Ransomware gangs like to operate in the shadows. They enjoy taking credit for their work like the rest of us, but cybercriminals prefer their victims to be the focus of attention. Normally, they get their wish.
But a recent leak from the Black Basta cybercrime group has briefly turned the tables. This time, it’s the hackers who’ve been careless with their data. Potential theories include a scorned ex-member, an ethical hacker, or even law enforcement. Our heart bleeds for them.
Whatever the cause, the leak provides a unique insight into the inner workings of a modern ransomware operation – from how they select victims to maximising their profits. By analysing their tactics, businesses can gain a better understanding of how to protect themselves against attacks.
How does a ransomware gang operate?
The leaked chat logs paint a picture of a highly organised, profit-driven cybercriminal enterprise. Like a well-run business, Black Basta follows a structured process to execute attacks and extract payments.
1. Target selection: Going after high-value victims
Like many ransomware gangs, Black Basta prioritises organisations that handle sensitive data and cannot afford prolonged downtime. Targets often include healthcare providers, financial institutions, and large corporations. It performs reconnaissance to assess a company’s security posture, identifying weak spots that can be exploited.
2. Initial access: Exploiting vulnerabilities
Gaining access to a victim’s network is the first critical step. Black Basta uses a mix of social engineering (such as phishing emails) and technical exploits (such as unpatched software vulnerabilities) to get in. In some cases, it simply buys a foothold from initial access brokers, criminals who specialise in breaching networks and selling the access on.
3. Lateral movement and data exfiltration
Having got past the target’s perimeter defences, Black Basta moves laterally through the network, escalating privileges and hunting for high-value data. Before deploying the ransomware itself, it exfiltrates sensitive files to use as leverage in negotiations. This tactic, known as double extortion, means that even if a company restores from backups, the criminals can still threaten to leak the stolen data.
4. Ransom negotiations: Psychological pressure and deadlines
During negotiations, Black Basta demands payment in cryptocurrency and sets strict deadlines, often accompanied by threats to release stolen data publicly. It adjusts demands based on a company’s revenue and financial health.
5. Monetisation and evasion
Once a ransom is paid, Black Basta launders the cryptocurrency through various channels to obscure its origin. It also continually refines its tactics to evade law enforcement, such as switching infrastructure and updating malware strains to bypass security measures.
How Redstor prevents ransomware gangs from succeeding
Understanding the inner workings of Black Basta’s operation reinforces why businesses need a multi-layered defence strategy. Redstor’s cloud-first data backup and recovery solutions are designed to stop ransomware gangs in their tracks, ensuring that businesses remain resilient against these evolving threats.
Protecting against initial access: Zero trust and security best practices
Ransomware operators rely on phishing and software vulnerabilities to gain initial access to victims’ networks. Redstor emphasises proactive security measures to prevent infiltration, including:
- Zero Trust architecture: Verify every user and device on every access request, rather than trusting anything simply because it sits inside the network.
- Automated security patching: Close the vulnerabilities attackers exploit by keeping systems up to date.
- Phishing protection: Train employees to recognise suspicious emails, and use AI-driven threat detection to catch the ones they miss.
Preventing data exfiltration: Advanced threat detection
Redstor’s AI-driven threat detection continuously scans for anomalies, such as unusual volumes of data leaving the network or access to data outside a user’s normal pattern, identifying potential breaches before criminals can steal sensitive data. By monitoring data movement and access patterns, businesses can detect unauthorised activity early and stop exfiltration attempts while they are still in progress.
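The kind of check described above, as an added example that is not Redstor’s code or any part of its product: each host gets a baseline of its own daily outbound volume and the destinations it normally talks to, and the current window is flagged when a host sends far more than usual, sends to a destination it has never used, or has no history at all. The log lines and the line format (`src=… dst=… bytes_out=…`) are constructed for the example; the thresholds are assumptions a real deployment would tune.

```python
"""Flag hosts whose outbound traffic deviates from their own baseline.

Added illustration of exfiltration detection; the log format, hosts, IPs
and thresholds below are constructed for this example.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample lines (not from any real system).
# Assumed format: <ISO timestamp> src=<host> dst=<ip> bytes_out=<n>
HISTORICAL = """
2025-03-01T09:12:00Z src=ws-finance-07 dst=203.0.113.10 bytes_out=52000000
2025-03-02T10:03:00Z src=ws-finance-07 dst=203.0.113.10 bytes_out=61000000
2025-03-03T08:47:00Z src=ws-finance-07 dst=198.51.100.20 bytes_out=48000000
2025-03-04T11:20:00Z src=ws-finance-07 dst=203.0.113.10 bytes_out=57000000
2025-03-05T09:55:00Z src=ws-finance-07 dst=198.51.100.20 bytes_out=55000000
2025-03-01T09:30:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=12000000
2025-03-02T09:31:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=15000000
2025-03-03T09:29:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=11000000
2025-03-04T09:33:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=14000000
2025-03-05T09:30:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=13000000
"""

# The window under review: a 9.4 GB transfer at 02:14 to a never-seen host.
CURRENT_WINDOW = """
2025-03-06T02:14:00Z src=ws-finance-07 dst=192.0.2.77 bytes_out=9400000000
2025-03-06T09:10:00Z src=ws-hr-02 dst=203.0.113.10 bytes_out=14500000
2025-03-06T10:02:00Z src=srv-build-01 dst=203.0.113.10 bytes_out=3000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse(text):
    """Return (day, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"][:10], m["src"], m["dst"], int(m["bytes"])))
    return events


def daily_totals(events):
    """host -> day -> total outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, b in events:
        totals[src][day] += b
    return totals


def baseline(events):
    """Per host: (mean daily bytes, population stdev, set of known destinations)."""
    dests = defaultdict(set)
    for _day, src, dst, _b in events:
        dests[src].add(dst)
    base = {}
    for host, days in daily_totals(events).items():
        vals = list(days.values())
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        base[host] = (statistics.mean(vals), sd, dests[host])
    return base


def detect(history_text, window_text, z=3.0, multiplier=5.0,
           new_dest_min_bytes=100_000_000):
    """Alert on volume spikes, unseen destinations, and hosts with no history.

    A host is flagged for volume when its daily total exceeds both mean + z*sd
    and multiplier*mean; the second term stops a very flat baseline from
    alerting on trivial fluctuations.
    """
    base = baseline(parse(history_text))
    window = parse(window_text)
    alerts = []
    for host, days in daily_totals(window).items():
        for day, observed in days.items():
            if host not in base:
                alerts.append({"host": host, "day": day, "reason": "no_baseline",
                               "observed": observed, "threshold": None})
                continue
            mean, sd, _known = base[host]
            threshold = max(mean + z * sd, multiplier * mean)
            if observed > threshold:
                alerts.append({"host": host, "day": day, "reason": "volume",
                               "observed": observed, "threshold": threshold})
    for day, src, dst, b in window:
        if src in base and dst not in base[src][2] and b >= new_dest_min_bytes:
            alerts.append({"host": src, "day": day, "reason": "new_destination",
                           "observed": b, "threshold": new_dest_min_bytes,
                           "dst": dst})
    return alerts


if __name__ == "__main__":
    for a in detect(HISTORICAL, CURRENT_WINDOW):
        print(a)
```

Run against the sample, it flags `ws-finance-07` twice (volume far above its baseline and an unseen destination) and `srv-build-01` for having no history, while `ws-hr-02` stays quiet. In production the baseline would come from weeks of flow or proxy logs rather than five lines, and the alert would be enriched with the user and process behind the connection before anyone acts on it.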
Immutable backups: Ensuring rapid recovery without paying ransoms
Black Basta’s double extortion has two halves: encrypted systems and stolen data. Backups neutralise the first, which is why preventing exfiltration (above) matters for the second. To recover without relying on ransom payments, organisations need backups the attacker cannot reach. Redstor provides:
- Immutable backups: Data cannot be altered or deleted by ransomware, ensuring safe recovery.
- Air-gapped cloud storage: Isolate backups from production environments to prevent compromise.
- Instant recovery: Redstor’s InstantData™ technology allows businesses to restore operations immediately, minimising downtime and financial loss.
Business continuity: Minimise disruption from attacks
Ransomware thrives on operational chaos. Redstor’s business continuity solutions ensure that even in the face of an attack, companies can keep running:
- Automated disaster recovery: Quickly restore clean versions of systems.
- Granular restore options: Recover only affected files to avoid unnecessary downtime.
- Continuous monitoring: Identify and address threats before they escalate.
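Two of the points above, that an immutable backup cannot be altered or deleted, and that disaster recovery should restore a clean version rather than the most recent one, come down to checks an operator can run before restoring. The following is an added example, not Redstor’s code or any part of its product: each snapshot is pinned by a manifest of SHA-256 hashes taken when the backup was made, a snapshot that no longer matches its manifest is treated as tampered, and a snapshot that verifies but contains high-entropy, ciphertext-looking files is skipped because the ransomware had already encrypted those files when the backup ran. Snapshots are modelled as in-memory dicts so it runs offline; the file names, contents and the 7.5 bits-per-byte entropy threshold are constructed for the example.

```python
"""Verify backup snapshots against their manifests and pick the last clean one.

Added illustration; file names, contents, snapshot dates and the entropy
threshold are constructed for this example, not taken from any product.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

Files = Dict[str, bytes]
Manifest = Dict[str, str]
Snapshot = Tuple[str, Files, Manifest]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Files) -> Manifest:
    """Hash every file at snapshot time; an immutable store keeps this fixed."""
    return {path: sha256(data) for path, data in files.items()}


def verify_snapshot(files: Files, manifest: Manifest) -> dict:
    """Any file modified, deleted or added since the manifest means tampering."""
    modified = sorted(p for p in manifest if p in files and sha256(files[p]) != manifest[p])
    missing = sorted(p for p in manifest if p not in files)
    added = sorted(p for p in files if p not in manifest)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Very small files give unreliable entropy estimates, so they are ignored.
    return len(data) >= 64 and shannon_entropy(data) > threshold


def last_clean_snapshot(snapshots: List[Snapshot]) -> Optional[str]:
    """Newest snapshot (list is oldest first) that verifies and holds no ciphertext."""
    for name, files, manifest in reversed(snapshots):
        if not verify_snapshot(files, manifest)["ok"]:
            continue  # tampered: do not restore from it
        if any(looks_encrypted(d) for d in files.values()):
            continue  # captured after encryption began: not a clean version
        return name
    return None


# Constructed high-entropy blob standing in for a ransomware-encrypted file
# (hash chaining gives deterministic, ciphertext-like bytes without os.urandom).
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

PLAINTEXT_CSV = (b"invoice_id,customer,amount\n" +
                 b"".join(b"%d,ACME-%d,%d.00\n" % (i, i % 7, 100 + i) for i in range(40)))
PLAINTEXT_DOC = b"Master services agreement between the parties. " * 20
PLAINTEXT_TXT = b"Quarterly figures and board notes, see attached spreadsheet. " * 5


def build_sample_snapshots() -> List[Snapshot]:
    """Three constructed snapshots: clean, encrypted-before-backup, tampered-after-backup."""
    clean = {"invoices.csv": PLAINTEXT_CSV, "contracts.docx": PLAINTEXT_DOC,
             "readme.txt": PLAINTEXT_TXT}
    # Day 2: ransomware had already encrypted contracts.docx when the backup ran,
    # so the manifest faithfully pins ciphertext and verification passes.
    encrypted = dict(clean, **{"contracts.docx": HIGH_ENTROPY_BLOB})
    # Day 3: manifest taken of clean data, then invoices.csv deleted from the copy,
    # which is what immutability is meant to prevent and what verification catches.
    tampered_manifest = build_manifest(clean)
    tampered_files = {k: v for k, v in clean.items() if k != "invoices.csv"}
    return [
        ("2025-03-04", clean, build_manifest(clean)),
        ("2025-03-05", encrypted, build_manifest(encrypted)),
        ("2025-03-06", tampered_files, tampered_manifest),
    ]


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    for name, files, manifest in snaps:
        print(name, verify_snapshot(files, manifest))
    print("restore from:", last_clean_snapshot(snaps))
```

On the sample the newest snapshot fails verification, the middle one verifies but contains ciphertext, and the oldest is chosen. The entropy test is a heuristic: compressed archives and media also score high, so in practice it is combined with file type checks and the timestamps of the first suspicious activity from the detection side.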
Stay ahead of the next attack
The Black Basta leak highlights the calculated, business-like nature of ransomware operations. These gangs do not attack at random: they are highly organised, with clear strategies designed to maximise their profits.
Redstor’s cloud-first approach to data protection helps businesses safeguard their systems, prevent data theft, and ensure rapid recovery – all without giving in to ransom demands.
Don’t wait for an attack to find your vulnerabilities. Get in touch today to learn how Redstor can protect your business.