Black Basta Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 31 May 2024 00:53:09 +0000

Black Basta Ransomware Free Decryptor Available
https://gridinsoft.com/blogs/black-basta-ransomware-free-decryptor-available/
Wed, 03 Jan 2024 13:12:50 +0000

The post Black Basta Ransomware Free Decryptor Available appeared first on Gridinsoft Blog.

SRLabs researchers have published a free decryptor for Black Basta ransomware. They discovered a flaw in the way the malware handles encryption and found a way to recover the encryption key and get the files back. The decryptor, called Black Basta Buster, is available for free on the developers’ GitHub page.

Black Basta Decryptor Available to Public

Two days late, SRLabs delivered a welcome New Year gift to quite a few companies attacked by Black Basta ransomware. On January 2, 2024, analysts published a utility called Black Basta Buster on their GitHub, along with an explanation of how it works. The limitations are there as well: decryption is not guaranteed, not all files can be decrypted, and not all versions of the ransomware are supported.

So, to the details. As SRLabs says in the description of the utility, the key thing it relies on is an error in XOR key advancement: the same 64-bit key ends up being applied to the entirety of a file. By analyzing the file, particularly the sections filled with zeros, it is possible to recover the key and then use it to decrypt the file. The procedure has to be repeated for every file.

[Image: the part of the file encrypted with a vulnerable, “repeated” key]

As mentioned, the decryption has its limitations and “recommended circumstances”. The key advancement error does not occur in the first 5000 bytes of the encrypted file, so files smaller than that are out of reach for the tool. The developers additionally note that the tool works best on virtual machine disk files: due to the specific way the ransomware operates, VM files are much more likely to be encrypted with the aforementioned bug.
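As an added illustration of the flaw described above, the following Python is a constructed toy model: it is not SRLabs’ Black Basta Buster and does not reproduce the real Black Basta file format. The constants KEY_LEN and UNAFFECTED_PREFIX, the 512-byte sector layout, the sample key and the assumption that the non-advancing key is aligned to 8-byte chunks from the start of the flawed region are all assumptions made for the example. It shows why a 64-bit XOR key that never advances leaks out of zero-filled regions, and why a small or dense file defeats the trick:

```python
"""Toy model of the key-recovery idea described above (added example, not
SRLabs' Black Basta Buster and not the real Black Basta file format).

Assumptions: the flawed region of a file is XORed with one 64-bit key that
never advances, aligned to 8-byte chunks from the start of that region; the
first UNAFFECTED_PREFIX bytes use a properly advancing keystream that a
decryptor cannot recover.  Every 8-byte ciphertext chunk that covers a
zero-filled plaintext chunk then equals the key itself."""
from collections import Counter
from typing import Optional
import os
import random

KEY_LEN = 8                # one 64-bit key, as the article describes
UNAFFECTED_PREFIX = 5000   # bytes the article says the bug does not cover


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key cycled from offset 0 (the non-advancing keystream)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def flawed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Model of the broken encryptor.  The prefix is masked with random bytes
    that are thrown away (standing in for a working keystream); the body is
    XORed with the same 8-byte key over and over."""
    assert len(key) == KEY_LEN
    head, body = plaintext[:UNAFFECTED_PREFIX], plaintext[UNAFFECTED_PREFIX:]
    head_ct = bytes(a ^ b for a, b in zip(head, os.urandom(len(head))))
    return head_ct + xor_repeat(body, key)


def recover_key(ciphertext: bytes, min_repeats: int = 4) -> Optional[bytes]:
    """Recover the key from the flawed region of one file.

    In a file with plenty of zero runs (a VM disk image is the article's
    example) the key is simply the most frequent 8-byte-aligned chunk of the
    body.  min_repeats guards against files with too little zero padding:
    a chunk seen only a few times is not evidence of anything, so the
    function returns None rather than a guess (the 'not all files' caveat)."""
    body = ciphertext[UNAFFECTED_PREFIX:]
    if len(body) < KEY_LEN * min_repeats:
        return None  # file too small for this trick
    chunks = (body[i:i + KEY_LEN]
              for i in range(0, len(body) - KEY_LEN + 1, KEY_LEN))
    candidate, count = Counter(chunks).most_common(1)[0]
    return candidate if count >= min_repeats else None


def decrypt_body(ciphertext: bytes, key: bytes) -> bytes:
    """Undo the flawed part.  The prefix is left as-is: neither this model
    nor a real decryptor can recover bytes encrypted with a working keystream."""
    return ciphertext[:UNAFFECTED_PREFIX] + xor_repeat(ciphertext[UNAFFECTED_PREFIX:], key)


def build_sample_disk(size: int = 64 * 1024, sparse: bool = True) -> bytes:
    """Constructed stand-in for a VM disk image: 512-byte sectors, three out
    of four zero-filled when sparse=True, all random when sparse=False."""
    rng = random.Random(1)  # fixed seed keeps the sample deterministic
    sectors = []
    for i in range(size // 512):
        if sparse and i % 4 != 0:
            sectors.append(bytes(512))
        else:
            sectors.append(bytes(rng.getrandbits(8) for _ in range(512)))
    return b"".join(sectors)


def demo() -> dict:
    """Encrypt a sparse and a dense sample, then try to recover the key from each."""
    key = bytes.fromhex("0123456789abcdef")  # constructed key
    sparse_pt = build_sample_disk(sparse=True)
    sparse_ct = flawed_encrypt(sparse_pt, key)
    recovered = recover_key(sparse_ct)
    body_ok = (recovered is not None
               and decrypt_body(sparse_ct, recovered)[UNAFFECTED_PREFIX:]
               == sparse_pt[UNAFFECTED_PREFIX:])
    dense_ct = flawed_encrypt(build_sample_disk(sparse=False), key)
    return {
        "recovered_key": recovered,               # equals key for the sparse file
        "body_recovered": body_ok,                # the prefix stays unrecoverable
        "dense_file_key": recover_key(dense_ct),  # None: no zero runs to lean on
    }


if __name__ == "__main__":
    print(demo())
```

The most-frequent-chunk heuristic rests on zeros being the dominant plaintext pattern; a file padded with some other repeated 8-byte value would yield that value XORed with the key instead. A real tool therefore has to validate the candidate against known file structure before trusting it, which is one reason the decryption is not guaranteed.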

Another limitation is the attack date. Black Basta reportedly used the flawed encryptor from November 2022 until December 2023. Most likely, the gang will fix the issue, and the decryptor will not work for further attacks.

Is that the end for Black Basta?

Most likely, it is not. The infamous gang, which emerged in spring 2022, is rumored to descend from Conti ransomware, an infamous threat actor that ceased its activity a month before Black Basta appeared. Therefore, its hackers are experienced enough to find and fix the flaw in a matter of days. The ransoms paid since November 2022 make it perfectly acceptable for them to lose some of the potential revenue.

[Image: attacks month-to-month]

There have been quite a few cases where researchers developed a decryptor for a currently active ransomware family. LockBit is among the most famous, though there were also tools for Akira and BlackByte ransomware. As 2 out of 3 are still running, such a situation is evidently nothing but a minor inconvenience for the gangs.

How to protect against ransomware attacks?

Ransomware has become a major threat to both home users and corporations over the last 7 years. Moreover, the evolution of its practices and tactics makes building comprehensive protection a long and problematic process. However, several tips will make a ransomware attack much less likely.

Be careful with email messages. Email spam is a primary spreading vector for a lot of malware types, not only ransomware. By checking the sender and the attached file or link, you can avoid getting infected.

Install the latest software and firmware updates. Vulnerability exploitation is hackers’ bread and butter when it comes to lateral movement and payload deployment. The majority of exploitation happens after the vulnerability becomes public and gets patched, so do not hesitate to update the programs you use.

Avoid using cracked software. Cracks are an ideal breeding ground for all kinds of malware, since they necessarily tamper with the program’s code. This distribution approach has existed for decades and plagues both home users and workstations.

Use reliable anti-malware software. Having anti-malware software ensures that malware will not slip in through a method you are not aware of. A well-designed security solution will detect and remove even the newest malware with heuristic and AI detection systems. GridinSoft Anti-Malware is a program that offers such functionality – give it a try.

Capita Hacked, Black Basta Gang Publishes Data
https://gridinsoft.com/blogs/capita-hacked-black-basta-ransomware/
Fri, 21 Apr 2023 11:52:02 +0000

Capita, a London-based international business process outsourcing company, was hacked recently. Users noticed strange events at the company earlier this month, but confirmation appeared only on April 20, 2023. The Black Basta ransomware gang has listed Capita among other victims on its Onion leak website.

What is Capita?

Capita is a business process outsourcing company. Back office management, financial, treasury and management advisory, property and infrastructure management – all of that falls to it. Being the biggest company in its sector in the UK, it has clients from all over the world, including large companies and even governments. According to its latest reports, the company holds over £6.5 billion in contracts with governmental organisations. Despite such bright success, the company has its own history of failures – minor, but memorable ones. And it seems we are witnessing another case where its name will be mangled with an extra “r” letter.

Capita Hacked, Gigabytes of Data Leaked

In early April 2023, Capita’s executives reported a “minor security incident”. Later, they disclosed that this “minor incident” involved ransomware deployment. The gang itself disclosed the successful attack by adding Capita to the list on its Darknet website. However, the company was in no haste to name the intruder or enumerate the consequences. Until April 20, when another official notification was released, the company rejected any claims of data leaks. Even now, it speaks only of a minor leak – contrary to what can be found in the data samples published by the hackers.

[Image: Capita’s notice on the “cybersecurity incident”, published on 04/20]

This, however, contradicts other evidence of the attack. Black Basta is not a “hit-and-run” gang; aside from encrypting files, they commonly steal a sizeable amount of data. On average, this gang grabs around 500GB of data from each of its victims. Then, following the double extortion method, they demand an additional ransom to delete the stolen information. If it is not paid, the gang releases the stolen data, making it accessible to everyone. Other crooks then sell the data on the Darknet, i.e. they profit from it regardless of whether the company acknowledges the leak.

[Image: Black Basta’s Darknet page with leaked data]

As you can see in the screenshot above, the company denies experiencing any problems. This, however, contradicts the webinar cancellations and rescheduling. In recent interviews with the BBC, the company’s officials again stated that no data leaks happened. Meanwhile, they confirm the breach and name the approximate date of its beginning: March 22, 2023.

Capita Breach Lasted for Weeks

Several independent investigations confirmed that the hackers were inside the network for weeks before the incident was uncovered. Analysts found evidence of a specific sample of QakBot – QBot BB20 – being used for initial access. This dropper trojan is a pretty common guest in attacks aimed at corporations. After getting into the network, the hackers did not deploy their main payload for the next 11 days. Most probably, this gap was used to infect as many computers as possible.

Considering the time it took to spread the payloads and the overall duration of the “incident”, claims of “limited data exfiltration from the small proportion of affected server estate” look unconvincing. Currently, Black Basta has hidden the Capita entry from its board, yet it can still be accessed through a direct link. Judging by the changes in the official meeting schedule, the problem touches not only internal documents but also a number of documents related to investments and public relations. It is hard to predict the reaction of the company’s contractors when the entire impact is uncovered, but it will not be pleasant for either party.

What is Black Basta ransomware group?

Black Basta is a novice ransomware gang that appeared in April 2022. Some evidence points to this gang being a rebranding of the ceased Conti group; the key piece is that several ex-Conti members continued their cybercrime careers with this group. Other members seem to be experienced hackers as well. The overly strong design of their software and the techniques they use clearly show that being attacked by Black Basta is no joke. Some analysts say it is related to the FIN7 (Carbanak) threat actor.

Over time, they developed a specific attack pattern. First, they deploy the QakBot trojan using email spam; the crooks use a specific sample, coined BB20, which they control themselves. Next, this malware connects to the command server and pulls the second-stage payload: Cobalt Strike Beacon. The beacon’s advanced capabilities allow the hackers to perform lateral movement even before deploying the final payload. The final stage is, obviously, dropping ransomware on all the infected systems.
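The staged pattern above (dropper, then beacon, then ransomware, with days of quiet in between) is what a defender can correlate on. The following Python is an added example, not code from the original post or from any vendor: it runs a minimal kill-chain correlator over a handful of constructed endpoint events. The event shape, the host names, the timestamps and the three stage labels are all assumptions standing in for whatever a real EDR emits.

```python
"""Kill-chain correlator for the QakBot -> Cobalt Strike -> ransomware pattern
(added example with constructed events; stage labels and event shape are assumptions)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Chain order as the article describes it.
STAGES = ("qakbot", "cobalt_strike", "ransomware")

Event = Tuple[str, str, str]  # (ISO timestamp, host, stage)

# Constructed events: one initial-access host, the beacon spreading to others,
# then a coordinated encryption run 11 days after the dropper first appeared.
SAMPLE_EVENTS: List[Event] = [
    ("2023-03-22T09:14:00", "ws-accounts-07", "qakbot"),
    ("2023-03-22T09:31:00", "ws-accounts-07", "cobalt_strike"),
    ("2023-03-24T22:05:00", "srv-files-02", "cobalt_strike"),
    ("2023-03-27T01:40:00", "dc-01", "cobalt_strike"),
    ("2023-03-30T11:00:00", "ws-hr-03", "cobalt_strike"),   # beacon only, not encrypted
    ("2023-04-02T12:10:00", "srv-files-02", "ransomware"),
    ("2023-04-02T12:12:00", "dc-01", "ransomware"),
    ("2023-04-02T12:15:00", "ws-accounts-07", "ransomware"),
]


def first_seen(events: List[Event]) -> Dict[str, datetime]:
    """Earliest sighting of each stage across the whole fleet."""
    seen: Dict[str, datetime] = {}
    for ts, _host, stage in events:
        t = datetime.fromisoformat(ts)
        if stage not in seen or t < seen[stage]:
            seen[stage] = t
    return seen


def chain_progress(events: List[Event]) -> List[str]:
    """Stages observed so far, in chain order."""
    seen = first_seen(events)
    return [s for s in STAGES if s in seen]


def assess(events: List[Event]) -> str:
    """Coarse verdict: the further along the chain, the less time is left."""
    seen = first_seen(events)
    if "ransomware" in seen:
        return "impact"             # encryption already running
    if "cobalt_strike" in seen:
        return "hands-on-keyboard"  # beacon live, lateral movement likely
    if "qakbot" in seen:
        return "initial-access"
    return "clean"


def dwell_days(events: List[Event]) -> Optional[int]:
    """Whole days between the first dropper sighting and the first encryption
    event; None while the chain is incomplete."""
    seen = first_seen(events)
    if "qakbot" not in seen or "ransomware" not in seen:
        return None
    return (seen["ransomware"] - seen["qakbot"]).days


def hosts_by_stage(events: List[Event]) -> Dict[str, Set[str]]:
    """Which hosts reached which stage."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for _ts, host, stage in events:
        out[stage].add(host)
    return dict(out)


def beaconed_not_encrypted(events: List[Event]) -> Set[str]:
    """Hosts carrying a beacon but no encryption yet: isolate these first,
    since they are the foothold the gang keeps for the next wave."""
    by = hosts_by_stage(events)
    return by.get("cobalt_strike", set()) - by.get("ransomware", set())


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS), dwell_days(SAMPLE_EVENTS), beaconed_not_encrypted(SAMPLE_EVENTS))
```

The useful signal is the verdict on the first two events alone: a dropper followed by a beacon on the same host is already "hands-on-keyboard", and in the constructed timeline that is eleven days before any file is encrypted.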

[Image: Black Basta infection chain]

Top famous Ransomware hack groups in 2022
https://gridinsoft.com/blogs/top-famous-ransomware-groups-2022/
Wed, 28 Dec 2022 18:14:47 +0000

Let’s have a look at this year’s bad boys. During 2022, the factions have been forming and re-forming, but one thing is certain: they continue to exist. Despite all efforts, the ransomware problem continues to grow: a recent report by the security firm Zscaler recorded an 80% increase in ransomware attacks compared to last year. Major trends included double extortion, supply chain attacks, Ransomware-as-a-Service (RaaS), group rebranding, and geopolitically motivated attacks.

This year, for example, the well-known Conti ransomware group broke up, but its members simply moved on, forming new gangs. Which groups should we beware of in 2023? Let’s consider some of the most important players.

LockBit

LockBit has existed since 2019 and operates under the RaaS model. According to GuidePoint Security, it is the largest group, accounting for more than 4 out of 10 ransomware victims. The group is believed to be linked to Russia; however, its creators deny any ties and claim to be multinational. The LockBit 3.0 update was released in June and has already spread to 41 countries, according to Intel 471. Its main targets are professional services, consulting and manufacturing, consumer and industrial goods, and real estate. LockBit has also launched a bug bounty program offering up to $1 million for finding vulnerabilities in its malware, leak sites, Tor network, or messaging service.

[Image: the mechanism of the LockBit 3.0 builder]

Black Basta

The Black Basta group first appeared this spring and attacked at least 20 companies in its first two weeks. The gang is believed to consist of former members of Conti and REvil. Black Basta runs its campaigns using the QakBot malware, a banking trojan used to steal victims’ financial data, including browser information, keystrokes, and credentials.

This ransomware is believed to have hit about 50 organizations in the United States over the last quarter, including the American Dental Association (ADA) and the Canadian food retailer Sobeys. More than half of the group’s targets were from the United States.

Hive

Hive, the third most active ransomware group this year, focuses on the industrial sector and on healthcare, energy, and agriculture organizations. According to the FBI, the hackers attacked 1,300 companies worldwide, especially in the health sector, and received about $100 million in ransom. It was reported that the United States Department of Homeland Security was responsible for the attack.

[Image: Hive group’s leak page]

In recent weeks, the group claimed responsibility for the attack on India’s energy company Tata Power, posting the company’s data online, and for attacks on several colleges in the United States. Experts believe Hive cooperates with other ransomware groups and has its own customer support and sales departments. In addition, the group also engages in triple extortion.

ALPHV/BlackCat

ALPHV/BlackCat is one of the most complex and flexible ransomware families, written in the Rust programming language, and has existed for about a year. The gang is believed to be composed of former REvil members and is associated with BlackMatter (DarkSide). The group also runs a RaaS model, exploiting known vulnerabilities or unprotected credentials and then launching DDoS attacks to force the victim to pay the ransom. Additionally, BlackCat discloses stolen data through its own search system.

[Image: ALPHV/BlackCat ransom note]

The group’s targets include critical infrastructure, such as airports, fuel pipeline operators and refineries, and the United States Department of Defense. Ransom demands run into millions; even when the victim pays, the group does not always provide the promised decryption tools.

BianLian

A relatively new player that targets organizations in Australia, North America, and the UK. The group is quickly bringing new command and control (C&C) servers online, indicating that the hackers plan to increase activity significantly.

[Image: BianLian ransom note]

Like many other ransomware programs, BianLian is written in Go, which gives it high flexibility and cross-platform capability. However, according to Redacted, the group comprises relatively inexperienced cybercriminals who have yet to get a grip on the practical business aspects of ransomware and the related logistics. In addition, the group’s wide range of victims indicates that it is motivated by money rather than political ideas.

Other New Groups

The ransomware world is constantly changing, and several groups have rebranded: DarkSide is now called BlackMatter, DoppelPaymer has become Grief, and Rook has been renamed Pandora. In addition, over the past year, new groups have appeared: Mindware, Cheers, RansomHouse, and DarkAngels. We will probably hear about them next year.

How to protect yourself

Your defenses should include safeguards for each phase of an attack:

  1. Reduce the attack surface by making internal apps inaccessible to the Internet and decreasing the number of vulnerable elements.
  2. Prevent compromise by employing a cloud-native proxy architecture that inspects all traffic inline and at scale, enforcing consistent security policies.
  3. Prevent lateral movement by connecting users directly to applications rather than the network. This would reduce the attack surface and contain threats using deception and workload segregation.
  4. Prevent data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

NCC Group’s May 2022 Threat Report Reflects Conti’s End
https://gridinsoft.com/blogs/ncc-report-may/
Mon, 27 Jun 2022 14:24:42 +0000

NCC Group’s monthly report on cyber threats features some curious news, namely the alleged closure of ransomware group Conti and the strengthening of the Lockbit 2.0 gang.

Conti, a notorious Russian ransomware gang responsible for last year’s attack on Irish medical institutions, is believed to have disbanded after the gang members’ internal correspondence ended up in the hands of journalists. Later on (in March), the source code of the ransomware used by the group also leaked. Conti, originating in Russia, had previously declared its support for the Russian government regarding the invasion of Ukraine. The group’s Jabber servers were hacked, and the chats were published afterwards. Later, two websites used by the group to communicate with victims and leak data stopped working.

However, specialists don’t expect the group to disappear. Many former Conti members founded new groups or joined existing ones even before the gang stopped operating. The known ransomware crews where Conti members found new places include BlackCat, Hive, AvosLocker, HelloKitty, Quantum, and others. There are also non-encrypting extortion operations founded by other Conti participants: Karakurt, BlackByte, and the Bazarcall Collective. Thus, only the brand is gone; the malefactors will hardly change their ways.

Statistics

May showed an 18% decrease in ransomware activity compared to April. As before, the most attacked sectors were industrials, consumer cyclicals, and technology (31%, 22%, and 10% of attacks, respectively). LockBit 2.0 remained the most active ransomware actor in May, with no fewer than 95 victims on its account (40% of cases). The aforementioned Conti was also active, alongside Hive and the recently emerged Black Basta (17 cases, 7%). The total number of ransomware attacks in May amounted to 236 (against April’s 289).

NCC Group is a British information security advisory company based in Manchester. With over 15 thousand clients worldwide, NCC Group is listed on the London Stock Exchange and is a constituent of the FTSE 250 Index. Every month, the company issues a “Threat Pulse”, a comprehensive report on the world’s cyber threat landscape.

Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption
https://gridinsoft.com/blogs/vulnerability-in-ransomware-can-prevent-the-encryption/
Wed, 11 May 2022 15:44:07 +0000

Not long ago, a cybersecurity analyst posted a video on YouTube showing a vulnerability in ransomware samples used by well-known ransomware groups. In the footage, the expert shows the exploit in use on a REvil ransomware sample, but there are half a dozen ransomware products vulnerable to the same thing.

The crooks’ weapon struck them back

The YouTube user Malvuln published a series of videos on the exploitation of a weakness in popular ransomware. The exploitation is based on how ransomware launches its executables with high privileges. Essentially, this is an exploit inside another exploit. Let’s check out how that works.

Originally, when crooks launch ransomware on an infected system, they palm off a malicious DLL on a legitimate program. Any application requires dynamic-link libraries to function, and if the DLLs it uses are not checked diligently, it is easy to substitute the original one with a library of your choosing. Cybercriminals know about this weakness and know which apps are vulnerable. Feeding the malicious DLL to the legitimate program allows the ransomware to be launched with elevated privileges.

However, ransomware itself is not perfect. As the researcher mentioned above figured out, it is also vulnerable to DLL hijacking, though the exact method differs from how cybercriminals use it. The vulnerability lies in the way the libraries the ransomware uses to run the encryption process are named. A specially compiled DLL with the same name as the one the ransomware uses ends the encryption process right after it begins.

How can that be used?

As Malvuln showed in his videos, the ransomware of 6 popular cybercrime gangs is vulnerable to this weakness: AvosLocker, LokiLocker, Black Basta, REvil, Conti, and LockBit. All of them are well known, and each attacks hundreds of companies every month. Some of them demand ransoms of up to $1M. Using such a vulnerability, companies can easily protect themselves from having their files encrypted. Still, the spyware those groups usually deploy together with the ransomware is still able to extract a lot of valuable data.

[Image: the ransom note of Avos Locker, one of the vulnerable families; you will still find it even after the encryption fails]

Adding a small DLL file to each computer in the network is pretty easy and hard for threat actors to detect. In contrast to security solutions running in the network, the DLL is not active and cannot be detected. Hence, crooks may get a very unpleasant surprise. Nonetheless, that does not mean you can throw away your security solutions. EDR systems can be very effective against spyware, at least against data extraction. Keep in mind that you will likely pay a much larger sum as a ransom than you would spend on an endpoint protection solution.

Thoughts on ransomware vulnerability

Cybercriminals like the ones in the named gangs love their brainchildren, and having such a vulnerability, they will not delay fixing it. That is their bread and butter, and they depend on that money flow. Hence, deploying the DLL as suggested above is not a panacea. Sooner or later (likely sooner) that weakness will be fixed, as has happened with all other vulnerabilities that leaked to the public. And still, no one names a way to stop the complementary spyware.

One way or another, having a chance to stop the ransomware and prevent disruptions is better than not having it.
