Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as “Carbanak.” When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022. Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks. FIN7 is a Russian-speaking, financially motivated hacking group that has been active since at least 2015, deploying POS malware and launching targeted spear-phishing attacks against hundreds of firms.
In 2020, the group started exploring the ransomware space, and by October 2021, it was revealed that it had set up its own network intrusion operation. Starting from June 2022 and onwards, Black Basta was observed deploying a custom EDR evasion tool used exclusively by its members. By digging deeper into this tool, Sentinel Labs found an executable, “WindefCheck.exe,” that displays a fake Windows Security GUI and tray icon that gives users the illusion that Windows Defender is working normally. In the background, however, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing will jeopardize the data exfiltration and encryption process. The analysts retrieved more samples linked to that tool and found one packed with an unknown packer, which was identified as ‘SocksBot,’ a backdoor that FIN 7 has been developing since at least 2018. Furthermore, this backdoor connects to a C2 IP address belonging to “pq.hosting,” a bulletproof hosting provider FIN7 trusts and uses regularly. Additional evidence of a connection between FIN7 and Black Basta concerns FIN7’s early 2022 experimentation with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks. While these technical similarities point to Fin7 members being part of the Black Basta operation, it is still unclear whether they are just devs for the group, operators, or affiliates using their own tools during attacks.
To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released. Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.