BT shuts servers following ransomware attack
But Black Basta still claims it stole 500GB of data
BT Group has been subjected to a ransomware attack by the Black Basta group, which specialises in ransomware and ransomware-as-a-service (RaaS).
BT says the attack was identified quickly and contained, with the targeted servers taken offline to stop it from spreading.
A spokesperson for the company told BleepingComputer that no services or back-office functions were compromised. The attackers, however, claim they were able to make off with 500GB of data.
“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” BT said in a statement.
Conferencing services were not affected, the company said, adding: “No other BT Group or customer services have been affected.”
However, Black Basta claims that a trove of sensitive data, including financial information and personal documents, was among the 500GB it purloined. The group released document screenshots and folder listings to back up its claim.
“We're continuing to actively investigate all aspects of this incident, and we're working with the relevant regulatory and law enforcement bodies as part of our response,” the BT Group statement concluded.
According to BlackBerry, Black Basta was one of the main groups to have emerged out of the Conti threat group, “due to similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery.”
It has also been linked to FIN7/Carbanak, a gang that targeted banks and other financial institutions in the late 2010s, “through similarities in their custom Endpoint Detection and Response (EDR) evasion modules and overlapping use of IP addresses for command and control (C2) operations.”
Black Basta was first identified in 2022 shortly after the Conti cybercrime gang shattered into a number of different groups. It immediately became one of the most active RaaS threat actors in the world, racking up more than 100 confirmed victims – including 19 prominent enterprise-scale firms – in the first few months of operation.
Black Basta targets organisations in the USA, Japan, Canada, the UK, Australia and New Zealand in highly targeted attacks. The group uses a double extortion tactic: it encrypts victims’ critical data and servers, and also threatens to publish stolen sensitive data on its public leak site unless the ransom is paid.
Known victims of the cybercrime gang include hospitals and other healthcare organisations, as well as Capita, ABB and Southern Water.
While members of predecessor and linked organisations arrested in the past have been Ukrainian nationals, the evidence indicates that Black Basta operates out of Russia, with ties to Russian cybercrime networks.