blackbasta attacks CSW GmbH

Incident Date: October 17, 2022

Overview

Title: blackbasta attacks CSW GmbH
Victim: CSW GmbH
Attacker: Blackbasta
Location: Gera, Germany
First Reported: October 17, 2022

Blackbasta Ransomware Attack on CSW GmbH

Blackbasta, a ransomware group, has claimed responsibility for an attack on CSW GmbH, a German company operating in the Business Services sector. CSW GmbH has been a provider of IT solutions for over four decades, offering a wide range of services including server and storage systems, network services, security solutions, and client systems. Additionally, they provide DATEV solutions integrated into the company's IT infrastructure and managed printing services, among others.

The specific size of CSW GmbH is not detailed in available search results, but the company's long-standing presence and the breadth of services they offer imply a significant footprint in the German market. The exact vulnerabilities exploited in the attack are not disclosed, yet the incident with Blackbasta suggests that the company's substantial data and market position may have made it an attractive target.

Blackbasta employs a variety of tactics to infiltrate and maintain presence within a victim's network, including lateral movement and persistence. The group is known to use remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera to sustain its access. A critical step in its attack methodology is deactivating antivirus protection by altering Group Policy Objects once it has control over the domain controller.

This incident is indicative of the escalating trend of ransomware attacks targeting businesses, characterized by increasing frequency and sophistication. Both the FBI and CISA have emphasized the importance of organizations promptly reporting ransomware incidents to the FBI's Internet Crime Complaint Center (IC3) or to CISA's Incident Reporting System or 24/7 Operations Center, as a measure to combat this rising threat.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.