On Friday May 19, 2023, the German arms producer Rheinmetall acknowledged a cyber-incident at one of it’s subsidiaries in the private sector. The BlackBasta ransomware group has already claimed responsibility for the attack through its leak-site.
Rheinmetall’s main activities are in the automobile industry and weapons manufacturing, and it descibes itself as one of the world’s largest manufacturers of military vehicles and ammunition.
The company said the attack did not affect production in the arms division, but German media is reporting that the attack was not limited to one subsidiary.
A spokesman for the Central and Contact Point Cybercrime (ZAC NRW) at the Cologne public prosecutor's office confirmed corresponding knowledge of an incident in the early evening. They were unable to provide information about the severity of the attack given that the investigation was still ongoing.
Although BlackBasta is believed to be largely based in a Russian-speaking country, the attack is not likely to have been directed at the arms industry as such, despite the the ongoing conflict between Russia and Ukraine. BlackBasta’s main objective is to find financially attractive targets. And as we noted in our report on ransomware in Germany, in the last year Black Basta has had a liking for targets in Germany, and conducts attacks there far more frequenty than in the UK or France.
Only LockBit—the preeminent global ransomware threat—has more known attacks in Germany in the last year.
BlackBasta is not very different from other ransomware groups in the way it operates. Similar to others, the gang's attacks frequently begin with initial access gained through phishing attacks. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access, and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, CobaltStrike is installed for network reconnaissance and to distribute additional tools.
As is the overarching trend for ransomware groups these days, Black Basta's primary goal is to steal data so that it can hold the threat of leaked it over its victims. The data is generally stolen using the command line program Rclone, which filters and copies specific files to a cloud service. After the data is copied, the ransomware encrypts files and gives them the ".basta" extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. Attackers using Black Basta may be active on a victim's network for two to three days before running their ransomware.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.