Ransomware Attack on Northern Safety Co., Inc. by BlackBasta Exposes 750GB of Data
Overview of Northern Safety Co., Inc.
Northern Safety Co., Inc. is a leading distributor of safety and industrial supplies in the United States, serving sectors such as construction, manufacturing, utilities, and healthcare. Founded in 1983 and headquartered in Frankfort, New York, the company operates under the Würth Group of North America. Northern Safety is renowned for its extensive range of personal protective equipment (PPE) and safety products, including gloves, hard hats, safety glasses, and respiratory protection. The company also offers risk assessment and safety training services, emphasizing workplace safety and regulatory compliance.
Details of the Ransomware Attack
Northern Safety Co., Inc. recently fell victim to a ransomware attack orchestrated by the cybercriminal group BlackBasta. The attack resulted in the compromise of approximately 750GB of sensitive data, including corporate information, financial records, human resources files, and personal data of users and employees. The breach has potentially exposed critical information that could significantly impact the company's operations and its customers. The company is currently assessing the extent of the damage and working on measures to mitigate the impact of this significant security breach.
About BlackBasta
BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand, employing a double extortion tactic. This involves encrypting the victim’s critical data and threatening to publish sensitive data on their public leak site if the ransom is not paid. The group uses sophisticated methods to gain initial access, including spear-phishing campaigns and buying network access.
Penetration and Impact
BlackBasta employs several strategies to penetrate target networks, such as spear-phishing campaigns, insider information, and buying network access. Once inside, they use tools like QakBot and Mimikatz for lateral movement and credential harvesting. The group maintains control over compromised systems using tools like Cobalt Strike Beacons and SystemBC. Before encrypting files, BlackBasta disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize their leverage. The attack on Northern Safety Co., Inc. underscores the vulnerabilities that even well-established companies face in the evolving landscape of cyber threats.