Last Week in Ransomware: 12.16.2024

Industry
Written by Halcyon Team
Published on Dec 16, 2024

Last week in ransomware news we saw Black Basta hit BT Group, a Romanian energy producer under attack, and the US sanction a Chinese security firm for Ragnarok ransomware attacks...

Black Basta Ransomware Hits BT Group

BT Group, the UK’s leading telecommunications provider, has confirmed a ransomware attack on its BT Conferencing division by the Black Basta group.

While BT insists the attack did not impact its core operations or live conferencing services, it took affected servers offline as a precaution. The company described the incident as an “attempted compromise,” stating that the breach was isolated and swiftly contained.

However, Black Basta claims a much more severe breach, alleging they exfiltrated 500GB of sensitive data, including financial records, NDAs, and personal documents.

The group has released screenshots of stolen documents and threatened to publish the data on the dark web. BT is investigating the incident alongside regulatory and law enforcement bodies.

Black Basta, a Ransomware-as-a-Service (RaaS) group believed to have ties to disbanded gangs like Conti and REvil, is notorious for its technical sophistication.

It employs double-extortion tactics, demanding ransoms and threatening to leak stolen data. The group uses advanced tools like ChaCha20 encryption and Qakbot malware, and exploits vulnerabilities such as those in VMware ESXi and PrintNightmare.

With ransom demands reaching up to $9 million, Black Basta has targeted sectors including telecommunications, healthcare, and manufacturing, amassing over $107 million in revenue from more than 500 attacks.

Romanian Energy Producer Suffers Attack

Electrica Group, Romania’s leading electricity distributor serving over 3.8 million customers, is responding to a ransomware attack described as "in progress."

Established in 1998 and listed on the Bucharest and London stock exchanges, Electrica plays a vital role in Romania’s energy infrastructure, offering distribution, maintenance, and energy services across Transylvania and Muntenia.

The company confirmed the attack in a statement to investors, highlighting that critical systems, including SCADA systems used for network control and monitoring, remain unaffected.

CEO Alexandru Aurelian Chirita attributed minor service disruptions to proactive measures designed to protect internal infrastructure and ensure the security of operations and consumer data. Electrica is collaborating with national cybersecurity authorities to investigate and mitigate the incident.

Romania's Ministry of Energy corroborated that operational systems were not compromised. However, the attack underscores the growing threat of ransomware targeting global energy providers.

Similar recent incidents include Costa Rica’s RECOPE, which reverted to manual operations following an attack, Schneider Electric’s breach involving 40GB of sensitive data theft, and ENGlobal Corporation’s disclosure of a ransomware incident in U.S. regulatory filings.

Energy providers are increasingly vulnerable as cybercriminals exploit critical systems to exfiltrate technical blueprints, configurations, and operational protocols. These attacks can disrupt services, compromise public safety, and threaten national security by exposing operational technology (OT) systems to sabotage.

With ransomware evolving into a multi-billion-dollar enterprise leveraging advanced tools like zero-day exploits and cross-platform malware, governments must treat these threats as critical security risks and bolster counter-ransomware efforts to protect essential infrastructure.

US Sanctions Chinese Firm for Ragnarok

The U.S. Treasury Department has sanctioned Chinese cybersecurity firm Sichuan Silence and employee Guan Tianfeng, alias "GBigMao," for their involvement in the April 2020 Ragnarok ransomware attacks.

The attacks targeted critical U.S. infrastructure and thousands of global systems, exploiting a zero-day vulnerability (CVE-2020-12271) in Sophos XG firewalls. Approximately 81,000 firewalls were compromised worldwide, including 23,000 in the U.S., with 36 protecting critical infrastructure.

Guan discovered the vulnerability, which was leveraged to steal data and deploy Ragnarok ransomware. Among the affected entities was a U.S. energy company, where timely intervention averted severe consequences.

The attackers employed a "dead man switch" mechanism intended to trigger widespread ransomware deployment, which Sophos neutralized through a hotfix.

The Department of Justice (DOJ) has unsealed an indictment against Guan, and the State Department has offered a $10 million reward for information on him or Sichuan Silence. In addition to cyberattacks, Sichuan Silence has been linked to disinformation campaigns, including COVID-19 misinformation that Meta dismantled in 2021.

The sanctions freeze U.S.-based assets associated with the firm and bar American entities from engaging with it, aiming to disrupt its operations.

This incident underscores the blurred lines between cybercriminal and state-sponsored operations. Chinese-linked groups like Sichuan Silence and Advanced Persistent Threats (APTs) such as Volt Typhoon exploit vulnerabilities for both financial gain and strategic purposes.

Targeting critical U.S. infrastructure demonstrates a dual-purpose approach, testing vulnerabilities while advancing geopolitical objectives. The U.S. Treasury’s actions highlight the growing threat of state-backed ransomware and its implications for national security.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.