Latest news with #BlackBasta

ReliaQuest details Black Basta's legacy & rise of Teams phishing

Techday NZ, 12-06-2025

ReliaQuest has released an in-depth report on the state of Black Basta, a former ransomware-as-a-service (RaaS) group, following the leak of the group's internal chat logs and its subsequent dissolution in February 2025. The demise of Black Basta, a Russian-speaking criminal group that previously named up to 50 victims each month on its data-leak site, was triggered by a member known as ExploitWhispers. This individual leaked private chat logs on Telegram out of frustration with the group's decision to target Russian financial organisations, revealing the internal dynamics and operational methods of one of the most prolific RaaS groups to date.

Ongoing impact

Despite the cessation of activity under the Black Basta name, ReliaQuest's analysis shows that many of the group's phishing and intrusion tactics continue to be used. Former affiliates are operating with a consistent set of methods, relying heavily on large-scale email spam and Microsoft Teams phishing, and adapting to include techniques such as Python script execution to deliver payloads.

"Despite the group's dissolution, former members continue to use its tried-and-tested tactics, with mass email spam followed by Teams phishing remaining a persistent and effective attack method. 'New' ransomware groups like '3AM' are taking pages from Black Basta's playbook, particularly its signature phishing tactic," ReliaQuest notes in its assessment.

The organisation reported that Teams phishing attacks have maintained a steady pace since February 2025, with a marked increase in April, when these incidents accounted for more than 35% of Black Basta-style activity targeting ReliaQuest's own customers. Half of these observed attacks originated from onmicrosoft[.]com domains, exploiting the ease of account creation and rotation on Microsoft's platform. The report suggests this trend is expected to continue.

The use of onmicrosoft[.]com domains remains the primary method for launching phishing campaigns via Teams, but the report highlights that efforts to compromise microsoft[.]com accounts, which give campaigns more credibility, are also growing. While such attacks are harder to carry out, their sophistication and risk could increase in the coming months.

Evolving methodology

"Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads."

ReliaQuest documented a May 2025 case involving a manufacturing-sector client, where attackers used a Teams phishing campaign from an onmicrosoft[.]com-based account to gain remote access via Quick Assist and AnyDesk. Python scripts were then deployed to download and execute a markdown file, enabling command and control (C2) communications. The attack was detected and contained before it could escalate.

Shifts among ransomware groups

The closure of Black Basta's data-leak site, paired with the continuation of its trademark tactics, suggests that its former members may have joined other RaaS collectives or formed new ones. Leaked chat logs indicate a substantial payment, between USD $500,000 and USD $600,000, by Black Basta's leader to the Cactus RaaS group, suggesting a relationship between the two. There was also a notable increase in named victim organisations on Cactus's data-leak site that coincided with Black Basta's closure.

Another scenario under consideration is that affiliates have transitioned to "Blacklock", a RaaS group previously known as Eldorado, which has named more than 50 organisations on its site. Eldorado's Russian-speaking origins and rebranding have led to speculation about links to Black Basta's membership.

Internal organisation and adaptation

ReliaQuest's analysis of the leaked chat logs provides insight into Black Basta's operational structure, which included defined roles such as intrusion specialists, campaign managers, and ransomware developers. The group also collaborated with external malware developers and used purchased access to tools like QakBot and DarkGate for campaigns, maintaining communication chains for technical support and updates.

ReliaQuest highlights the group's flexibility in tactics, warning that an overemphasis on defending against a single vector, such as brute-force attacks, could leave organisations exposed to more sophisticated phishing methods. The report urges a comprehensive, multi-layered defence posture.

Mitigating the threat

ReliaQuest emphasises the importance of user education to counter the social engineering techniques favoured by ransomware affiliates. "To counter these threats, organisations should prioritise user education on phishing tactics. Informed and vigilant employees are often the first and most effective line of defence, stopping social engineering attacks before they succeed."

Recent case studies in sectors including finance, insurance, and construction indicated that previous staff training helped potential victims avoid compromise during coordinated phishing campaigns. Security teams received real-time alerts and took prompt action, benefiting from employee awareness programmes.

Additional recommendations for defence include restricting the use of personal Google accounts on company devices, implementing detection rules for unusual Python activity, monitoring for unauthorised remote-access tools, and deploying automated response playbooks for threat containment.
ReliaQuest's threat research team continues to monitor shifting TTPs (tactics, techniques, and procedures) among ransomware groups, rapidly integrating new indicators of compromise into its security platform and supporting customers with intelligence-driven threat hunting and response measures. The report concludes that the tactics established by Black Basta are likely to remain prominent among ransomware operators, underscoring the need for ongoing vigilance, robust technical controls, and investment in cyber awareness among staff.
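One way to turn the report's recommendations (detection rules for unusual Python activity, monitoring for unauthorised remote-access tools, and scrutiny of Teams messages arriving from onmicrosoft[.]com tenants) into a single correlation rule, as an added example that is not part of ReliaQuest's report or platform. The event field names, the Quick Assist and AnyDesk executable names, and the sample telemetry are assumptions constructed for the example; the rule chains the three stages described in the May 2025 case on a per-host basis.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for the example (not from ReliaQuest's report):
# one Teams message record and process-creation records from two hosts.
# Field names, the remote-access binary names and the timestamps are assumptions.
EVENTS = [
    {"ts": "2025-05-06T09:02:10", "host": "WS-MFG-17", "kind": "teams_message",
     "sender": "helpdesk@contoso-itsupport.onmicrosoft.com", "external": True},
    {"ts": "2025-05-06T09:14:42", "host": "WS-MFG-17", "kind": "process",
     "image": "C:\\Windows\\System32\\QuickAssist.exe", "parent": "explorer.exe"},
    {"ts": "2025-05-06T09:31:05", "host": "WS-MFG-17", "kind": "process",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\Python\\python.exe",
     "parent": "AnyDesk.exe"},
    {"ts": "2025-05-06T09:31:07", "host": "WS-MFG-17", "kind": "process",
     "image": "C:\\Windows\\System32\\curl.exe", "parent": "python.exe"},
    # Developer workstation: python driving curl with no Teams lure or remote-access tool.
    {"ts": "2025-05-06T10:00:00", "host": "WS-DEV-02", "kind": "process",
     "image": "C:\\Python312\\python.exe", "parent": "cmd.exe"},
    {"ts": "2025-05-06T10:00:01", "host": "WS-DEV-02", "kind": "process",
     "image": "C:\\Windows\\System32\\curl.exe", "parent": "python.exe"},
]

# Assumed executable names for the two remote-access tools named in the report.
REMOTE_ACCESS_IMAGES = {"quickassist.exe", "anydesk.exe"}


def stage_of(event):
    """Map one record to a stage of the chain described in the report, or None.

    1: external Teams message from an onmicrosoft.com tenant (the lure)
    2: remote-access tool launched (Quick Assist / AnyDesk)
    3: curl spawned by python (script fetching a payload)
    """
    if event["kind"] == "teams_message":
        domain = event["sender"].rsplit("@", 1)[-1].lower()
        if event.get("external") and domain.endswith(".onmicrosoft.com"):
            return 1
        return None
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in REMOTE_ACCESS_IMAGES:
        return 2
    if image == "curl.exe" and event["parent"].lower() == "python.exe":
        return 3
    return None


def severity(stages):
    """Chain length drives severity; a lone python->curl hit is only worth a look."""
    if len(stages) == 3:
        return "critical"
    if len(stages) == 2:
        return "high"
    return "medium" if stages == [1] else "low"


def correlate(events, window_minutes=60):
    """Per host, walk stages 1 -> 2 -> 3 in time order. A stage counts only if it
    occurs after, and within window_minutes of, the previous stage that was seen;
    a stage with no earlier hit is accepted at any time. Returns one finding per
    host that produced at least one hit, sorted by host name."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for e in events:
        s = stage_of(e)
        if s is not None:
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), s))
    findings = []
    for host in sorted(by_host):
        hits = sorted(by_host[host])
        chain, anchor = [], None
        for want in (1, 2, 3):
            ts = next((t for t, s in hits if s == want
                       and (anchor is None or anchor < t <= anchor + window)), None)
            if ts is not None:
                chain.append(want)
                anchor = ts
        findings.append({"host": host, "stages": chain, "severity": severity(chain)})
    return findings
```

Running `correlate(EVENTS)` flags the manufacturing host as critical (all three stages within the window) while the developer host is reported as low, which is the distinction a tuning exercise for "unusual Python activity" needs to make.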

$24M in crypto, 30 Bitcoins, and $700K seized as FBI takes down Russian hacker behind 700,000 computer ransomware army in Operation Endgame

Economic Times, 24-05-2025

Reuters

FBI and international allies seize $24M in crypto from Russian hacker Rustam Gallyamov, accused of turning 700,000 computers into a global ransomware army under the Qakbot malware operation.

For thousands of people around the world, the nightmare began the same way: a frozen screen, a blinking message, and a demand for money. Doctors, small business owners, factory workers, and even school staff found their computers suddenly hijacked.

The US Department of Justice has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, for leading a global cybercriminal enterprise responsible for the notorious Qakbot malware. Alongside the charges, the Justice Department announced it had seized over $24 million in cryptocurrency linked to Gallyamov's cybercrime empire. These funds are now targeted to be returned to the victims who suffered from these attacks. Victims ranged from small dental offices in Los Angeles to technology firms in Nebraska, manufacturing companies in Wisconsin, and even real estate businesses in Canada.

This indictment was unsealed on Thursday, May 22, 2025, and marks a crucial moment in America's ongoing battle against ransomware attacks that have plagued organizations worldwide. Matthew R. Galeotti, Head of the Justice Department's Criminal Division, emphasized the significance of this action: "Today's announcement of the Justice Department's latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community. We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity."

Gallyamov is accused of developing and deploying Qakbot since 2008, a sophisticated malware that infected over 700,000 computers globally. The malware facilitated ransomware attacks by granting access to co-conspirators who deployed various ransomware strains, including Conti, REvil, Black Basta, and DoppelPaymer. Despite a multinational operation targeting him in August 2023 that disrupted the Qakbot botnet, Gallyamov allegedly continued his cybercriminal activities.

'Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,' said Assistant Director in Charge Akil Davis of the FBI's Los Angeles Field Office.

Gallyamov and his associates shifted tactics, employing "spam bomb" attacks to deceive employees into granting network access, leading to further ransomware deployments as recently as January. As a result, the FBI under its 'Operation Endgame' seized more than 30 bitcoins and $700,000 in USDT tokens from Gallyamov under a seizure warrant executed on April 25, the Department of Justice confirmed in a statement. The Justice Department also filed a civil forfeiture complaint to seize over $24 million in cryptocurrency linked to Gallyamov's illicit activities. This was done not only to prosecute cybercriminals but also to recover assets to compensate victims.

The indictment is part of Operation Endgame, a coordinated international effort involving law enforcement agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada. This operation has dismantled key infrastructures of several malware strains, including Qakbot, DanaBot, Trickbot, and others, by taking down approximately 300 servers and neutralizing 650 domains worldwide.

Andy Frain notifies 100,000 after major ransomware breach

Techday NZ, 13-05-2025

Andy Frain Services has notified over 100,000 individuals that their personal information was compromised in a data breach that occurred in October 2024. The security firm, which provides services to clients such as the NFL, NBA, and NASCAR, confirmed that notifications were sent to 100,964 people affected by the breach. Details of the compromised information have not been provided.

In November 2024, the ransomware group Black Basta claimed responsibility for the incident, stating that it had stolen 750 GB of data from Andy Frain Services. The company has not commented on the veracity of Black Basta's claims or on whether the group was directly involved in the incident.

Commenting on the timing of the notifications, Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, raised concerns about the delay in informing those impacted. Grimes said, "I'm not sure why it took nearly 7 months for Andy Frain Services to notify the impacted people. That's 7 months hackers could have been using the learned information to abuse potential victims. If I do business with Andy Frain Services, I would like to know how the breach happened, if they know. Was it social engineering, unpatched software or firmware, or some other cause? Because if they don't know how it happened, it's much tougher to put in place the right mitigations to make sure it's less likely to happen again."

Black Basta, the group that claimed responsibility, is one of several ransomware gangs active internationally. Paul Bischoff, Consumer Privacy Advocate at Comparitech, provided context about the group's operations. In a recent blog post, Bischoff wrote, "Black Basta, not to be confused with Blackcat or BlackSuit, is a ransomware gang that first surfaced in early 2022. It operates a ransomware-as-a-service business wherein third-party clients pay Black Basta to use its ransomware and infrastructure to launch attacks and collect ransoms. Black Basta often extorts victims both for a key to restore infected systems and for not selling or publicly releasing stolen data. Black Basta has claimed 166 confirmed ransomware attacks since it began, compromising more than 11.7 million records. Its average ransom demand is about USD $2.9 million."

The frequency and impact of ransomware attacks remain significant, according to Bischoff. He noted, "In 2025 to date, Black Basta has claimed five victims, all of which it claimed in January. None of those attacks have been confirmed yet. In 2024, Comparitech researchers logged 793 confirmed ransomware attacks on US organizations, compromising more than 268 million records. 64 of those attacks hit service-based businesses like Andy Frain and compromised 1.6 million records."

Bischoff also provided figures regarding the financial aspect of these attacks. He stated, "The average ransom across all industries is just north of USD $2.3 million, and USD $787,000 for service-based businesses. In 2025 so far, we've recorded 112 confirmed ransomware attacks in total, five of which hit service-based businesses. Ransomware gangs made another 1,365 attack claims this year that haven't been acknowledged by the targeted organizations."

Andy Frain Services has not provided details about how the breach occurred or commented on whether steps have been taken to address the vulnerabilities that led to the incident. The company continues to work with those affected, but specific guidance or advice to individuals whose information was compromised has not been released.

Coalition 2025 Cyber Claims Report Finds Ransomware Stabilized but Remains Costly for Businesses

Business Wire, 07-05-2025

SAN FRANCISCO--(BUSINESS WIRE)-- Coalition, the world's first Active Insurance provider designed to prevent digital risk before it strikes, today published its 2025 Cyber Claims Report, which details emerging cyber trends and their impact on Coalition policyholders throughout the full year of 2024. The report found that ransomware claims stabilized in 2024 despite remaining the most costly and disruptive type of cyberattack. The majority of 2024 claims (60%) originated from business email compromise (BEC) and funds transfer fraud (FTF) incidents, with 29% of BEC events resulting in FTF.

'Over the past year, our claims data clearly demonstrates one thing: Active Insurance works,' said Robert Jones, Head of Global Claims at Coalition. 'Combining Coalition's Active Data Graph, which provides a massive amount of data insights, with security tools and incident response, helps Coalition prevent claims from happening in the first place. And, when matters were reported to Coalition, 56% were handled without any out-of-pocket payments by the policyholder. We believe that this proactive engagement is a critical aspect of reducing global cyber risk.'

Ransom demands from threat actors decreased in 2024, dropping 22% year-over-year (YoY) to an average of $1.1 million. Notably, the average demand in the latter half of 2024 fell below $1 million for the first time in more than two years. Of all ransomware claims, Akira ransomware was the most prolific variant for Coalition policyholders, accounting for 13% of claims in 2024. The Black Basta variant accounted for just 3% of all ransomware claims, but was the highest in terms of demand, with an average of $4 million.

'While overall claims have stabilized, cyber attackers, and ransomware actors in particular, still pose a tremendous threat to businesses, with the average demand still in the millions of dollars. Unfortunately, ransomware is already back with a vengeance in 2025, as March held the highest volume of public ransomware cases of all time,' continued Jones. 'Coalition continues to be an active partner in the fight against bad actors. We alert our policyholders to vulnerabilities in their networks, risky security practices, and the best ways to mitigate threats to reduce the impacts of cyber attacks.'

In 2024, Coalition's cooperative efforts with authorities and panel partners contributed to the successful clawback of $31 million for policyholders, with an average recovery of $278,000. Coalition has firsthand knowledge that policyholders that quickly report FTF events have a greater likelihood of recovery. Last month, Coalition introduced a new financial incentive in its Active Cyber Policy.[1] Clients can receive lower retentions when they report FTF incidents within 72 hours of the initial fraudulent transfer, encouraging prompt action to improve the odds of recovery.

Other key findings from the report include:

  • As claims frequency decreased by 7% YoY, claims severity remained stable.
  • Ransomware claims frequency decreased by 3% and severity decreased by 7% YoY.
  • BEC claims severity increased by 23%.
  • FTF claims frequency decreased by 2% and severity decreased by 46% YoY. The sharp decline in severity follows the all-time high in 2023.
  • When deemed reasonable and necessary, 44% of policyholders that experienced a ransomware incident opted to pay the ransom. Coalition Incident Response (CIR) was able to negotiate ransom payments down by an average of 60%.[2]
  • Coalition policyholders experienced 73% fewer claims than the industry average.[3]

This report presents statistics, charts, and risk insights derived from data collected from Coalition policyholders in the United States, Canada, the United Kingdom, and Australia. Download the full 2025 Cyber Claims Report from Coalition to learn more.

[1] Applies to all non-admitted surplus lines new business and renewal quotes in the United States on or after April 15, 2025. Exclusions and limitations apply. See disclaimers and policy as issued.
[2] Ransomware negotiation data based on cases handled by Coalition Incident Response, Inc., a wholly-owned affiliate firm of Coalition, Inc., made available to all policyholders as an option via incident response firm panel selection.
[3] Industry average based on data reported by US insurers to the National Association of Insurance Commissioners (NAIC). Comparison performed using 2023 claims frequency data from Coalition and NAIC. Claims frequency is calculated using the number of standalone cyber claims reported by the NAIC, divided by the average of standalone cyber policies in force at the current and prior year-ends.

About Coalition

Coalition is the world's first Active Insurance provider designed to help prevent digital risk before it strikes. By combining comprehensive insurance coverage with cybersecurity tools, Coalition helps businesses manage and mitigate potential cyberattacks. Leveraging its relationships with leading global insurers and capacity providers, including Coalition Insurance Company, Coalition offers Active Insurance products to businesses in the United States, the United Kingdom, Canada, Australia, Germany, Denmark, and soon in Sweden. Policyholders can receive automated cyber alerts and access expert advice, as well as global third-party risk management tools through Coalition's cyber risk management platform, Coalition Control®.

Insurance products are offered by Coalition Insurance Solutions Inc. ('CIS'), a licensed insurance producer and surplus lines broker with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies and available on an admitted basis through Coalition Insurance Company ('CIC'), a licensed insurance underwriter (NAIC # 29530). Insurance products offered through CIS and CIC may not be available in all states. Complete license and carrier information is available here. CIS may receive compensation from an insurer or other intermediary in connection with the sale of insurance. All decisions regarding any insurance products referenced herein, including approval for coverage, premium, commission, and fees, will be made solely by the insurer underwriting the insurance under the insurer's then-current criteria. All insurance products are governed by the terms, conditions, limitations, and exclusions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms, conditions, and exclusions.

Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc. or its affiliates.

Proofpoint launches unified cybersecurity solution to cut costs

Techday NZ, 23-04-2025

Proofpoint has announced the global launch of Proofpoint Prime Threat Protection, a unified cybersecurity solution aimed at reducing operational costs and cyber risk for organisations across an expanding digital workspace. The company stated that Proofpoint Prime Threat Protection is the first solution to merge multiple critical threat defence capabilities, including multistage attack protection across various digital channels, impersonation protection, and risk-based employee education, into a single integrated offering.

According to Proofpoint, as organisations increasingly contend with a proliferation of disconnected security tools, the new solution offers a unified approach by integrating threat defence and human risk management. This approach centralises workflows across the full attack chain, offering real-time threat detection, response, and behavioural guidance for communication and collaboration tools, file sharing, email, browsers, and social media.

The expanding use of digital channels in modern workspaces has exposed organisations to evolving threats, with Proofpoint citing research indicating that 90 percent of security breaches involve human factors. Attacks are increasingly multichannel and multistage, utilising methods such as social engineering, impersonation, malicious links, and compromised accounts to evade traditional security measures. One cited example involved the ransomware group Black Basta, which executed subscription bombing via email and followed up through Microsoft Teams messages, impersonating IT support to infiltrate organisations.

Proofpoint highlighted that enterprises are currently deploying an average of 45 different cybersecurity tools, creating complexity and increasing the burden on security teams. Many rely on standalone security awareness platforms unconnected to actual threat activity, which, according to the company, leads to minimal behavioural change and inefficient operations. The resulting operational overhead, delays in incident response, and missed risk mitigation tasks reportedly cost organisations millions. The company noted that Proofpoint Prime offers an alternative by integrating threat analysis and human behaviour insights within a single workflow. Proofpoint stated that clients who consolidated their security with a unified, human-centric approach saved an average of USD $2.7 million in reduced risk exposure and avoided USD $390,000 in operational costs.

"The most damaging attacks continue to target people, and security teams are overwhelmed by siloed software, scattered threat signals, and rising costs," said Darren Lee, Executive Vice President and General Manager, Threat Protection Group at Proofpoint. "Today's collaboration landscape demands an adaptive approach. With Proofpoint Prime, organizations no longer need to stitch together dozens of disconnected detection and response tools and employee education. It integrates protection across multiple channels and attack stages, providing organizations a level of protection and peace of mind that is unmatched in the industry."

Proofpoint Prime Threat Protection consolidates four primary features: multichannel defence using Nexus AI, multistage attack detection and response, human risk-based guidance, and comprehensive impersonation protection. Nexus AI, according to the company, applies consistent threat detection across all channels to address gaps in digital security coverage. The solution aims to give security operations teams enhanced visibility and faster response times by integrating detection and remediation of account takeovers, lateral movement, and supply chain attacks into a single workflow. Real-time, behaviour-based guidance is provided to employees, while adaptive insights are made available to security teams for dynamic policy enforcement and coaching of at-risk personnel.

Impersonation protection combines email authentication, brand safeguarding, and takedown services to defend against both domain spoofing and lookalike threats. Proofpoint Prime is described as being designed to address current cyber threats while preparing organisations for future automation driven by artificial intelligence. The solution's architecture is described as "ready to support agentic AI
