DISH Hacked - Websites are BACK ONLINE!

Since no one else has posted this:
(This site is a service that is selling protection, but very informative)


Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.

Black Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers not only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom demands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim, where they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.

Although the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had compromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site in the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the ransomware business and has a steady source of initial access.

Unit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including MegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access, the Black Basta group was observed using it for both initial access and to spread laterally throughout the network.

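The quoted Unit 42 text describes an intermittent encryption layout: 64 bytes encrypted, then 128 bytes left untouched, repeating through the file. As an added example (not from the Unit 42 write-up and not posted by anyone in this thread), here is a toy model of that layout and a detector that looks for it. The cipher is a stand-in keystream built from SHA-256 in counter mode so the script runs with only the standard library; it is not ChaCha20 and is not how any real sample works. The entropy threshold, sample text, key and nonce are all constructed for the demonstration. The detector is more general than the 64/128 case: it infers the stride period and phase from the entropy profile, so it also reports a fully encrypted file (period 1) or an untouched one (no pattern).

```python
"""Toy model of intermittent (chunked) file encryption plus an entropy-based detector.
Added example; the 64-byte / 128-byte figures come from the quoted description,
everything else (cipher stand-in, sample text, threshold) is an assumption."""
import hashlib
import math
from collections import Counter

ENC_LEN = 64             # bytes encrypted per stride (from the quoted description)
SKIP_LEN = 128           # bytes left in the clear between encrypted regions
STRIDE = ENC_LEN + SKIP_LEN

# Constructed demo key/nonce and a low-entropy plaintext (28 distinct symbols, so a
# 64-byte window of it can never exceed log2(28) ~ 4.81 bits of Shannon entropy).
KEY = b"demo-key-not-secret-0000000000000"
NONCE = b"demo-nonce-00"
SAMPLE = b"the quick brown fox jumps over the lazy dog. "

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over key||nonce||counter. NOT ChaCha20; only here so
    the example runs offline with the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])

def intermittent_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR only the first ENC_LEN bytes of every STRIDE-byte window; the remaining
    SKIP_LEN bytes of each window are copied through unchanged. Because the keystream is
    indexed by absolute file offset, applying the function twice restores the plaintext."""
    ks = keystream(key, nonce, len(data))
    out = bytearray(data)
    for off in range(0, len(data), STRIDE):
        for i in range(off, min(off + ENC_LEN, len(data))):
            out[i] ^= ks[i]
    return bytes(out)

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of the given chunk (0.0 for an empty chunk)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def window_entropies(data: bytes, win: int = ENC_LEN) -> list:
    """Entropy of each full, non-overlapping win-byte window (trailing partial dropped)."""
    return [shannon_entropy(data[i:i + win]) for i in range(0, len(data) - win + 1, win)]

def infer_pattern(data: bytes, threshold: float = 5.2, max_period: int = 16):
    """Classify each 64-byte window as high entropy (> threshold bits) and look for the
    smallest period p and phase such that exactly the windows with index % p == phase
    are high. Returns (period, phase), or None if no high windows or no clean pattern.
    Threshold rationale (assumption): 64 random bytes give ~5.7 bits, text stays well
    below 5.0, so 5.2 separates the two for this demo's plaintext."""
    high = [e > threshold for e in window_entropies(data)]
    if not any(high):
        return None
    for period in range(1, max_period + 1):
        for phase in range(period):
            if all(h == (i % period == phase) for i, h in enumerate(high)):
                return period, phase
    return None

def encrypted_fraction(pattern) -> float:
    """Share of the file actually touched, given infer_pattern's result (0.0 if None)."""
    return 0.0 if pattern is None else 1.0 / pattern[0]

if __name__ == "__main__":
    plaintext = SAMPLE * 50
    ciphertext = intermittent_encrypt(plaintext, KEY, NONCE)
    print("plaintext pattern :", infer_pattern(plaintext))    # None
    print("ciphertext pattern:", infer_pattern(ciphertext))   # (3, 0): 1 of every 3 windows
    print("fraction encrypted:", encrypted_fraction(infer_pattern(ciphertext)))
    assert intermittent_encrypt(ciphertext, KEY, NONCE) == plaintext
```

The practical point for responders is the one the quoted text makes about speed: with this layout only a third of each file is ever touched, so byte-level and entropy-based checks that expect a wholly high-entropy file will miss it, while a stride-aware profile like the one above still flags it. Run the script against a real suspect file by replacing the constructed sample with the file's bytes.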
 
Any indications this could have been a Black Basta attack?
 
It takes just one person to download one file and click the wrong OK buttons. The bigger issue is that ransomware seems to be adapting to companies not paying.
 
Yes on both.
I have a friend who worked in IT security. This guy has to add you to his network at his house. You can't just connect with the password.

He was on Steve Jobs' early teams and is very cautious, and he fell for the PayPal scam the first time he got it in his email: he got phished and his bank account was cleaned out. The bank covered it, but he felt really embarrassed by it. I told him it happens, and it shows anyone can make a mistake.
 
Not exactly certain how that helps, as the computer that is infected would be on the network regardless. This would only stop people outside the place from getting on the network.
The good news is that Microsoft is making it a bit harder to make just one mistake. In order to make this happen, you need to:
  • take the email seriously
  • download an Excel file
  • enable the file
  • enable macros
I think PDFs can launch stuff on their own, though that might not provide as convenient a pathway into Windows as Excel allows through VBA. And you just need one person to do something like open an attachment that has so many red flags you'd think you were in China... but they are color blind.
 
I just read about a guy this morning who was downloading PDFs from a library site and infected his computer with something pretty nasty. He ended up reformatting his C: drive and losing everything he had saved, etc.

FWIW, this was off an onion site on the dark web, using Tor.
 
Read a bit more about Black Basta. It seems they mostly ignore personal users and target companies/corporations, and their ransom demands are usually in the millions. As for any protection from anti virus software, Norton doesn't seem to mention Black Basta at all, but Malwarebytes claims protection from it. Another problem is that this Black Basta seems to be constantly evolving.
 
Well, it isn't so much that as the criminals evolving with the landscape... as criminals do. When they put locks on car doors, that wasn't the end of car thefts. Computer systems are hidden out of sight; it is impossible to really know what is going on in a computer. This makes it a bit easier to mess around with them, unlike a car, where someone would notice they were inside the car with you.

So currently, the plan is "the cloud" and ridiculous levels of redundant backup. The cloud "saves" money by reducing equipment in an office. And the backup stuff reduces IT tasks, so they can manage other parts of the IT sphere... until people keep needing files brought back to life. Ransomware will find a way around this and adapt again. It is a perpetually moving target.
 
I read last night that the most current intel shows members are from other, now dark, cyber attack organizations, one in particular from Russia.
 
This is going to become a huge problem with the expansion of real AI. Ransomware and what it becomes down the road will be a mob industry.

Richard Clarke was warning of this 20+ years ago.