On November 3, 2022, Sentinel Labs researchers published a report linking the Black Basta Ransomware group to FIN7 (also known as Carbanak) based on shared tactics, techniques, and procedures (TTPs) between Black Basta tools and FIN7 tools.
Key findings for the report include:
- SentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques.
- SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7.
- Black Basta maintains and deploys custom tools, including EDR evasion tools.
- SentinelLabs assesses it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7.
- Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation.
It is not uncommon for developers to work on a freelance basis for more than one threat group, or to reuse tools developed for one group or another. It is also not uncommon for threat actors with aligning goals and compatible infrastructure to collaborate or share infrastructure in specific circumstances. At this time, it is not clear how extensive or permanent the ties between Black Basta and FIN7 are from the available reporting.
According to Sentinel Labs researchers, evidence for linkage between the groups includes:
- Researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022
- Further evidence linking the two includes IP addresses and specific TTPs used by FIN7 in early 2022 and seen months later in actual Black Basta attacks, including the SocksBot Backdoor and shared command and control (C2) infrastructure
- Both groups were also observed experimenting with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks in 2022