Following their recent report on how the Black Basta leak exposed the group's ransomware tactics, researchers at KELA's Cyber Intelligence Center have published new information and analysis on victim selection in Black Basta's reconnaissance. The researchers found that at least 11 percent of the ZoomInfo links shared in Black Basta communications were later associated with companies that appeared as confirmed ransomware victims, among them ZircoDATA, Beko Technologies, Duty Free Americas, Fortive Corporation and Peco Foods.
They noted that the average gap between a victim's ZoomInfo profile first being discussed in Black Basta's internal chats and the victim being posted on the ransomware blog is approximately 75 days.
“Over the years of Black Basta’s activity, KELA has tracked over 600 ransomware victims of this group, with nearly 60% based in the U.S., followed by 12% in Germany, 8% in the U.K., and 7% in Canada. Industry-wise, one in four victims belonged to the manufacturing sector, while nearly one in five were in professional services,” the researchers wrote in a Friday blog post. “In leaked chats of Black Basta, KELA identified at least 368 companies that had their ZoomInfo profiles referenced, and roughly 42 companies (11%) were later confirmed as breached.”
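The correlation KELA describes above, matching ZoomInfo profiles referenced in chat against a leak-site victim list and measuring the lag between first mention and publication, can be reproduced as a small analysis routine. The code below is an added example written for this article, not KELA's tooling or method; the chat lines, company names and leak-site dates are constructed, and the URL format and name-normalization rules are assumptions. The point it makes in practice is the same caveat the figures carry: a referenced profile is a reconnaissance signal, not proof of a breach, so the output keeps the unmatched references and the matched lead times separate.

```python
import re
from datetime import date
from statistics import mean

# Constructed sample chat lines (not from the leak): "<ISO date> <user>: <text>"
CHAT_LINES = [
    "2024-02-05 user_a: check this https://www.zoominfo.com/c/example-corp/123456 ~663 pcs",
    "2024-02-05 user_b: https://www.zoominfo.com/c/example-corp/123456 creds attached",
    "2024-01-10 user_c: https://www.zoominfo.com/c/northwind-traders-inc/222222",
    "2024-03-01 user_a: https://www.zoominfo.com/c/contoso-ltd/333333 looks small",
    "2024-02-20 user_d: no link here, just chatter",
]

# Constructed leak-site listing: (company name as posted, date posted)
LEAK_SITE = [
    ("Example Corp", date(2024, 4, 20)),
    ("Northwind Traders, Inc.", date(2024, 3, 20)),
    ("Unrelated Company", date(2024, 5, 1)),
]

# Assumed ZoomInfo profile URL shape: /c/<company-slug>/<numeric id>
ZOOMINFO_RE = re.compile(r"https?://(?:www\.)?zoominfo\.com/c/([a-z0-9-]+)/\d+", re.I)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+): (.*)$")
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "corp", "corporation", "co", "gmbh", "plc"}


def normalize(name):
    """Reduce a company name or ZoomInfo slug to a comparable key
    (lowercase, punctuation removed, legal-form suffixes dropped)."""
    words = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def first_mentions(lines):
    """Map normalized company key -> earliest date its ZoomInfo profile was shared."""
    first = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected log shape
        day = date.fromisoformat(m.group(1))
        for slug in ZOOMINFO_RE.findall(m.group(3)):
            key = normalize(slug.replace("-", " "))
            if key not in first or day < first[key]:
                first[key] = day
    return first


def correlate(lines, leak_site):
    """Join chat mentions against the leak-site list and compute
    the confirmed ratio and per-victim lead time in days."""
    mentions = first_mentions(lines)
    posted = {normalize(n): d for n, d in leak_site}
    # A match only says the profile was discussed before the listing appeared;
    # it does not establish that the reference led to the intrusion.
    lead_days = {k: (posted[k] - mentions[k]).days for k in mentions if k in posted}
    return {
        "referenced": len(mentions),
        "confirmed": len(lead_days),
        "ratio": len(lead_days) / len(mentions) if mentions else 0.0,
        "avg_lead_days": mean(lead_days.values()) if lead_days else None,
        "lead_days": lead_days,
        "unmatched": sorted(k for k in mentions if k not in posted),
    }


if __name__ == "__main__":
    result = correlate(CHAT_LINES, LEAK_SITE)
    print(f"{result['confirmed']}/{result['referenced']} referenced profiles "
          f"({result['ratio']:.0%}) later appeared on the leak site")
    for company, days in result["lead_days"].items():
        print(f"  {company}: {days} days from first mention to listing")
    print("referenced but not listed:", ", ".join(result["unmatched"]))
```

Name normalization is the weak point of any such join: ZoomInfo slugs and leak-site postings rarely spell a company the same way, so a real analysis would review the matches by hand rather than trust the suffix-stripping heuristic used here.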
The post added that on Feb. 5 this year, a first discussion of Australia-based company ZircoDATA appeared, with information about its Citrix environment and cloud infrastructure, as well as credentials. “It included a link to a ZoomInfo business profile of ZircoDATA, mentioning ~663 PCs, suggesting potential reconnaissance or enumeration activities.”
“Interestingly, only several days before, on January 24, 2024, access to ZircoDATA was offered for sale by the threat actor ‘crypmans’ on the Exploit forum,” the post added.
KELA had previously identified the victim based on a match between the actor's description and publicly available information about the company. The actor specified the access as RDP and claimed the same number of PCs, possibly meaning that this access was bought by Black Basta to start its attack. The access was offered for sale in auction form, with a starting bid of USD 1,500, and was sold the same day.
Furthermore, two hours after ZircoDATA was first discussed by Black Basta, additional ZircoDATA credentials were shared, apparently for different users of the same asset. “Only six hours later, another Black Basta member shared the same message with a remark ‘DONE,’ potentially meaning the gang has successfully gained initial access to the network. Over the following days, the attackers shared multiple ZircoDATA credentials to various services.”
On Feb. 8, the attackers discussed that they needed to prepare a blog post to threaten the victim, signaling that the data exfiltration and ransomware deployment had been completed. On Feb. 22, ZircoDATA was published as a victim on Black Basta’s blog, probably after failed negotiations.
On its blog, Black Basta boasted about stealing 395GB of ZircoDATA archives. In May 2024, it was revealed that the data included 4,000 documents from Monash Medical Center, including records related to family violence and sexual support clinics, and 60,000 documents related to students of Melbourne Polytechnic.