Black Basta Ransomware Attack Forces Some BT Group Systems Offline
BT Group, the UK’s leading telecommunications provider, confirmed that its BT Conferencing division experienced a Black Basta ransomware attack, prompting the shutdown of certain servers.
While the company insists the incident did not impact BT Group’s core operations or BT Conferencing’s live services, questions remain regarding the extent of the breach.
“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” a BT spokesperson said, BleepingComputer reports.
Although BT claims it was only an attempted compromise, the company acknowledged taking the affected servers offline.
Meanwhile, the Black Basta ransomware gang alleges a much more severe breach, claiming they exfiltrated 500GB of sensitive data, including financial records, organizational details, personal documents, NDAs, and other confidential information.
The group backed their claims with screenshots of stolen documents and threatened to leak the data on their dark web site next week. BT Group is investigating the incident with regulatory and law enforcement bodies. The company reiterated: “The impacted servers do not support live BT Conferencing services, which remain fully operational.”
However, the ransomware group’s claims suggest this breach may be more extensive than BT has acknowledged publicly.
Takeaway: According to the Ransomware Malicious Quartile report, Black Basta, a Ransomware-as-a-Service (RaaS) group that surfaced in early 2022, is widely believed to be an offshoot of the disbanded Conti and REvil gangs.
Known for its technical sophistication and aggressive tactics, the group targets Windows and Linux systems, often exploiting vulnerabilities such as VMware ESXi flaws and insecure Remote Desktop Protocol (RDP) configurations.
Black Basta employs a double extortion model, exfiltrating sensitive data to pressure victims into paying ransoms, with the stolen data published or sold if demands are not met.
The group's ransomware, written in C++, uses robust ChaCha20 encryption for files and RSA-4096 to secure encryption keys. They enhance their attacks by leveraging malware like Qakbot and exploiting vulnerabilities such as PrintNightmare.
Additionally, they use advanced methods to disable security measures, including PowerShell commands and Group Policy Objects (GPOs) to neutralize tools like Windows Defender, making their operations challenging to detect and mitigate.
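The defense-evasion step described above leaves a trail in Windows telemetry. The following is an added detection example written for this post, not code from Halcyon or from the report it cites: it triages constructed JSON-formatted log records and flags the three signals that correspond to Defender being switched off: Defender operational-log event IDs 5001/5010/5012, a PowerShell script-block event (4104) invoking Set-MpPreference with a Disable* switch, and a Sysmon registry-value event (13) setting a disabling value under the Defender policy key that a GPO would write. The event IDs are the documented Windows ones; the JSON field names (host, channel, event_id, script_block, target_object, details) and the host names are assumptions about how a log forwarder would emit the records.

```python
import json
from typing import Dict, List, Optional

# Windows log channels (real channel names).
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
POWERSHELL_CHANNEL = "Microsoft-Windows-PowerShell/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Defender operational events that mean a protection feature was turned off.
DEFENDER_DISABLED_EVENTS = {
    5001: "real-time protection disabled",
    5010: "anti-spyware scanning disabled",
    5012: "antivirus scanning disabled",
}
SCRIPT_BLOCK_EVENT = 4104      # PowerShell script block logging
SYSMON_REG_VALUE_SET = 13      # Sysmon "RegistryEvent (Value Set)"
# Policy key a GPO writes to; values below, when set to 1, disable Defender.
POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\"
DISABLING_VALUES = ("disableantispyware", "disableantivirus")


def classify(event: dict) -> Optional[str]:
    """Return a human-readable reason if the event indicates Defender tampering."""
    channel = event.get("channel", "")
    eid = event.get("event_id")

    if channel == DEFENDER_CHANNEL and eid in DEFENDER_DISABLED_EVENTS:
        return f"Defender {DEFENDER_DISABLED_EVENTS[eid]} (event {eid})"

    if channel == POWERSHELL_CHANNEL and eid == SCRIPT_BLOCK_EVENT:
        block = event.get("script_block", "").lower()
        if "set-mppreference" in block and "disable" in block:
            return "PowerShell Set-MpPreference used to disable a Defender feature"

    if channel == SYSMON_CHANNEL and eid == SYSMON_REG_VALUE_SET:
        target = event.get("target_object", "")
        name = target.rsplit("\\", 1)[-1]
        if (target.lower().startswith(POLICY_KEY)
                and name.lower() in DISABLING_VALUES
                and event.get("details", "").endswith("(0x00000001)")):
            return f"Defender policy value {name} set to 1 (registry/GPO)"

    return None


def triage(log_lines: List[str]) -> Dict[str, List[str]]:
    """Group tampering findings by host; hosts with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in log_lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.setdefault(event.get("host", "unknown"), []).append(reason)
    return findings


# Constructed sample records (assumed forwarder format, hypothetical hosts).
SAMPLE_LOG = [
    r'{"host": "conf-srv-01", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104, "script_block": "Get-MpComputerStatus"}',
    r'{"host": "conf-srv-01", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104, "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"host": "conf-srv-01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}',
    r'{"host": "conf-srv-02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "target_object": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "details": "DWORD (0x00000001)"}',
    r'{"host": "conf-srv-03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "target_object": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "details": "DWORD (0x00000000)"}',
    r'{"host": "conf-srv-03", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1001}',
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Only conf-srv-01 and conf-srv-02 are reported; the benign status query, the policy value being set back to 0, and the routine scan-completed event on conf-srv-03 produce no finding. In practice the three signals arrive from different channels, so correlating them per host (as triage does) is what turns individual events into a credible tampering alert.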
Black Basta is highly selective in recruiting affiliates, collaborating only with trusted partners to maintain operational security. Their ransom demands can reach up to $9 million, with an estimated 35% of victims choosing to pay, resulting in over $107 million in revenue from more than 500 attacks.
Targeting sectors like manufacturing, healthcare, telecommunications, and transportation, Black Basta has solidified its position as one of the most prolific ransomware groups, leveraging unique techniques for ingress, lateral movement, data exfiltration, and payload deployment.
Notable victims include Southern Water, BionPharma, M&M Industries, Coca-Cola, Yellow Pages Canada, AgCo, Capita, ABB, Merchant Schmidt, Tag Aviation, and Blount Fine Foods.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.