Black Basta Ransomware Attacks Linked to FIN7 Threat Actor

The individuals behind the Black Basta ransomware have been linked to hacking operations conducted by the FIN7 threat actors.
According to a new advisory by SentinelLabs, Black Basta actors have used a custom defense impairment tool (found exclusively in incidents by this specific threat actor) in several instances.
“Our investigation led us to a further custom tool […] an executable packed with UPX [Ultimate Packer for Executables],” SentinelLabs wrote.
“The unpacked sample is a binary compiled with Visual Basic. The main functionality is to show a fake Windows Security GUI and tray icon with ‘healthy’ system status, even if Windows Defender and other system functionalities are disabled.”
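Because the tool described above fakes the Windows Security window and tray icon, a defender should verify protection state through sources the GUI does not control. The following PowerShell script is an added example, not code from SentinelLabs or from the advisory: it queries the Defender module (Get-MpComputerStatus) and the Service Control Manager directly, and flags any disabled component or stale signatures. It assumes Windows 10/11 with the built-in Defender PowerShell module, an elevated prompt, and a 7-day signature-age threshold that is this example's own choice.

```powershell
# Added example (not from the SentinelLabs advisory): query Defender state through
# the Defender PowerShell module and the Service Control Manager rather than
# trusting the tray icon or Windows Security window, which the impairment tool fakes.

$failed = @()

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    # If the module or engine cannot even be queried, treat that as a failure
    # rather than silently reporting nothing.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    exit 1
}

# Each of these should be $true on a machine where Defender is actually running.
$checks = [ordered]@{
    'Antivirus engine enabled'   = $status.AntivirusEnabled
    'Antispyware enabled'        = $status.AntispywareEnabled
    'Real-time protection'       = $status.RealTimeProtectionEnabled
    'Behavior monitoring'        = $status.BehaviorMonitorEnabled
    'IOAV (download scanning)'   = $status.IoavProtectionEnabled
    'Tamper protection'          = $status.IsTamperProtected
}

# Ask the Service Control Manager about the WinDefend service independently of
# what the module reports.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$checks['WinDefend service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-30} {1}' -f $name, $(if ($ok) { 'OK' } else { 'DISABLED' })
    if (-not $ok) { $failed += $name }
}

# Stale signatures are another sign that updates have been cut off.
# The 7-day threshold is this example's assumption, not a Microsoft default.
$age = $status.AntivirusSignatureAge
'{0,-30} {1} day(s)' -f 'Signature age', $age
if ($age -gt 7) { $failed += "Signatures are $age days old" }

if ($failed.Count -gt 0) {
    Write-Warning ('Defender state is NOT healthy: ' + ($failed -join '; '))
    exit 1
}
'All Defender checks passed.'
```

Run it from an elevated PowerShell prompt, or schedule it through endpoint management so the result is collected centrally; a non-zero exit code from a host whose tray icon still shows a healthy shield is exactly the discrepancy this kind of tool is designed to hide.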
The security researchers added that analysis of the tool led the team to additional samples, one of which included an unknown packer that, once unpacked, was identified as BIRDDOG (aka SocksBot), a backdoor used in multiple operations by FIN7 threat actors.
“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” SentinelLabs explained.
The cybersecurity company has also established other ties between the two hacking groups.
“Initially, FIN7 used POS (Point of Sale) malware to conduct financial fraud. However, since 2020 they have switched to ransomware operations, affiliating with REvil and Conti and also conducting their own operations.”
According to SentinelLabs, the threat actor or an affiliate began writing tools from scratch to disassociate their new operations from the old.
“FIN7 (or Carbanak) is often credited with innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the schemes of their peers,” the advisory reads.
“As we clarify the hand behind the elusive Black Basta ransomware operation, we aren’t surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways.”
The SentinelLabs advisory comes weeks after a report from Ivanti suggested that ransomware, including Black Basta, has grown by 466% since 2019 and is being used increasingly as a precursor to physical war.