黑巴斯塔勒索软件肆虐北美、欧洲和澳大利亚

The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.

自2022年4月出现以来，黑色巴斯塔勒索软件即服务（RaaS）行动已针对北美、欧洲和澳大利亚的500多个私营行业和关键基础设施实体进行了攻击。

In a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said the threat actors encrypted and stole data from at least 12 out of 16 critical infrastructure sectors.

在由网络安全和基础设施安全局（CISA）、联邦调查局（FBI）、卫生和人类服务部（HHS）以及多州信息共享和分析中心（MS-ISAC）发布的联合公告中，这些机构表示，威胁行动者至少在16个关键基础设施部门中的12个部门中加密并窃取了数据。

"Black Basta affiliates use common initial access techniques — such as phishing and exploiting known vulnerabilities — and then employ a double-extortion model, both encrypting systems and exfiltrating data," the bulletin read.

"黑色巴斯塔附属机构使用常见的初始访问技术 —— 如钓鱼和利用已知漏洞 —— 然后采用双重勒索模式，既加密系统又窃取数据，"公告中写道。

Unlike other ransomware groups, the ransom notes dropped at the end of the attack do not contain an initial ransom demand or payment instructions. Rather, the notes provide victims with a unique code and instruct them to contact the gang via a .onion URL.

与其他勒索软件组不同，攻击结束时放置的勒索说明不包含初始勒索要求或付款说明。相反，说明提供受害者一个独特代码，并指示他们通过 .onion URL 联系该团伙。

Black Basta was first observed in the wild in April 2022 using QakBot as an initial vector, and has remained a highly active ransomware actor since then.

自2022年4月以来，黑色巴斯塔首次在野外观察到，使用 QakBot 作为初始载体，自那时以来一直是一个高度活跃的勒索软件行动者。

Statistics collected by Malwarebytes show that the group has been linked to 28 of the 373 confirmed ransomware attacks that took place in April 2024. According to Kaspersky, it was the 12th most active family in 2023. Black Basta has also witnessed an increase in activity in Q1 2024, spiking 41% quarter-over-quarter.

Malwarebytes 收集的统计数据显示，该组织与2024年4月发生的373起确认的勒索软件攻击中的28起攻击有关。根据卡巴斯基的说法，它是2023年第12位最活跃的家族。黑色巴斯塔在2024年第一季度的活动也有所增加，与上一季度相比增长了41%。

There is evidence to suggest that the Black Basta operators have ties to another cybercrime group tracked as FIN7, which has shifted to conducting ransomware attacks since 2020.

有证据表明，黑色巴斯塔运营商与另一个被跟踪为 FIN7 的网络犯罪组织有关联，自2020年以来该组织已转向进行勒索软件攻击。

Attack chains involving the ransomware have relied on tools such as SoftPerfect network scanner for network scanning, BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement, Mimikatz for privilege escalation, and RClone for data exfiltration prior to encryption.

涉及该勒索软件的攻击链依赖于工具，如 SoftPerfect 网络扫描仪用于网络扫描，BITSAdmin、Cobalt Strike 信标、ConnectWise ScreenConnect 和 PsExec 用于横向移动，Mimikatz 用于提权，RClone 用于加密前的数据外泄。

Other methods used to obtain elevated privileges include the exploitation of security flaws like ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527).

用于获取提权的其他方法包括利用诸如 ZeroLogon（CVE-2020-1472）、NoPac（CVE-2021-42278 和 CVE-2021-42287）和 PrintNightmare（CVE-2021-34527）等安全漏洞。

Select instances have also entailed the deployment of a tool called Backstab to disable endpoint detection and response (EDR) software. It's worth noting that Backstab has also been employed by LockBit affiliates in the past.

部分案例还涉及部署一种名为 Backstab 的工具来禁用终端检测和响应（EDR）软件。值得注意的是，过去 LockBit 附属机构也曾使用 Backstab。

The final step entails the encryption of files using a ChaCha20 algorithm with an RSA-4096 public key, but not before deleting volume shadow copies via the vssadmin.exe program to inhibit system recovery.

最后一步涉及使用 ChaCha20 算法和 RSA-4096 公钥对文件进行加密，但在删除卷影副本之前通过 vssadmin.exe 程序来阻止系统恢复。

"Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions," the agencies said.

"由于其规模、技术依赖性、访问个人健康信息的能力以及因患者护理中断而产生的独特影响，医疗组织是网络犯罪行动者的有吸引力目标，"这些机构表示。

The development comes as a CACTUS ransomware campaign has continued to exploit security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain initial access to target environments.

