May 13, 2024 at 06:22AM
Black Basta ransomware has targeted over 500 entities in North America, Europe, and Australia since April 2022. Affiliates use common access techniques and a double-extortion model, and their ransom notes carry no initial ransom demand. The group is linked to 28 of 373 ransomware attacks in April 2024 and showed increased activity in Q1 2024. The ransomware landscape is in flux, with new groups emerging. Ransom payments have decreased, with a significant number of victims refusing to pay the initial demand despite an increase in the average payment.
Key takeaways from the meeting notes are as follows:
1. The Black Basta Ransomware-as-a-Service (RaaS) operation has targeted over 500 entities in North America, Europe, and Australia. It encrypts and steals data from critical infrastructure sectors and uses a double-extortion model; its ransom notes do not include an initial ransom demand.
2. Black Basta was first observed in April 2022 and has remained a highly active ransomware actor. It has ties to the cybercrime group FIN7 and has seen increased activity.
3. The ransomware attack chains use various tools for network scanning, lateral movement, privilege escalation, and data exfiltration, and exploit security flaws such as ZeroLogon, NoPac, and PrintNightmare.
4. Healthcare organizations are attractive targets for cybercrime due to their size, technological dependence, and access to personal health information.
5. The CACTUS ransomware campaign is exploiting security flaws in the Qlik Sense platform to obtain initial access to target environments.
6. The ransomware landscape is experiencing a decline in activity, with a shift in the activities of certain ransomware groups and the introduction of new groups.
7. Ransom payments have seen fluctuations, with a significant decrease in the proportion of victims choosing to pay and a drop in the average ransom payment in Q1 2024.
8. Despite the increase in ransom payment rate, only 24% of respondents reported that their payment matched the original request, while 44% paid less and 31% paid more.
These takeaways illustrate the current state of ransomware activities, the targeting of critical infrastructure sectors, and the evolving trends in ransom payments and responses from victims.