"Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure"

Security researchers at eSentire's Threat Response Unit (TRU) have found that between the end of February and mid-July 2022, 81 victim organizations were listed on the BlackByte and Black Basta data leak sites. Of those, 41% were based in Europe, and many are part of critical infrastructure sectors, including energy, government, transportation, pharmaceuticals, facilities, food, and education. The researchers noted that the remaining 59% were primarily located in the US and included a manufacturer of agricultural machinery, a small regional grocery chain, and several construction firms. The researchers stated that what stands out is that the US companies attacked by these two ransomware gangs during this time frame are, for the most part, not part of critical infrastructure sectors. The European-based victim organizations, however, are definitely in critical infrastructure segments, including transportation, energy, government facilities, pharmaceuticals, food, and education. The researchers stated that the Conti ransomware group appeared to shut down in May 2022, but it did not actually shut down and instead moved its operation into other ransomware brands, including Black Basta and BlackByte. The researchers stated that the Conti ransomware group, which is known to have Russian-state affiliations, originally tended to target critical infrastructure in western, NATO-aligned countries, especially the US. However, the researchers added that in the summer of 2021, US President Joe Biden began applying pressure on Russian President Vladimir Putin, threatening sanctions and retaliation. The researchers noted that, to avoid losing ransom payments to sanctions and to avoid being targeted by international law enforcement, Russian-based ransomware groups, especially Conti affiliates Black Basta and BlackByte, began rotating away from US targets towards other NATO-affiliated countries in Europe.

 

Infosecurity reports: "Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure"
