blackbasta attacks CSW GmbH

Incident Date:

October 17, 2022

World map



blackbasta attacks CSW GmbH






Gera, Germany

, Germany

First Reported

October 17, 2022

Blackbasta Ransomware Attack on CSW GmbH

Blackbasta, a ransomware group, has claimed responsibility for an attack on CSW GmbH, a German company operating in the Business Services sector. CSW GmbH has been a provider of IT solutions for over four decades, offering a wide range of services including server and storage systems, network services, security solutions, and client systems. Additionally, they provide DATEV solutions integrated into the company's IT infrastructure and managed printing services, among others.

The specific size of CSW GmbH is not detailed in available search results, but the company's long-standing presence and the breadth of services they offer imply a significant footprint in the German market. The exact vulnerabilities exploited in the attack are not disclosed, yet the incident with Blackbasta suggests that the company's substantial data and market position may have made it an attractive target.

Blackbasta employs a variety of tactics to infiltrate and maintain presence within a victim's network, including lateral movement and persistence. The group is known to utilize remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera to sustain their access. A critical step in their attack methodology involves deactivating antivirus protocols by altering Group Policy Objects once they have control over the domain controller.

This incident is indicative of the escalating trend of ransomware attacks targeting businesses, characterized by increasing frequency and sophistication. Both the FBI and CISA have emphasized the importance of organizations promptly reporting ransomware incidents to the FBI's Internet Crime Complaint Center (IC3) or to CISA's Incident Reporting System or 24/7 Operations Center, as a measure to combat this rising threat.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.