Black Basta Leverages Microsoft Teams to Infiltrate Networks
Date: November 4, 2024
The Black Basta ransomware group has advanced its social engineering tactics by leveraging Microsoft Teams to impersonate IT support, contacting employees under the guise of helping resolve a spam attack.
A recent campaign saw attackers flood targeted employees’ inboxes with non-malicious emails—such as newsletters and sign-up confirmations—to overwhelm them, Bleeping Computer reports.
Following this, attackers posed as the company’s IT help desk, offering assistance with the spam issue. During these calls, they convinced employees to install AnyDesk or use Windows Quick Assist, granting remote access.
Once in, the attackers deployed additional tools like ScreenConnect, NetSupport Manager, and Cobalt Strike to maintain persistent access and control over the device. With this access, Black Basta affiliates moved laterally through the network, elevating privileges, exfiltrating data, and ultimately deploying ransomware.
By installing Cobalt Strike, they could control compromised devices, facilitating deeper network infiltration and ensuring a foothold for further malicious activity.
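The sequence above (inbox flood, then a remote-access tool started on the victim's machine) is one a SOC can correlate. The following is an added detection example, not code from Bleeping Computer or Halcyon: it runs over constructed inbound-mail and process-start events and flags a user whose mailbox burst is followed within a few hours by AnyDesk or Quick Assist launching. The thresholds, windows, event schema and watched process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for the remote-access tools named in the report.
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}


def find_flood_then_remote_tool(events, mail_threshold=50,
                                mail_window=timedelta(hours=1),
                                follow_window=timedelta(hours=4)):
    """Return alerts for users with a mail burst followed by a remote tool start."""
    mails, procs = defaultdict(list), defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "mail_in":
            mails[e["user"]].append(ts)
        elif e["type"] == "process_start" and e["image"].lower() in REMOTE_TOOLS:
            procs[e["user"]].append((ts, e["image"]))
    alerts = []
    for user, times in mails.items():
        times.sort()
        flood_end, lo = None, 0
        # Sliding window: first moment the per-window mail count hits the threshold.
        for hi, t in enumerate(times):
            while t - times[lo] > mail_window:
                lo += 1
            if hi - lo + 1 >= mail_threshold:
                flood_end = t
                break
        if flood_end is None:
            continue
        for ts, image in procs.get(user, []):
            if flood_end <= ts <= flood_end + follow_window:
                alerts.append({"user": user, "flood_detected": flood_end.isoformat(),
                               "tool": image, "tool_started": ts.isoformat()})
                break
    return alerts


def sample_events():
    """Constructed events: alice is flooded then runs Quick Assist; bob is benign."""
    base = datetime(2024, 11, 4, 9, 0)
    ev = [{"ts": (base + timedelta(seconds=30 * i)).isoformat(),
           "user": "alice", "type": "mail_in"} for i in range(80)]
    ev.append({"ts": (base + timedelta(minutes=90)).isoformat(), "user": "alice",
               "type": "process_start", "image": "QuickAssist.exe"})
    ev += [{"ts": (base + timedelta(minutes=10 * i)).isoformat(),
            "user": "bob", "type": "mail_in"} for i in range(5)]
    ev.append({"ts": (base + timedelta(minutes=20)).isoformat(), "user": "bob",
               "type": "process_start", "image": "AnyDesk.exe"})
    return ev
```

In a real deployment the mail counts would come from the mail gateway and the process starts from EDR or Sysmon telemetry, keyed on the same user identity.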
Takeaway: According to the Ransomware Malicious Quartile report, Black Basta is a RaaS group that emerged in early 2022, with some cybersecurity experts suggesting that it may have evolved from former members of the disbanded Conti and REvil groups.
Known for its aggressive tactics and advanced technical expertise, Black Basta has been exploiting vulnerabilities such as ConnectWise (CVE-2024-1709) and using stolen credentials sourced from Initial Access Brokers (IABs) to breach networks. They frequently employ social engineering techniques, like phishing emails and other deceptive methods, to bypass security defenses and infiltrate target organizations.
Operating under a double extortion model, Black Basta routinely exfiltrates sensitive data from victims to heighten the pressure for ransom payments. If demands are not met, they threaten to publish or sell the stolen information, significantly increasing the financial, operational, and reputational risks for the targeted organizations.
Black Basta targets specific high-stakes sectors, including finance, healthcare, and manufacturing, where there is a heightened potential for large ransom payouts. The group collaborates with a small, carefully vetted network of affiliates, ensuring tighter control over their operations, maintaining high levels of operational security, and executing highly targeted attacks.
Black Basta's ransomware is sophisticated, targeting both Windows and Linux systems and frequently exploiting vulnerabilities in VMware ESXi, a widely used enterprise server platform. Written in C++, their ransomware uses ChaCha20 for data encryption and RSA-4096 to encrypt the encryption key, enabling rapid, robust encryption across victim networks.
Known for its meticulous approach to attack execution, the group deploys advanced tactics, including Qakbot malware and vulnerabilities like PrintNightmare. They also exploit insecure Remote Desktop Protocol (RDP) configurations, a common vulnerability for ransomware entry.
To evade detection, Black Basta can disable security defenses like Windows Defender by using batch files with PowerShell commands and Group Policy Objects (GPOs) to deactivate anti-malware protections.
A highly selective group, Black Basta carefully recruits affiliates, working exclusively with trusted attackers to conduct their operations with precision. As of 2024, Black Basta remains one of the most prolific ransomware groups, employing unique tactics, techniques, and procedures (TTPs) for network infiltration, lateral movement, data exfiltration, and ransomware deployment.
The group sustains an active leak site where they publish data from victims who refuse to pay. On average, they retain around 14% of the ransom, distributing the remaining portion among affiliates.
Ransom demands vary widely, with some cases reaching as high as $9 million. Approximately 35% of targeted organizations reportedly pay the ransom, allowing Black Basta to accumulate over $107 million from more than 500 victims within less than two years, solidifying their presence as a formidable threat in the ransomware landscape.
Black Basta typically targets manufacturing, transportation, construction and related services, telecommunications, the automotive sector, and healthcare providers. Notable victims include GPI Corporate, Lyon Terminal, East Coast Fisheries, Keystone Insurance Services, Spectra Industrial, Kansas Medical Center, Danbury Public Schools, BTU, Advanced Fiberglass Industries, and ANL Packaging.
Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.