SAINTCON 2023 - Josh Murchie - It wasn't a rock, it was a...BlackBasta!

In this SAINTCON 2023 talk, Josh Murchie walks through the tactics and techniques of the Black Basta ransomware group, covering its evolution, targeting, and evasion methods.

Key takeaways
  • Black Basta ransomware is a relatively new threat actor that has already hit 50 organizations in 4 months.
  • It uses legitimate software, such as AnyDesk, Splashtop, and Katerra, to gain and maintain access to victim networks.
  • Qakbot (QBot) is used as the botnet and command-and-control channel that drops additional malware and exfiltrates sensitive information.
  • Black Basta is heavily reliant on phishing, often carried out across multiple email threads, to extract sensitive information.
  • The ransomware group uses a modular approach, with each component having its own function.
  • They use a variety of tools, including BloodHound, for Active Directory reconnaissance and collection of sensitive information.
  • The group uses a domain generation algorithm (DGA) to rotate its domains and stay hidden from blocklists.
  • Black Basta is constantly evolving and improving its tactics, techniques, and procedures.
  • Mandiant observed that the group’s attack campaigns are highly targeted and sophisticated.
  • Phishing is a critical component of their attack chain, and they use it to trick victims into installing malware or revealing sensitive information.
  • The group follows public reporting and incident-response write-ups to identify and target new victims.
  • They also use threat intelligence to stay ahead of defenders.
  • Un militarized offers real-time incident response, threat intelligence, and managed defense services to help organizations defend against ransomware attacks.
  • The group’s use of legitimate software and tools makes it difficult to detect and remediate.
  • Black Basta has already been involved in several high-profile attacks, including one that hit a casino in the summer.
  • The group’s operators are highly organized and experienced, with a good understanding of the threat landscape.
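Two of the takeaways above (abuse of legitimate remote-access software and BloodHound reconnaissance) are things a defender can hunt for in process-creation telemetry. The script below is an added example written for this page, not code from the talk or from any vendor: it scans Sysmon-style JSON events, flags AnyDesk/Splashtop launches on hosts that are not on an IT allowlist, and flags SharpHound/BloodHound collection by command line. The image names, the hostname allowlist, and the sample log lines are constructed assumptions; adapt the allowlist and field names to your own telemetry.

```python
"""Hunt for abused remote-access tools and BloodHound recon in process logs.

Added example for the Black Basta takeaways above; not the speaker's code.
Input is assumed to be one Sysmon-style process-creation event per line,
serialised as JSON with Computer, User, Image and CommandLine fields.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Remote-access tools named in the talk. The executable names are assumptions
# about how these products appear in process-creation telemetry.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "splashtop_streamer.exe": "Splashtop",
    "srserver.exe": "Splashtop",
}

# Hosts where IT legitimately runs remote-access tooling (hypothetical allowlist).
APPROVED_RMM_HOSTS = {"it-jump01"}

# Command-line indicators of BloodHound/SharpHound collection.
BLOODHOUND_PATTERNS = re.compile(
    r"sharphound|bloodhound|--collectionmethods?\s+all|(^|\s)-c\s+all\b", re.I
)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding for one process-creation event, or None if benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    host = event.get("Computer", "").lower()
    user = event.get("User", "")
    cmdline = event.get("CommandLine", "")

    # Rule 1: legitimate RMM tool running somewhere IT does not use it.
    if image in RMM_IMAGES and host not in APPROVED_RMM_HOSTS:
        return Finding(host, user, "rmm_unexpected_host",
                       f"{RMM_IMAGES[image]} launched as {image}")

    # Rule 2: BloodHound/SharpHound collector by command line.
    if BLOODHOUND_PATTERNS.search(cmdline):
        return Finding(host, user, "ad_recon_bloodhound", cmdline)

    return None


def analyze_log(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over a stream of JSON lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt telemetry should not abort the hunt
        finding = analyze_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real incident data). Raw string so the
# JSON-escaped backslashes in Windows paths survive intact.
SAMPLE_LOG = r"""
{"Computer": "IT-JUMP01", "User": "CORP\\svc_it", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --service"}
{"Computer": "FIN-WS12", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --silent"}
{"Computer": "FIN-WS12", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\SharpHound.exe", "CommandLine": "SharpHound.exe -c All --zipfilename corp.zip"}
{"Computer": "FIN-WS12", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "OUTLOOK.EXE /recycle"}
this line is not valid json and is skipped
"""


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
```

The allowlist is the important design choice: blocking AnyDesk outright breaks IT workflows, while alerting on it only where it has no business running surfaces exactly the "legitimate tool, wrong host" pattern the talk describes. Extend `RMM_IMAGES` with whatever remote-access products your environment actually licenses, and treat a hit from a user's `AppData` path as higher severity than one from `Program Files`.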