Ransomware Attack on Northern Safety Co., Inc. by BlackBasta Exposes 750GB of Data

Incident Date: July 15, 2024

Overview

Victim: Northern Safety Co., Inc.

Attacker: BlackBasta

Location: Longview, USA; Texas, USA

First Reported: July 15, 2024

Ransomware Attack on Northern Safety Co., Inc. by BlackBasta

Overview of Northern Safety Co., Inc.

Northern Safety Co., Inc. is a leading distributor of safety and industrial supplies in the United States, serving sectors such as construction, manufacturing, utilities, and healthcare. Founded in 1983 and headquartered in Frankfort, New York, the company operates under the Würth Group of North America. Northern Safety is renowned for its extensive range of personal protective equipment (PPE) and safety products, including gloves, hard hats, safety glasses, and respiratory protection. The company also offers risk assessment and safety training services, emphasizing workplace safety and regulatory compliance.

Details of the Ransomware Attack

Northern Safety Co., Inc. recently fell victim to a ransomware attack orchestrated by the cybercriminal group BlackBasta. The attack resulted in the compromise of approximately 750GB of sensitive data, including corporate information, financial records, human resources files, and personal data of users and employees. The breach has potentially exposed critical information that could significantly impact the company's operations and its customers. The company is currently assessing the extent of the damage and working on measures to mitigate the impact of this significant security breach.

About BlackBasta

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand, employing a double extortion tactic. This involves encrypting the victim’s critical data and threatening to publish sensitive data on their public leak site if the ransom is not paid. The group uses sophisticated methods to gain initial access, including spear-phishing campaigns and buying network access.

Penetration and Impact

BlackBasta employs several strategies to penetrate target networks, such as spear-phishing campaigns, insider information, and buying network access. Once inside, they use tools like QakBot and Mimikatz for lateral movement and credential harvesting. The group maintains control over compromised systems using tools like Cobalt Strike Beacons and SystemBC. Before encrypting files, BlackBasta disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize their leverage. The attack on Northern Safety Co., Inc. underscores the vulnerabilities that even well-established companies face in the evolving landscape of cyber threats.
