Black Basta Ransomware Attack on Toronto Public Library

The Black Basta ransomware group has claimed responsibility for a major attack on the Toronto Public Library that took down the library’s web domain and certain online services. According to the Library's update on November 8th, "We are actively addressing a cybersecurity incident that came to our attention on Saturday, October 28. We can confirm that the incident is a ransomware attack."

The same update confirms that several services are inaccessible, while the Library branches are open as scheduled. The announcement continues that "There continues to be no evidence at this time that the personal information of our staff or customers has been compromised." Toronto Public Library is a public library system in Toronto, Ontario.

It is the largest public library system in Canada, and in 2008, it averaged a higher circulation per capita than any other public library system internationally, making it the largest neighborhood-based library system in the world. Within North America, it also had the highest circulation and visitors when compared to other large urban systems. Established as the library of the Mechanics' Institute in 1830, the Toronto Public Library now consists of 100 branch libraries and has over 12 million items in its collection.

About Black Basta Ransomware

Black Basta is a RaaS that emerged in early 2022 and is assessed by some researchers to be an offshoot of the disbanded Conti and REvil attack groups. The group routinely exfiltrates sensitive data from victims for additional extortion leverage. Black Basta engages in highly targeted attacks and is assessed to only work with a limited group of highly vetted affiliate attackers.

Black Basta has quickly became one of the most prolific attack groups in 2023 and was observed leveraging unique TTPs for ingress, lateral movement, data exfiltration data, and deployment of ransomware payloads. Ransom demands vary depending on the targeted organization with reports that they can be as high as $2 million dollars. Black Basta continues to evolve their RaaS platform, with ransomware payloads that can infect systems running both Windows and Linux systems. Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers. Black Basta ransomware is written in C++, can target both Windows and Linux systems, encrypts data with ChaCha20, and then the encryption key is encrypted with RSA-4096 for rapid encryption of the targeted network.

In some cases, Black Basta leverages malware strains like Qakbot and exploits such as PrintNightmare during the infection process. Black Basta also favors abuse of insecure Remote Desktop Protocol (RDP) deployments, one of the leading infection vectors for ransomware. Black Basta typically targets manufacturing, transportation, construction and related services, telecommunications, the automotive sector, and healthcare providers. Black Basta also employs a double extortion scheme and maintains an active leaks website where they post exfiltrated data if an organization declines to pay the ransom demand.