Black Basta Ransomware Targets Grupo Cadarso

Incident Date:

May 20, 2024

World map



Black Basta Ransomware Targets Grupo Cadarso


Grupo Cadarso




Barcelona, Spain

, Spain

First Reported

May 20, 2024

Black Basta Ransomware Targets Grupo Cadarso

Overview of the Attack

In May 2024, Grupo Cadarso, a Spanish real estate and property management company, fell victim to a ransomware attack orchestrated by the Black Basta group. The attackers claimed to have exfiltrated approximately 570 GB of sensitive data, which includes corporate documents, financial records, client data, and personal identification documents. This attack has exposed significant vulnerabilities within the company's security infrastructure.

About Grupo Cadarso

Grupo Cadarso, founded in 1948, is a prominent Spanish company specializing in real estate development, construction, and property management. Over its 75-year history, the company has expanded its operations to include hospitality, energy, and technology sectors. Grupo Cadarso is known for its strong family legacy and commitment to quality, boasting a workforce of 223 employees and generating annual revenue of $247 million. The company operates in Spain, Portugal, and Andorra, and distributes international luxury watch brands.

Details of the Attack

The Black Basta ransomware group employs a double extortion tactic, encrypting the victim's data and threatening to leak it publicly if the ransom is not paid. In the case of Grupo Cadarso, the attackers exfiltrated a vast array of sensitive information and published samples of the data on their dark web leak site to pressure the company into complying with their demands.

About the Black Basta Ransomware Group

Black Basta is a ransomware-as-a-service (RaaS) operation that emerged in early 2022. The group is believed to have connections to the defunct Conti ransomware group, sharing similar tactics and techniques. Black Basta targets organizations across the globe, including in the US, Europe, and Australia, using sophisticated methods to gain initial access, such as spear-phishing, exploiting vulnerabilities, and purchasing network access from initial access brokers.

Once inside a network, Black Basta employs tools like QakBot, Mimikatz, and Cobalt Strike to move laterally, harvest credentials, and establish command and control. The group disables security tools, deletes shadow copies, and exfiltrates data before encrypting the files using a combination of ChaCha20 and RSA-4096 encryption algorithms.

Impact on Grupo Cadarso

The ransomware attack on Grupo Cadarso highlights the persistent threat of cybercrime to businesses, especially those handling large volumes of sensitive data. The exposure of such data not only poses a significant risk to the company's operational integrity but also threatens its reputation and client trust.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.