Black Basta Ransomware Targets Grupo Cadarso
Overview of the Attack
In May 2024, Grupo Cadarso, a Spanish real estate and property management company, fell victim to a ransomware attack orchestrated by the Black Basta group. The attackers claimed to have exfiltrated approximately 570 GB of sensitive data, which includes corporate documents, financial records, client data, and personal identification documents. This attack has exposed significant vulnerabilities within the company's security infrastructure.
About Grupo Cadarso
Grupo Cadarso, founded in 1948, is a prominent Spanish company specializing in real estate development, construction, and property management. Over its 75-year history, the company has expanded its operations to include hospitality, energy, and technology sectors. Grupo Cadarso is known for its strong family legacy and commitment to quality, boasting a workforce of 223 employees and generating annual revenue of $247 million. The company operates in Spain, Portugal, and Andorra, and distributes international luxury watch brands.
Details of the Attack
The Black Basta ransomware group employs a double extortion tactic, encrypting the victim's data and threatening to leak it publicly if the ransom is not paid. In the case of Grupo Cadarso, the attackers exfiltrated a vast array of sensitive information and published samples of the data on their dark web leak site to pressure the company into complying with their demands.
About the Black Basta Ransomware Group
Black Basta is a ransomware-as-a-service (RaaS) operation that emerged in early 2022. The group is believed to have connections to the defunct Conti ransomware group, sharing similar tactics and techniques. Black Basta targets organizations across the globe, including in the US, Europe, and Australia, using sophisticated methods to gain initial access, such as spear-phishing, exploiting vulnerabilities, and purchasing network access from initial access brokers.
Once inside a network, Black Basta employs tools like QakBot, Mimikatz, and Cobalt Strike to move laterally, harvest credentials, and establish command and control. The group disables security tools, deletes shadow copies, and exfiltrates data before encrypting the files using a combination of ChaCha20 and RSA-4096 encryption algorithms.
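The shadow-copy deletion step described above is one of the last observable actions before encryption, which makes it a useful detection point. The following is an added example, not taken from the article or from any Black Basta report: the command-line patterns are commonly seen Windows recovery-tampering commands chosen as assumptions, and the events are constructed.

```python
import re

# Patterns for Windows shadow-copy deletion and recovery tampering.
# Assumption: chosen for illustration; the article does not list the
# exact commands used in this incident.
PATTERNS = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed process-creation events (simplified Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "vssadmin.exe list shadows"},
    {"host": "FS01", "user": "CORP\\jdoe",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "user": "CORP\\jdoe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS12", "user": "CORP\\asmith", "cmd": "wmic shadowcopy delete /nointeractive"},
    {"host": "WS12", "user": "CORP\\asmith", "cmd": "wmic.exe os get caption"},
]


def detect(events):
    """Return events whose command line matches at least one pattern."""
    hits = []
    for ev in events:
        matched = [name for name, rx in PATTERNS.items() if rx.search(ev["cmd"])]
        if matched:
            hits.append({**ev, "rules": matched})
    return hits


def hosts_with_multiple_techniques(hits, threshold=2):
    """Hosts where several distinct tampering techniques fired (higher confidence)."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).update(h["rules"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h["host"], h["user"], h["rules"], h["cmd"])
    print("escalate:", hosts_with_multiple_techniques(found))
```

Listing shadow copies is routine for backup software, so only the destructive verbs are matched; a host that triggers two or more distinct rules is a stronger signal than a single hit.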
Impact on Grupo Cadarso
The ransomware attack on Grupo Cadarso highlights the persistent threat of cybercrime to businesses, especially those handling large volumes of sensitive data. The exposure of such data not only poses a significant risk to the company's operational integrity but also threatens its reputation and client trust.