The Black Basta ransomware-as-a-service (RaaS) group has been aggressively targeting critical infrastructure entities in North America, Europe, and Australia, and attacks have been stepped up, with the group’s affiliates now known to have attacked at least 500 organizations worldwide. In the United States, the group has attacked 12 of the 16 government-designated critical infrastructure sectors, and attacks on healthcare providers have increased in recent months.

Black Basta is thought to be one of multiple splinter groups that were formed when the Conti ransomware group shut down operations in June 2022. The group breaches networks, moves laterally, and exfiltrates sensitive data before encrypting files. A ransom note is dropped and victims are required to make contact with the group to find out how much they need to pay to a) prevent the publication of the stolen data on the group’s leak site and b) obtain the decryption keys to recover their encrypted data.

The group uses multiple methods for initial access to victims’ networks; however, the primary method used by affiliates is spear phishing. The group has also been observed exploiting known, unpatched vulnerabilities in software and operating systems. For instance, in February 2024, the group started exploiting a vulnerability in ConnectWise (CVE-2024-1709). The group has also been observed abusing valid credentials and using Qakbot malware. Qakbot malware is commonly distributed in phishing emails.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a cybersecurity alert about Black Basta in response to the increase in attacks. The alert shares indicators of compromise and the tactics, techniques, and procedures used by the group in recent attacks. All critical infrastructure organizations have been advised to implement a range of mitigations to make it harder for Black Basta ransomware affiliates to access internal networks and move laterally. The recommended mitigations will also strengthen defenses against other ransomware groups and should be considered by all businesses and organizations.

Phishing and spear phishing are common access vectors for ransomware groups and the initial access brokers many of the groups work with, including the operators of Qakbot malware. Strengthening phishing defenses should therefore be a priority. TitanHQ offers three products that help improve phishing defenses: SpamTitan Email Security, PhishTitan, and the SafeTitan security awareness training and phishing simulation platform.

SpamTitan is a comprehensive email security and spam filtering service that blocks the full range of threats including spam, phishing, malware, viruses, and other malicious emails. Independent tests have confirmed the solution has a 99.99% spam catch rate, Bayesian autolearning and heuristics defend against advanced email threats, recipient verification using SPF, DKIM, and DMARC, antivirus protection is provided using two leading anti-virus engines, and the solution incorporates sandboxing for deep analysis of suspicious files. The sandbox is capable of detecting threats from their behavior rather than email signatures and is capable of identifying and blocking zero-day malware threats. The solution is regularly rated the best spam filter for business by independent software review sites and is one of the most popular spam filters for MSPs.

PhishTitan is a powerful anti-phishing solution for businesses that use Microsoft 365 that protects against the advanced attacks that Microsoft’s EOP and Defender miss. The solution includes auto-remediation features to help businesses rapidly respond when they are targeted by cybercriminal groups, and integrates seamlessly with Microsoft 365, augmenting Microsoft’s protections to ensure that more phishing threats are identified and blocked. PhishTitan adds banner notifications to emails from external email accounts and warnings about unsafe content, rewrites URLs to show the true destination, provides time-of-click protection against malicious URLs, provides threat data and analytics to help users assess their risk profile, and subjects all emails to AI and LLM analysis, detecting phishing threats with a high degree of accuracy and blocking threats that Microsoft misses. The solution also uses real-time analysis and threat assessments to neutralize business email compromise and spear phishing attacks before they begin.

It is important to train the workforce on how to recognize and report phishing attempts. SafeTitan is a comprehensive security awareness training platform that provides training in bite-sized chunks. The training modules are no longer than 10 minutes and are easy to fit into busy workflows. By providing regular training each month, businesses can develop a security culture and significantly improve resilience to phishing and spear phishing attacks, especially when combined with phishing simulations. The phishing simulator includes templates from real-world ransomware campaigns, and they are regularly updated based on the latest threat intelligence.

As an additional protection, multi-factor authentication should be implemented on all accounts, and phishing-resistant MFA is the gold standard. Since vulnerabilities are often exploited, it is important to ensure that software, firmware, and operating systems are kept up to date with patches applied promptly. Ransomware groups such as Black Basta are quick to exploit known vulnerabilities in their attacks. Remote access software should be secured and disabled if it isn’t used, networks should be segmented to hamper lateral movement, and backups should be regularly made of all critical data, with copies stored securely offsite on air-gapped devices. Further recommended mitigations can be found in CISA’s StopRansomware Guide.