hasn’t been confirmed, but the correlations are fairly strong. If true, this would mean that Black Basta is funded by the Russian state itself. This would explain its influence, advanced tactics, and overall reach and elusiveness.
This being said, Black Basta isn’t perfect, as Security Search Labs exploited a vulnerability in the gang’s encryption algorithm. This allowed them to create the Black Basta Buster decryptor, allowing numerous victims to decrypt their files for free.
We believe security online security matters and its our mission to make it a safer place.