Black Basta in Action
A brand new ransomware gang known as Black Basta has swiftly sprung into action in April, threatening at least 12 companies in just a few weeks. The first known attack from the gang took place in the second week of April, as the operation rapidly began attacking and breaching companies around the world. Ransom demands vary between victims; it was reported that one victim was asked for over $2 million by the Black Basta gang to decrypt files and stop the leaking of data. Little information has been found about this gang, as they have not begun publicly marketing their operation or recruiting affiliates on hacking forums.
However, given their ability to rapidly amass new victims and their negotiation methods, it is suspected that this is likely not a new operation but rather a rebrand of a past ransomware gang that brought its affiliates along. Like any other ransomware gang, they target enterprises to steal corporate data and documents before encrypting an organization's devices. The data extortion part of the attack is run from a Tor site known as 'Black Basta Blog' or 'Basta News', which also lists victims that have suffered an attack and have not paid a ransom. The gang leaks data step by step to pressure victims into paying the ransom.
Their most recent listed victim is Deutsche Windtechnik, which suffered a cyberattack on April 11th but had not disclosed that it was a ransomware attack. On April 26th, the data leak site also began leaking data belonging to the American Dental Association, which suffered an attack on April 22nd, but that page has since been removed. The removal of the page indicates that the company is negotiating with the threat actors. Furthermore, the Tor site used for negotiation is called 'Chat Black Basta' and contains only a login screen and a web chat that can be used to communicate with the gang. The screen displays a welcome message that contains the ransom demand, a threat that data will be leaked if payment is not made within 7 days, and the promise of a security report once the ransom is paid.