Black Basta, double extortion and RaaS: How ransomware threats are evolving | Thomas Murray Skip to main content

About the author

Roland Thomas

Associate Director | Corporate Development

Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.

Black Basta

Ransomware gangs are becoming more aggressive and more innovative than ever before, and the financial services industry – where companies with strong balance sheets are determined to protect their reputations for asset safety and security – is a particular target.

Since 2020, those in financial services have been especially hard hit by cyber criminals who have evolved increasingly sophisticated and effective means for breaching the most robust defences. These include Ransomware as a Service (RaaS) and so-called ‘double extortion’ techniques.

According to the Anti-Phishing Working Group, the financial services industry experienced a 35% increase in ransomware attacks in the first quarter of 2022 alone. It was also subject to almost 25% of all phishing attacks.

The real problem for the financial sector is not the increasing frequency of these incidents, however. Rather, it’s the nature of the attacks themselves, which tend to be particularly complex in an effort to overcome the rigorous security used by most financial organisations. These groups are organised, experienced, creative, and often politically motivated (and funded).

Ransomware as a Service and double extortion

Just as many businesses outsource technology requirements to Software as a Service (SaaS) providers and managed service providers (MSPs), so threat actors are using third-party suppliers of ransomware capabilities to launch more targeted and effective assaults on their victims.

Known as Ransomware as a Service (RaaS), it mirrors the way most legitimate organisations structure their own supplier relationships. Black Basta is one of the most prolific RaaS groups.

RaaS means that criminals no longer need to have the skills required to launch a cyberattack – they can simply pay another group to create the software that will do it for them.

Black Basta is extremely good at what it does. It managed to hit at least 75 organisations on behalf of its ‘affiliates’ (as its clients are known) over the course of a few months in 2022. Although it is known for being a RaaS organisation, the gang also uses ‘double extortion.’ This means that if its victims refuse to pay a ransom, it simply exfiltrates sensitive data and releases it for sale on a cybercrime marketplace.

Black Basta is prolific and hugely effective, yet analysts can find no evidence that it recruits on the Dark Web. This has led to speculation that Black Basta may in fact be a rebrand of the Russian group Conti.

Conti pledged loyalty to the Kremlin at the start of Russia’s war in Ukraine, and US law enforcement has evidence that members of Black Basta have been urging a specific targeting of organisations in English-speaking countries allied with the US.

Managing cyber risk – what can you do?

It’s not only the financial sector that will be vulnerable to RaaS and double extortion. Healthcare providers, universities, local and national government agencies, to name just a few – all have the same vulnerabilities and treasure troves of sensitive data that make them irresistible targets.

Anticipate – Third-party due diligence is essential. Third-party risk is on the rise and threat actors will exploit vulnerabilities in secure companies’ supply chains to find ‘back doors’ into their systems. You need to map out your companies’ critical service providers and other third parties, and develop a classic risk matrix which begins by prioritising ‘high impact, high likelihood’ events.

Educate – Human fallibility is often at the heart of a successful IT breach. A lot of people tune out during IT security training: Keep your people up-to-date on the latest threats and ensure that training materials are regularly refreshed.

Your board and senior leadership team should also be thoroughly briefed on your cyber breach response plans. This will minimise the chances of rash decisions being acted on in the heat of the moment.

Communicate – Collaboration between IT security teams in different jurisdictions is crucial to ensuring everyone is on the same page. Michigan State University, for example, paid US$1m to a ransomware gang that discovered its physics department had not properly patched its VPN.

Evaluate – Continuous monitoring of your attack surfaces and threat environment is vital. Do you know exactly how many servers there are through which your defences could be breached? You may be surprised by how often the number changes.

Automate – It isn’t possible for such continuous monitoring to be a manual job. Harness the power of a third-party expert to provide you with an automated system that gives you an overview of your ever-changing attack surface.


With Orbit Security, you can:

  • Discover your attack surface using Orbit Security’s proprietary Network Footprint Discovery ML algorithm. From a single parent domain, we will discover all your interconnected infrastructure to a high degree of accuracy, regardless of who manages it.
  • Analyse the threat intelligence assessments provided for every domain and sub-domain in your infrastructure, or view your risk exposure aggregated by the six threat categories in our methodology: Breach, Configuration, Mail, DNS, HTTP, SSL/TLS.
  • Mitigate risks according to clear priorities set out in Orbit Security’s assessments, improve your security posture, monitor your third parties and report with confidence to your board.

Reporting is essential to any IT security team, and speaking senior management’s language is crucial. We help by providing off-the-shelf reports:

Management reporting

Our cyber security ratings present complex information in a way that’s easy for both stakeholders outside your team and senior management to understand, allowing you to communicate clearly and effectively what your security pain points are and what resources you need to address them.

Vendor risk reporting

You will be instantly notified if one of your third parties has its security rating downgraded. Thomas Murray will engage with them at your request to provide free and full access to their own threat intelligence assessment, improving the security of your entire ecosystem.

Orbit Security

Orbit Security

Security ratings for enhanced attack surface management and third party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.

Learn more

Contact an expert

Robert Smith

Robert Smith

Head of SaaS Sales and Customer Success 

 
Roland Thomas

Roland Thomas

Associate Director | Cyber Risk