Full Report
New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks. [...]
Analysis Summary
# Incident Report: Overlap Between Black Basta and Cactus Ransomware Operations
## Executive Summary
This analysis identifies a significant operational overlap between the Black Basta and Cactus ransomware operations, evidenced by the shared use of the BackConnect remote access tool and highly similar social engineering tactics. Attackers impersonated IT support via Microsoft Teams to trick victims into granting remote access using Windows Quick Assist, leading to suspected compromise by both ransomware strains. The findings suggest a potential rebranding of Black Basta members into the Cactus operation or a close collaboration between the affiliated threat actors.
## Incident Details
- **Discovery Date:** Specific date not stated; based on recent Trend Micro reporting regarding shared infrastructure.
- **Incident Date:** Attacks occurred over a period leading up to the analysis (Black Basta fading since Dec 2024, Cactus active since early 2023).
- **Affected Organization:** Multiple organizations targeted by both Black Basta and Cactus ransomware operators.
- **Sector:** Not specifically disclosed, implied to be general organizations susceptible to ransomware.
- **Geography:** Not specified.
## Timeline of Events
### Initial Access
- **Date/Time:** During active operation periods for both groups circa 2023/2024.
- **Vector:** Social engineering via overwhelming email bombardment followed by targeted communication on Microsoft Teams.
- **Details:** Threat actors posed as an IT help desk employee on Microsoft Teams to solicit trust.
### Lateral Movement
- **Details:** Inferred rather than observed: access gained via Quick Assist enables subsequent network navigation, but specific lateral movement techniques are not detailed; the use of TotalExec (a PowerShell script) in past Black Basta attacks suggests a likely path.
### Data Exfiltration/Impact
- **Impact:** Deployment of ransomware (Black Basta/Cactus) resulting in system encryption and presumed data exfiltration, leading to financial and operational disruption.
### Detection & Response
- **How it was discovered:** Trend Micro research identified shared use of BackConnect and common C2 infrastructure.
- **Response actions taken:** Trend Micro published a report detailing the observed overlaps, prompting industry awareness.
## Attack Methodology
- **Initial Access:** Social engineering via Microsoft Teams impersonation, leading victims to deploy Windows Quick Assist for remote access.
- **Persistence:** Not explicitly detailed, but the use of BackConnect implies a persistent foothold mechanism.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Inferred by the use of legitimate remote tools (Quick Assist) and the use of TotalExec (PowerShell script often seen in Black Basta attacks).
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Shared use of C2 infrastructure associated with Black Basta/Qbot operations.
- **Collection:** Not explicitly detailed.
- **Exfiltration:** Implied, standard for modern ransomware operations.
- **Impact:** Ransomware encryption (Black Basta and Cactus variants).
## Impact Assessment
- **Financial:** Potential significant costs associated with remediation, downtime, and ransom payments for targeted entities.
- **Data Breach:** Highly likely, as both are ransomware groups known for double extortion tactics.
- **Operational:** Business disruption due to encryption events.
- **Reputational:** Damage to organizations that fall victim to highly publicized ransomware attacks.
## Indicators of Compromise
- **Network indicators:** Use of **BackConnect** remote access tool; connection to C2 infrastructure previously associated with Black Basta/Qbot operations.
- **File indicators:** Use of PowerShell script **TotalExec** (historically associated with Black Basta).
- **Behavioral indicators:** Social engineering campaign involving mass emails followed by direct contact on **Microsoft Teams**, impersonating IT Support, to initiate **Windows Quick Assist** sessions.
## Response Actions
- **Containment measures:** Not explicitly detailed for the shared methodology; a standard response would involve isolating systems where Quick Assist was initiated and revoking credentials.
- **Eradication steps:** Identifying and removing the BackConnect implants and associated C2 communication paths.
- **Recovery actions:** Restoring encrypted systems from clean backups, potentially involving password resets across the affected environment.
## Lessons Learned
- **Key takeaways:** Threat actors are highly adaptive, with proven ransomware gangs (like Black Basta) fading only to re-emerge or merge operations (like Cactus), sharing sophisticated techniques and infrastructure (BackConnect).
- **What could have been done better:** Improved organizational awareness and training regarding social engineering attempts originating from known collaboration platforms like Microsoft Teams, especially when impersonating internal IT staff.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement strict controls and monitoring around the execution of Windows Quick Assist or similar remote desktop tools, especially when initiated via non-standard channels like Teams chat.
2. Enhance phishing and social engineering training, specifically warning users against communications on collaboration platforms demanding immediate assistance or file execution.
3. Monitor for connections to C2 infrastructure historically associated with known ransomware families like Black Basta and Qbot.
4. Review access controls and MFA policies for all accounts frequently contacted via Microsoft Teams.
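One way to implement the monitoring in recommendation 1, as an added example that is not part of the original report: a small detector over Sysmon-style process-create and network-connect events that flags Quick Assist launches by non-allowlisted users and any shell execution or external egress on the same host shortly afterwards. The sample events, the helpdesk allowlist and the internal address ranges are constructed for illustration.

```python
"""Detection logic for the Quick Assist abuse pattern described above.
Added example, not from the report; events, allowlist and internal ranges are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from ntpath import basename

WINDOW = timedelta(minutes=30)                      # how long a Quick Assist launch stays "live"
HELPDESK_ALLOWLIST = {"CORP\\helpdesk01"}           # constructed: accounts allowed to run Quick Assist
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]   # constructed internal ranges
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed Sysmon-like events: id 1 = process create, id 3 = network connect.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2025-03-01T09:58:10", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},
    {"id": 1, "ts": "2025-03-01T10:03:40", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 3, "ts": "2025-03-01T10:04:05", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst": "203.0.113.45"},
    {"id": 1, "ts": "2025-03-01T11:30:00", "host": "WS02", "user": "CORP\\helpdesk01",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},   # sanctioned use
    {"id": 1, "ts": "2025-03-01T12:00:00", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmd.exe"},                                  # outside the window
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect(events):
    """Return alerts for non-allowlisted Quick Assist launches and for shell
    execution or external egress on the same host within WINDOW afterwards."""
    alerts, sessions = [], {}   # sessions: host -> (launch time, user)
    for e in sorted(events, key=_ts):
        name, host, t = basename(e["image"]).lower(), e["host"], _ts(e)
        if e["id"] == 1 and name == "quickassist.exe":
            if e["user"] in HELPDESK_ALLOWLIST:
                continue        # sanctioned helpdesk use: no alert, no follow-up window
            sessions[host] = (t, e["user"])
            alerts.append({"rule": "quick_assist_launch", "host": host, "user": e["user"], "ts": e["ts"]})
            continue
        session = sessions.get(host)
        if session is None or t - session[0] > WINDOW:
            continue            # no recent Quick Assist launch on this host
        if e["id"] == 1 and name in SHELLS:
            alerts.append({"rule": "post_quick_assist_exec", "host": host, "user": e["user"], "ts": e["ts"]})
        elif e["id"] == 3 and not any(ip_address(e["dst"]) in net for net in CORP_NETS):
            alerts.append({"rule": "post_quick_assist_egress", "host": host, "user": e["user"], "ts": e["ts"]})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts for WS01 and none for the sanctioned helpdesk session or the shell launched after the window expired.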