BlackBasta Ransomware Brand Picks Up Where Conti Left Off

The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.

Since the spectacular law enforcement takedown of Conti's operations in 2022, the Russian-language ransomware landscape has been a bit in flux. Upending usual business operations further was the subsequent August 2023 takedown of Qakbot botnets, long relied upon by these groups to deliver their ransomware. The law enforcement action, called "Operation Duck Hunt," removed Qakbot malware from more than 700,000 infected machines. The Qakbot botnet takedown success would be short lived. Analysts started to see the it pop back up in cyberattacks just a couple of months later.

Even so, by January, BlackBasta has already pivoted and was observed using a competing botnet tool called Pikabot, along with an emerging new threat group, Water Curupira, which similarly used Pikabot to drop BlackBasta ransomware.

From there BlackBasta diversified into phishing, vishing, and social engineering, as well as buying entry into target networks from initial access brokers. But by last August, the ransomware group was using its own custom-developed malware, Cogscan, used to map victim networks and sniff out the most valuable data, as well as a .NET-based utility called Knotrock, used to execute ransomware.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Are Law Enforcement Takedowns Against Ransomware Working?

In a new report, RedSense cybersecurity analyst Yelisey Bohuslavskiy has provided a detailed look at the evolution of BlackBasta tactics, concluding that the group's requirement to adapt in the wake of large-scale law enforcement has made it a leader in the Russian-language ransomware space. In fact, Bohuslavskiy worries that the group is in a position to become an important partner of the Russian state. In the report, he used the example of the punishing rounds of cyberattacks against the healthcare sector this year and a potential bleak peek at what's to come.

"Considering the abnormality of 2024 high-profile attacks against healthcare, I am concerned about the potential liaison between BlackBasta and [Russian nation-state threat actor] Nobelium [Midnight Blizzard] and the Russian security apparatus in general," Bohuslavskiy tells Dark Reading. "While at this point, the connection is mostly MS Teams exploitation and some other TTPs and can not be confirmed, if in the future Russian ransomware groups will develop direct cooperation with the Russian state, this will result in tangible deterioration of the threat landscape."

Related:Leaky Cybersecurity Holes Put Water Systems at Risk

He predicts that BlackBasta and the hackers in its orbit will get increasingly sophisticated in their attacks in the months to come, namely social engineering attempts at compromising credentials.

"I would advise preparing for defending different social engineering against endpoints with a focus on credentials," Bohuslavskiy adds. "Cisco, Fortinet, and Citrix credentials are definitely the main focus of BlackBasta now. I would also look at GitHub repositories and other open repositories that an enterprise may have, as we are seeing these actors hunting for them."

This is good news for cyber defenders. Social engineering is a much less efficient way to disseminate ransomware versus a botnet blast, Bohuslavskiy adds.

"To my opinion, the most important thing is that law enforcement action is working," he says. "The transition shows a slow but steady movement from botnets to social engineering, even for traditionalists like BlackBasta. And by all means, social engineering is inferior to botnets in dissemination."

Related:Going Beyond Secure by Demand

Bohuslavskiy points to the Conti group's foray into a massive experiment with call centers filled with people conducting social engineering cyberattacks, adding that it turned out to be a flop.

"Trickbot, Emotet, and Qbot were the ultimate sources of ransomware delivery for the entirety of the Russian-speaking domain, and by now, all of them are down due to law enforcement action," he says. "No substitute has come since. However, we should be aware that the leadership of the groups also understands this, and therefore, they will try to double down on developing new botnets. This is why I predict that BlackBasta's plays with social engineering will be short-lived."

Russian-Language Ransomware Coordination

Expert ransomware negotiator Ed Dubrovsky, COO and partner at Cypfer, isn't sure it's that simple. In his experience, he explains, these Russian RaaS operations are highly decentralized groups of individual hackers with a complex organizational structure. Assigning cooperation between groups and the Russian state implies a level of operational coordination he hasn't seen.

When one group is taken down by law enforcement, individual talent easily flows to another brand, in his view.

"We tend to bunch them up together into a named group like BlackBasta, which is nothing more than an umbrella structure offering software and infrastructure solutions and some adjacent services," Dubrovsky says. "They are completely dependent on the affiliates, aka franchisees, to actually conduct attacks. So to claim that there is cooperation between nation-state actors and a ransomware 'brand' or 'franchise' is almost equivalent to saying McDonald's is working with state actors because they have a McDonald's in Russia."

He suggests it's more likely individuals shuffling around ransomware trade secrets driven purely by return on investment rather than commitment to any specific group or specific fear of law enforcement.

It's also important to note that "Russian-speaking" doesn't necessarily mean "Russian threat actors" when it comes to the hackers circulating around these RaaS operations, Ngoc Bui, cyber expert with Menlo Security says.

"Many Dark Web forums and illicit communities predominantly use the Russian language, but this doesn’t necessarily mean all participants are Russian," she explains. "This distinction is critical when interpreting predictions about increased coordination."

She adds there is a "golden rule" among these adversaries.

"As long as operations don’t target Russia or its allies, they are often overlooked," she says. "This tolerance can make Russia an appealing environment for cybercriminals to operate, whether or not direct state coordination is involved."

Beyond assigning specific tactics to various brands, Dubrovsky urges cybersecurity teams to focus on protecting their systems from increasingly well-funded and well-trained Russian-speaking ransomware adversaries. The entire threat landscape has been exploding since 2013, and he views its "further deterioration" predicted by Bohuslavskiy as an obvious given.

"Could we say that this will accelerate even more due to the resources available to [threat actors] and certainly nation-states? Absolutely," Dubrovsky adds. "Would/could it be directly correlated because of observed TTPs? Not sure this will ever be conclusive. The real question is how do we defend against threat actors with increasing resources and capabilities to cause more impact."