Black Basta Ransomware Compromises Wielton S.A., Steals 650GB Data

Incident Date: June 17, 2024

Overview

Victim: Wielton S.A.
Attacker: Black Basta
Location: Wieluń, Poland
First Reported: June 17, 2024

Analysis of the Black Basta Ransomware Attack on Wielton S.A.

Company Profile: Wielton S.A.

Wielton S.A., a leading European manufacturer based in Poland, specializes in the production of trailers, semi-trailers, and truck bodies. With a workforce of approximately 3,450 employees and a revenue of around 2.92 billion PLN, Wielton stands as one of the top five manufacturers in Europe and top ten globally in the transport solutions sector. The company's extensive product range and its strategic acquisitions have significantly broadened its market presence, making it a notable player in the transportation, construction, agriculture, and distribution sectors.

Details of the Ransomware Attack

The Black Basta group, known for its targeted ransomware attacks, recently compromised Wielton S.A., resulting in the theft of approximately 650GB of sensitive data. This data includes corporate information, financial records, project details, and technical drawings, stored across multiple server folders. The breach has raised serious concerns about the company's data security and operational integrity.

Profile of the Black Basta Group

Emerging in early 2022, Black Basta is believed to be an offshoot of the defunct Conti group. The group is notorious for its double extortion tactics, involving data encryption and threats to leak stolen data if ransoms are not paid. Black Basta's operations are characterized by the use of sophisticated tools such as QakBot and Mimikatz for lateral movement and credential harvesting, and Cobalt Strike Beacons for maintaining control over compromised systems.

Potential Vulnerabilities and System Penetration

Wielton S.A.'s extensive digital infrastructure, necessary for its large-scale manufacturing operations, may have presented multiple attack vectors for Black Basta. The group likely gained initial access through weaknesses in the company’s network, possibly via spear-phishing or the exploitation of outdated systems. After gaining access, they would have moved laterally across the network, harvesting credentials and escalating privileges in order to deploy their ransomware and exfiltrate data.
