
Preventing Black Basta


Since the Black Basta group emerged in 2022, a growing number of companies have faced its aggressive attack methods. The attacks target various industries and rely on highly developed encryption techniques with the sole purpose of locking data and demanding ransom payments.

These attacks often follow the principle of double extortion, where in addition to encrypting data, the attackers threaten to release sensitive information to exert additional pressure on the victims.

The group sends out large-scale spam campaigns to deceive employees and gain access to networks. Its members often pose as IT helpdesk employees in chat conversations and ask for the installation of remote access software like AnyDesk, which gives them direct access to systems.

Towards the end of 2024, there was a series of attacks linked to the Black Basta group aimed at extorting money during the holiday season. This timeframe is particularly sensitive because many companies operate with reduced staff during the holidays, limiting their capacity for countermeasures.

To protect against these relatively new attack methods by the Black Basta group, IT leaders and CISOs need to instruct all employees to critically evaluate emails. Employees should carefully check the sender's email address and be particularly skeptical of unknown or unusual addresses. Clicking on links or opening attachments in suspicious messages is a no-go and can lead to unforeseen damage. It is also advisable to scrutinize communication channels like Microsoft Teams: any external or unverified user posing as IT staff in a chat should be questioned, and any unusual chat request should be reported to the IT department immediately.

Moreover, employees should not install software without consulting the IT department, especially remote access tools that grant extensive access rights to third parties. Employee awareness and training are also crucial. Regular security awareness training sessions help employees stay informed about current attack methods and sharpen their eye for typical warning signs.

IT departments can take targeted measures to enhance security in light of the recent wave of attacks. Implementing whitelisting in Microsoft Teams ensures that only trusted external users or domains can interact with the company. External access should be restricted to specific, verified domains, with all others blocked.

Blocking the AnyDesk domain in the proxy or firewall prevents the software from being downloaded or used within the company network, making it significantly harder for attackers to use the software as an attack vector. Disabling file downloads in Teams prevents users from downloading potentially harmful files distributed by attackers through Teams chats, which reduces the attack surface and protects against malware installation.
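To confirm that the proxy block described above actually holds, the following added example (not from the original article) audits a proxy log for requests to the remote-access vendor's domain and reports which clients were denied and which got through. It assumes Squid's native access.log layout and `anydesk.com` as the blocked domain; the log lines, IP addresses, hostnames and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: anydesk.com is the vendor domain blocked at the proxy.
BLOCKED_SUFFIXES = ("anydesk.com",)

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1735030801.112 95 10.0.4.17 TCP_DENIED/403 3921 CONNECT download.anydesk.com:443 - HIER_NONE/- text/html
1735030862.480 30211 10.0.4.17 TCP_TUNNEL/200 48213 CONNECT relay-1.net.anydesk.com:443 - HIER_DIRECT/203.0.113.10 -
1735030899.007 41 10.0.7.52 TCP_MISS/200 1822 GET http://notanydesk.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1735030903.650 12 10.0.7.52 TCP_DENIED/403 3921 GET http://AnyDesk.com./downloads - HIER_NONE/- text/html
1735030950.301 77 10.0.9.3 TCP_TUNNEL/200 9120 CONNECT anydesk.com.example.net:443 - HIER_DIRECT/198.51.100.9 -
"""

def host_of(method, url):
    """Return the lower-cased hostname from a CONNECT target or a full URL."""
    target = "//" + url if method == "CONNECT" else url
    return (urlsplit(target).hostname or "").rstrip(".")

def is_blocked(host):
    """Match the domain itself or any subdomain, never a mere substring."""
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)

def audit(log_text):
    """Map client IP -> {'denied': n, 'allowed': n} for remote-access domains."""
    hits = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if is_blocked(host_of(method, url)):
            outcome = "denied" if result.startswith("TCP_DENIED") else "allowed"
            hits[client][outcome] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, counts in sorted(audit(SAMPLE_LOG).items()):
        flag = "BLOCK BYPASSED" if counts["allowed"] else "blocked"
        print(f"{client}: {counts} -> {flag}")
```

A client with a non-zero `allowed` count reached the domain despite the rule, which points to a gap in the block; a client with only `denied` entries is still worth a follow-up, since someone on that host tried to fetch or run the tool.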

It is essential to recognize that these are just some of the attack methods used by the group, and for comprehensive security, a solid foundational protection strategy across the entire attack surface is crucial.

In conclusion, as the threat of ransomware attacks continues to evolve and grow, it is imperative for companies to stay vigilant, educate their employees, and implement robust security measures to protect against such threats effectively.
