Researchers at Palo Alto Networks' Unit 42 reported that the Black Basta ransomware-as-a-service group has recently compromised more than 75 organizations. ("Arbeitsreise USA 2016" by Vodafone Enterprise Plenum e.V. is licensed under CC BY-NC 2.0.)

Researchers on Thursday reported that the ransomware-as-a-service (RaaS) group known as Black Basta has compromised more than 75 organizations over the past several months.

In a blog post, Unit 42 researchers said the RaaS group uses the double extortion technique, meaning that in addition to encrypting files on targeted systems and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threatened to post sensitive information if a company chooses not to pay the ransom.

The researchers said the ransomware was written in C++ and impacts both Windows and Linux systems. It encrypts user data using a combination of ChaCha20 and RSA-4096. To speed up the encryption, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted. The researchers explained that the faster the ransomware encrypts, the more it can potentially compromise systems before defenses are triggered — a leading factor cybercriminals look for when doing business with a RaaS group.

Rapid adoption of the cloud has forced financially motivated threat actors to change their tactics, said Davis McCarthy, principal security researcher at Valtix. McCarthy said because sensitive data gets stored in the cloud, RaaS operators exfiltrate all on-premise data or attempt to gain access to cloud accounts to improve their chances of a payday. “Password reuse and lack of visibility into cloud infrastructure makes these double extortion campaigns easy for groups like Black Basta,” McCarthy said.

Bud Broomhead, chief executive officer at Viakoo, said here’s another example of threat actors forming a business out of their malicious activities. Broomhead said in the case of Black Basta, we could view it as form of hybrid cloud implementation — the ransomware itself when installed forms a private cloud under the control of the threat actors at the victim’s site, which then gets connected to a public cloud for the “business” side of the ransomware process (public shaming, the cybercrime marketplace). 

“In other words it’s SaaS on the ransomware ‘business’ end and private cloud on the victim end,” Broomhead said. “In cases like this, the name ransomware is not sufficient to cover the scope — given the extensive privilege escalation, account creation, and data exfiltration it's well beyond ‘pay me for getting your data unlocked;’ the degree to which the business gets compromised is much more significant than just ransomware.”