The Black Basta ransomware gang hit multinational company ABB

Swiss electrification and automation technology giant ABB suffered a Black Basta ransomware attack that impacted its business operations.

Swiss multinational company ABB, a leading electrification and automation technology provider, it the last victim of the notorious Black Basta ransomware group.

The company has more than 105,000 employees and has $29.4 billion in revenue for 2022. 

The attack took place on May 7, 2023, and reportedly impacted the business operations of the company.

The news of the attack was reported by BleepingComputer, which is aware that the attack impacted the company’s Windows Active Directory, with hundreds of devices that were infected.

BleepingComputer states that some of the projects were delayed and the attack impacted some of the company factories.

Once discovered the security breach, ABB closed VPN connections with its customers to prevent the threat from spreading.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In two weeks, the experts observed attacks against more than 10 different US-based customers

The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

In April 2023, the ransomware group hit the UK outsourcing giant Capita.

Capita is one of the government’s biggest suppliers, with £6.5bn of public sector contracts, reported The Guardian. The outsourcing firm signed numerous contracts with the Ministry of Defence.

In an update shared on April 3 about the incident, the company announced it has experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications. 

The attack disrupted some services provided to individual clients, but the company pointed out that the majority of its client services were not impacted.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ABB)