Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure


Between the end of February and mid-July 2022, 81 victim organizations were listed on the BlackByte and Black Basta data leak sites.

Of those, 41% were based in Europe, and many are part of critical infrastructure sectors, including energy, government, transportation, pharmaceuticals, facilities, food and education.

The remaining 59% were primarily located in the US and included a manufacturer of agricultural machinery, a small regional grocery chain and several construction firms.

The new data comes from the threat response unit (TRU) at eSentire, which shared the findings with Infosecurity ahead of publication.

“What stands out is that the US companies that were attacked by these two ransomware gangs during this time frame, for the most part, are not part of critical infrastructure sectors,” the report reads.

“And yet, the European-based victim organizations are definitely in critical infrastructure segments including transportation, energy, government facilities, pharmaceuticals, food and education.”

According to Keegan Keplinger, research and reporting lead at eSentire, organizations in Europe and other parts of the globe have attracted the interest of the Conti ransomware group, which only appeared to shut down in May 2022.

“In typical ransomware branding fashion, Conti did not shut down; rather, they moved their operation into other ransomware brands, including Black Basta and BlackByte,” Keplinger told Infosecurity.

“As pioneers of the ransomware intrusion model, the Conti ransomware group is known for their Russian-state affiliations, corporate organizational structure, and a tendency to target critical infrastructure in western, NATO-aligned countries, especially the US.”

However, the security expert added that in the summer of 2021, US President Joe Biden began applying pressure on Russian President Vladimir Putin, threatening sanctions and retaliation.

“To avoid lost ransomware payments, via sanctions and targeting by international law enforcement, Russian-based ransomware groups, especially Conti affiliates Black Basta and BlackByte, began rotating away from US targets towards other NATO-affiliated countries in Europe,” Keplinger added.

According to the eSentire report, these included the Black Basta attacks on the wind turbine services company Deutsche Windtechnik in April and the Switzerland-based national food company The Groupe Laiteries Réunies in May. Also in May was an attack against Jacob Becker, a sizeable German waste disposal company, and in June, there were attacks against Danish railroad company Lokaltog A/S and Italy-based chemical manufacturer RadiciGroup.

As for the BlackByte group, eSentire mentions attacks against Switzerland-based international transportation and logistics company M+R Spedag Group in April. It also describes hacking attempts against a major Italian wholesale food distributor, a pharmaceutical distributor out of Greece and a healthcare products manufacturer out of Columbia, among others.

The latest eSentire report is now publicly available and includes a list of recommendations to protect organizations from both Conti-affiliated hacking groups.

Its publication comes days after security researchers at SentinelLabs linked the Black Basta gang with hacking operations conducted by the FIN7 threat actors.
