DISH Hacked - Websites are BACK ONLINE!

Since no one else has posted this;
(This site is a service that is selling protection, but very informative)


Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.

Black Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers not only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom demands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim, where they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.

Although the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had compromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site in the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the ransomware business and has a steady source of initial access.

Unit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using it for both initial access and to spread laterally throughout the network.

word-image-84.png
 
Since no one else has posted this;
(This site is a service that is selling protection, but very informative)


Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.

Black Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers not only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom demands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim, where they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.

Although the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had compromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site in the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the ransomware business and has a steady source of initial access.

Unit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using it for both initial access and to spread laterally throughout the network.

word-image-84.png
Any indications this could have been a Black Basta attack?
 
  • Like
Reactions: charlesrshell
Since no one else has posted this;
(This site is a service that is selling protection, but very informative)


Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.

Black Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers not only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom demands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim, where they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.

Although the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had compromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site in the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the ransomware business and has a steady source of initial access.

Unit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using it for both initial access and to spread laterally throughout the network.

word-image-84.png
Just one person to d/l one file and click the wrong OK buttons. The bigger issue is that ransomware seems to be adapting to companies not paying.
 
Just one person to d/l one file and click the wrong OK buttons. The bigger issue is that ransomware seems to be adapting to companies not paying.
Yes on both.
I have a friend who worked in IT security. This guy has to add you to his network at his house. You can't just connect with the password.

He was on Steve Jobs' early teams and is very cautious - and fell for the Paypal scam, the first time he got it in his email, got phished and his bank account cleaned out - the bank covered it - but felt really embarrassed by it. I told him, it happens and it shows anyone can make a mistake.
 
Yes on both.
I have a friend who worked in IT security. This guy has to add you to his network at his house. You can't just connect with the password.
Not exactly certain how that helps, as the computer that is infected would be on the network regardless. This would only stop people outside the place from getting on the network.
He was on Steve Jobs' early teams and is very cautious - and fell for the Paypal scam, the first time he got it in his email, got phished and his bank account cleaned out - the bank covered it - but felt really embarrassed by it. I told him, it happens and it shows anyone can make a mistake.
The good news is that Microsoft is making it a bit harder to make just one mistake. In order to make this happen, you need to:
  • take the email seriously
  • download an Excel file
  • enable the file
  • enable macros
I think PDFs can launch stuff on their own though, however, that might not provide as convenient a pathway into Windows as Excel allows through VBA. And you just need one person to do something like open an attachment that has so many red flags you'd think you were in China... but they are color blind.
 
Not exactly certain how that helps, as the computer that is infected would be on the network regardless. This would only stop people outside the place from getting on the network.

The good news is that Microsoft is making it a bit harder to make just one mistake. In order to make this happen, you need to:
  • take the email seriously
  • download an Excel file
  • enable the file
  • enable macros
I think PDFs can launch stuff on their own though, however, that might not provide as convenient a pathway into Windows as Excel allows through VBA. And you just need one person to do something like open an attachment that has so many red flags you'd think you were in China... but they are color blind.
I just read about a guy this morning who was d/l'g PDF's from a Library site and infected his computer with something pretty nasty. He ended up reformatting his C: Drive and losing everything he had saved, etc.

FWIW, this was off an onion site on the Dark Web, using TOR
 
Since no one else has posted this;
(This site is a service that is selling protection, but very informative)


Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.

Black Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers not only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom demands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim, where they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.

Although the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had compromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site in the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the ransomware business and has a steady source of initial access.

Unit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using it for both initial access and to spread laterally throughout the network.

word-image-84.png
Read a bit more about Black Basta. It seems they mostly ignore personal users and target companies/corporations, and their ransom demands are usually in the millions. As for any protection from anti virus software, Norton doesn't seem to mention Black Basta at all, but Malwarebytes claims protection from it. Another problem is that this Black Basta seems to be constantly evolving.
 
Read a bit more about Black Basta. It seems they mostly ignore personal users and target companies/corporations, and their ransom demands are usually in the millions. As for any protection from anti virus software, Norton doesn't seem to mention Black Basta at all, but Malwarebytes claims protection from it. Another problem is that this Black Basta seems to be constantly evolving.
Well, it isn't as much as the criminals are evolving to the landscape... as criminals do. When they put locks on car downs, that wasn't the end of car thefts. Computer systems are hidden out of site it is impossible to really know what is going on in a computer. This makes it a bit easier to mess around with them, unlike a car, where someone would notice they were inside the car with you.

So currently, the plan is "the cloud" and ridiculous levels of redundant backup. The cloud "saves" money by reducing equipment in an office. And the backup stuff reduces IT tasks, so they can manage other parts of the IT sphere... until people keep needing files brought back to life. Ransomware will find a way around this and adapt again. It is a perpetually moving target.
 
Read a bit more about Black Basta. It seems they mostly ignore personal users and target companies/corporations, and their ransom demands are usually in the millions. As for any protection from anti virus software, Norton doesn't seem to mention Black Basta at all, but Malwarebytes claims protection from it. Another problem is that this Black Basta seems to be constantly evolving.
I read last night that the most current intel shows members are from other, now dark Cyber attack organizations, one in particular, from Russia
 
  • Like
Reactions: charlesrshell
I read last night that the most current intel shows members are from other, now dark Cyber attack organizations, one in particular, from Russia
This is going to become a huge problem with the expansion of real AI. Ransomware and what it becomes down the road will be a mob industry.

Richard Clarke was warning of this 20+ years ago.
 
Top