Thompson Creek Window Company Hit by BlackBasta Ransomware, 750GB Data Breach
Company Overview
Thompson Creek Window Company, based in Lanham, Maryland, is a prominent home improvement firm specializing in the manufacturing and installation of replacement windows, doors, gutters, siding, and roofing. Established in 1980, the company has built a reputation for providing high-quality products and services tailored to enhance the aesthetic appeal and value of homes. The company employs a substantial workforce and is recognized for its commitment to customer satisfaction and innovation in home improvement solutions.
Attack Overview
Thompson Creek Window Company has fallen victim to a ransomware attack orchestrated by the BlackBasta group. The attackers have compromised a substantial amount of data, totaling 750GB. The stolen data encompasses a wide range of sensitive information, including corporate data, financial records, and accounting details. Additionally, the breach has exposed human resources information such as hiring data, payroll records, personal tax forms, and various agreements. Personal documents belonging to both employees and clients have also been compromised. The extensive nature of the data breach poses significant risks to the company's operations and the privacy of individuals associated with it.
About BlackBasta Ransomware Group
BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group because of similarities in its approach to malware development, its leak sites, and its communications for negotiation, payment, and data recovery. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand in highly targeted attacks. It employs a double extortion tactic, encrypting its victims' critical data and vital servers and threatening to publish sensitive data on its public leak site if the ransom is not paid.
Penetration and Vulnerabilities
BlackBasta employs several strategies to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchased network access. Once inside a network, the group uses tools such as QakBot and Mimikatz and exploits vulnerabilities to move laterally and harvest credentials. To maintain control over compromised systems, BlackBasta uses tools such as Cobalt Strike Beacons, SystemBC, and Rclone. Before encrypting files, BlackBasta takes steps to maximize its leverage, including disabling security tools, deleting shadow copies, and exfiltrating sensitive data.
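The pre-encryption steps described above (security tools disabled, shadow copies deleted, data staged out with Rclone) are the window in which a defender can still intervene, because each leaves a distinctive process-creation event. The following Python script is an added example, not part of the original report or of any Halcyon tooling: it runs a small rule set over constructed, pipe-delimited process-creation events (the hosts, timestamps and command lines are invented, not evidence from the Thompson Creek incident) and maps each hit to the MITRE ATT&CK technique it corresponds to, then groups the hits per host so that a machine that both wipes recovery points and starts a bulk transfer is easy to spot.

```python
"""Detect ransomware pre-encryption activity in process-creation events.

Added example with constructed sample data; the events below are not logs
from the incident described in the report.
"""
import re
from dataclasses import dataclass

# Constructed sample events (timestamp | host | parent_image | image | command_line).
SAMPLE_EVENTS = r"""
2024-01-01T10:00:01Z | WS-042 | explorer.exe | winword.exe | "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docx
2024-01-01T10:04:50Z | WS-042 | cmd.exe | powershell.exe | powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:05:12Z | WS-042 | cmd.exe | vssadmin.exe | vssadmin.exe delete shadows /all /quiet
2024-01-01T10:05:40Z | WS-042 | cmd.exe | wmic.exe | wmic shadowcopy delete
2024-01-01T10:06:02Z | WS-042 | powershell.exe | rclone.exe | rclone.exe copy D:\Finance remote:backup-share --transfers 32
2024-01-01T10:06:30Z | SRV-01 | services.exe | svchost.exe | svchost.exe -k netsvcs
2024-01-01T10:07:00Z | SRV-01 | cmd.exe | bcdedit.exe | bcdedit /set {default} recoveryenabled no
"""


@dataclass
class Event:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    technique: str   # MITRE ATT&CK technique ID
    name: str        # human-readable rule name
    event: Event


# Behaviours the report names before encryption, mapped to ATT&CK technique IDs.
# Each pattern is matched case-insensitively against the full command line.
RULES = [
    ("T1490", "Inhibit System Recovery: vssadmin shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery: WMI shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("T1562.001", "Impair Defenses: Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1567.002", "Exfiltration to Cloud Storage: rclone bulk transfer",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event line into an Event; reject malformed lines."""
    fields = [f.strip() for f in line.split("|", 4)]
    if len(fields) != 5:
        raise ValueError(f"malformed event line: {line!r}")
    return Event(*fields)


def detect(events):
    """Return one Alert for every (event, rule) pair whose pattern matches."""
    alerts = []
    for ev in events:
        for technique, name, pattern in RULES:
            if pattern.search(ev.command_line):
                alerts.append(Alert(technique, name, ev))
    return alerts


def techniques_by_host(alerts):
    """Group matched technique IDs per host: a host with T1490 and T1567.002
    together is wiping recovery points while staging data out."""
    out: dict[str, set[str]] = {}
    for a in alerts:
        out.setdefault(a.event.host, set()).add(a.technique)
    return out


def run(text: str):
    """Parse a block of event lines and return the resulting alerts."""
    events = [parse_event(line) for line in text.strip().splitlines()]
    return detect(events)


if __name__ == "__main__":
    alerts = run(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a.event.timestamp} {a.event.host} {a.technique} {a.name}: {a.event.command_line}")
    print(techniques_by_host(alerts))
```

In practice the same rules are expressed as Sysmon Event ID 1 or Windows Security 4688 queries in a SIEM; the point of the per-host grouping is that a single shadow-copy deletion may be an administrator, whereas recovery inhibition plus a cloud transfer on the same workstation minutes apart is the pattern the report describes and should page someone immediately.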