Black Basta Ransomware Attacks Linked to FIN7 Threat Actor

Written by

The individuals behind the Black Basta ransomware have been linked to hacking operations conducted by the FIN7 threat actors.

According to a new advisory by SentinelLabs, Black Basta actors have used a custom defense impairment tool (found exclusively in incidents by this specific threat actor) in several instances.

"Our investigation led us to a further custom tool [...] an executable packed with UPX [Ultimate Packer for Executables]," SentinelLabs wrote.

"The unpacked sample is a binary compiled with Visual Basic. The main functionality is to show a fake Windows Security GUI and tray icon with 'healthy' system status, even if Windows Defender and other system functionalities are disabled."

The security researchers added that analysis of the tool led the team to additional samples, one of which included an unknown packer that, once unpacked, was identified as BIRDDOG (aka SocksBot), a backdoor used in multiple operations by FIN7 threat actors.

"We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups," SentinelLabs explained.

The cybersecurity company has also established other ties between the two hacking groups.

"Initially, FIN7 used POS (Point of Sale) malware to conduct financial frauds. However, since 2020 they switched to ransomware operations, affiliating to REvil, Conti and also conducting their own operations."

According to SentinelLabs, the threat actor or an affiliate began writing tools from scratch to disassociate their new operations from the old.

"FIN7 (or Carbanak) is often credited with innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the schemes of their peers," the advisory reads.

"As we clarify the hand behind the elusive Black Basta ransomware operation, we aren't surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways."

The SentinelLabs advisory comes weeks after a report from Ivanti suggested that ransomware, including Black Basta, has grown by 466% since 2019 and is being used increasingly as a precursor to physical war.

What’s hot on Infosecurity Magazine?