Security researchers have observed a trend in tactics, techniques and procedures that may link the ransomware gang to Russian-backed threat actors.
Analysts at cyber threat intelligence firm RedSense have observed an evolution in the tactics of the BlackBasta ransomware gang that may suggest links between the criminal extortion operation and state-based Russian threat actors.
BlackBasta is one of many ransomware operations that sprang up following the dramatic dissolution of the Conti ransomware gang over internal opposition to the Russian invasion of Ukraine in 2022.
However, while many of the spin-off groups continued Conti’s use of advanced social engineering techniques, BlackBasta relied almost entirely on botnets to deliver attacks at scale rather than the more carefully targeted campaigns of other post-Conti groups.
Even when a US-led law enforcement coalition disrupted BlackBasta’s preferred botnet, QBot, in August 2023, the gang was able to quickly jump to the DarkGate botnet. Nonetheless, according to RedSense, this still put BlackBasta behind in its planned operations, which is when it began to change tactics.
In October 2023, DarkGate itself began to broaden its tactics. While it was still taking advantage of malicious PDF files to spread malware, its loader began to target Skype and Microsoft Teams.
“Targeting Microsoft Teams was precisely the tactic that BlackBasta would prioritise a year later in October 2024,” RedSense analysts said in a 21 November blog post.
“2023 TrendMicro research concluded that by shifting to trusted communication platforms, DarkGate exploited routine channels, amplifying its potential to bypass detection and embed within organisational systems. This was the same conclusion noted by ReliaQuest, who discovered BlackBasta’s newest round of MS Teams targeting in 2024.”
By the beginning of 2024, BlackBasta was starting to communicate with other post-Conti groups, employing a “third-party dissemination specialist” known to work in that sector of the cyber criminal community. Many groups at the time, such as Royal and INC Ransom, began to impersonate Cisco, Citrix, and Fortinet in order to gain initial access via social engineering.
In May, BlackBasta followed suit, creating an identity as a fictitious cyber security company and attempting to convince its victims that they had suffered a cyber security incident.
“Under this pretence, the operator would instruct victims to install remote access software like Zoho, AnyDesk, or Atera and would then proceed to distract the victim,” RedSense said.
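The pretext described above ends with the victim installing a remote access tool that the organisation never sanctioned. As an added example (not from the article or from RedSense), the script below scans process-creation log lines and flags remote-access executables that are not on an approved list, noting whether they were launched from a user-writable path. The log format, the executable names mapped to products, the approved list and the sample lines are all assumptions constructed for this illustration and should be replaced with an organisation's own software inventory and telemetry.

```python
"""Flag unapproved remote-access tool launches in process-creation logs (example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed indicator list: executable names associated with the remote access
# products named in the article. Constructed for this example; verify each
# name against your own software inventory before relying on it.
RMM_INDICATORS = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "zohoassist.exe": "Zoho Assist",  # assumed binary name
}

# Hypothetical: products the organisation's IT team actually uses.
APPROVED_RMM = {"Atera"}

# Assumed log format: one process-creation event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'event=process_create image="(?P<image>[^"]+)"'
    r'(?: parent="(?P<parent>[^"]+)")?$'
)

# Constructed sample telemetry (raw strings keep the Windows backslashes intact).
SAMPLE_LOGS = [
    r'2024-10-15T09:12:03Z host=WS-104 user=jdoe event=process_create '
    r'image="C:\Users\jdoe\Downloads\AnyDesk.exe" parent="C:\Windows\explorer.exe"',
    r'2024-10-15T09:13:40Z host=WS-104 user=SYSTEM event=process_create '
    r'image="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"',
    r'2024-10-15T09:14:11Z host=WS-207 user=asmith event=process_create '
    r'image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
    r'2024-10-15T09:20:55Z host=WS-207 user=asmith event=process_create '
    r'image="C:\Users\asmith\AppData\Local\Temp\ZohoAssist.exe"',
    "this line is not in the expected format",
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    product: str
    image: str
    from_user_path: bool


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unapproved_rmm(lines) -> list:
    """Flag launches of known remote-access binaries not in APPROVED_RMM."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as alerts
        product = RMM_INDICATORS.get(basename(ev["image"]))
        if product is None or product in APPROVED_RMM:
            continue
        findings.append(Finding(
            timestamp=ev["ts"],
            host=ev["host"],
            user=ev["user"],
            product=product,
            image=ev["image"],
            from_user_path=ev["image"].lower().startswith(USER_WRITABLE_PREFIXES),
        ))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_LOGS):
        where = "user-writable path" if f.from_user_path else "system path"
        print(f"{f.timestamp} {f.host} {f.user}: unapproved {f.product} ({where}) {f.image}")
```

The approved list turns a generic "remote access tool seen" signal into something an analyst can act on: a sanctioned agent running as SYSTEM from Program Files is routine, while a remote-access binary a user launched from Downloads or Temp during a support call they did not request matches the pattern the article describes and deserves a follow-up with that user.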
The gang still relied on botnets for actual malware delivery, but by October it had begun targeting Microsoft Teams, following a wider trend among Russian-speaking threat actors, particularly those with links to state-based advanced persistent threats.
The Russian APT Midnight Blizzard – also known as Cozy Bear, Nobelium, and APT29, and linked to the Russian Foreign Intelligence Service according to US and Dutch intelligence agencies – began a campaign focused on Microsoft Teams in May 2023 in much the same way BlackBasta would in 2024. This was at the same time that BlackBasta began targeting a UK defence contractor.
Methods for taking advantage of security gaps in Teams also began circulating on the Russian language RAMP hacking forum soon after. Several other threat actors then began targeting Teams. Eventually, in October 2023, the DarkGate botnet operation also jumped on the Teams bandwagon, and in 2024, so did BlackBasta.
“BlackBasta’s evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering,” RedSense said.
“By 2024, BlackBasta’s dissemination model increasingly mirrored the advanced social engineering tactics seen even across nation-state APTs.
“This evolution shows BlackBasta’s deliberate progression from opportunistic attacks to strategic, long-term planning.”
You can read RedSense’s full report here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.