正值“CACTUS 勒索软件”活动持续利用云分析和商业智能平台 Qlik Sense 中的安全漏洞来获得对目标环境的初始访问。

A new analysis by NCC Group's Fox-IT team has revealed that 3,143 servers are still at risk of CVE-2023-48365 (ak DoubleQlik), with a majority of them located in the U.S., Italy, Brazil, the Netherlands, and Germany as of April 17, 2024.

NCC Group 的 Fox-IT 团队的新分析显示，截至2024年4月17日，仍有 3,143 台服务器存在 CVE-2023-48365（ak DoubleQlik）的风险，其中大多数位于美国、意大利、巴西、荷兰和德国。

The ransomware landscape is in a state of flux, registering an 18% decline in activity in Q1 2024 compared to the previous quarter, primarily led by law enforcement operations against ALPHV (aka BlackCat) and LockBit.

勒索软件格局处于不断变化之中，2024年第一季度的活动量较上一季度下降了18%，主要是由执法部门针对 ALPHV（又名 BlackCat）和 LockBit 进行的行动引起的。

With LockBit suffering from significant reputational setbacks among affiliates, it's suspected that the group will attempt to most likely rebrand. "The DarkVault ransomware group is a possible successor group to LockBit," cybersecurity firm ReliaQuest said, citing similarities with LockBit's branding.

随着 LockBit 在附属机构中遭受了重大的声誉挫折，人们怀疑该组织可能会尝试重新品牌。网络安全公司 ReliaQuest 称：“DarkVault 勒索软件团伙可能是 LockBit 的后继团伙，”并指出与 LockBit 品牌相似之处。

Some of the other new ransomware groups that made their appearance in recent weeks comprise APT73, DoNex, DragonForce, Hunt (a Dharma/Crysis ransomware variant), KageNoHitobito, Megazord, Qiulong, Rincrypt, and Shinra.

最近几周出现的其他新的勒索软件组包括 APT73、DoNex、DragonForce、Hunt（一种 Dharma/Crysis 勒索软件变体）、KageNoHitobito、Megazord、Qiulong、Rincrypt 和 Shinra。

The "diversification" of ransomware strains and "the ability to quickly adapt and rebrand in the face of adversity speaks to the resilient dynamic nature of threat actors in the ransomware ecosystem," blockchain analytics firm Chainalysis said, highlighting a 46% decrease in ransom payments in 2023.

勒索软件品种的“多样化”和“在面对逆境时快速适应和重新品牌的能力，显示了勒索软件生态系统中威胁行动者的弹性和动态特性，”区块链分析公司 Chainalysis 表示，2023年勒索付款减少了46%。

This is corroborated by findings from Veeam-owned Coveware, which said the proportion of victims that chose to pay touched a new record low of 28% in Q1 2024. The average ransom payment for the time period stood at $381,980, a 32% drop from Q4 2023.

这得到了 Veeam 旗下 Coveware 的调查结果的支持，该公司表示，2024年第一季度选择支付赎金的受害者比例触及了新的纪录低点，为 28%。该时期的平均赎金支付额为 381,980 美元，较 2023年第四季度下降了32%。

The downturn has been further complemented by victims increasingly refusing to pay the initial amount demanded, per a global survey of 5,000 organizations carried out as part of the Sophos State of Ransomware 2024 report released last month.

这一下降趋势进一步得到了受害者越来越拒绝支付初始要求金额的支持，根据上个月发布的 Sophos 2024年勒索软件状况报告中对 5,000 家组织进行的全球调查结果。

"1,097 respondents whose organization paid the ransom shared the actual sum paid, revealing that the average (median) payment has increased 5-fold over the last year, from $400,000 to $2 million," the company said.

"1,097 名受访者中，他们的组织支付了赎金，并分享了实际支付的金额，显示支付的平均（中位数）金额在过去一年中增加了 5 倍，从 40 万美元增加到 200 万美元，"该公司表示。

"While the ransom payment rate has increased, only 24% of respondents say that their payment matched the original request. 44% paid less than the original demand, while 31% paid more."

"尽管赎金支付率有所增加，但只有 24% 的受访者表示他们的支付与原始要求相匹配。44% 支付的金额低于原始要求，而 31% 支付的金额高于原始要求。"

参考资料

[1]https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：黑巴斯塔勒索软件肆虐北美、欧洲和澳大利亚