Strengthening Ransomware Defenses with Elisity: A Case Study on Black Basta

Ransomware attacks pose a significant threat to organizations worldwide, with the potential to disrupt operations, compromise sensitive data, and incur substantial financial losses. Back in February of 2024, UnitedHealth Group resorted to paying $22,000,000 to ransomware attackers "which did little to help the company recover from the attack or prevent the hackers from stealing and potentially leaking patient information." Recently, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that "the Black Basta gang is targeting US critical infrastructure, including the healthcare sector." As threat actors like Black Basta continue to develop and sophisticate their attack methods, the risk of a cyber breach looms ever greater.

In this blog, we'll explore how Elisity can help organizations defend against Black Basta and similar ransomware threats, highlighting key features and strategies for enhancing cybersecurity resilience.

Black Basta Ransomware:

A Growing Concern

The Black Basta ransomware attack was a significant and sophisticated cyberattack that targeted multiple organizations, particularly those in critical infrastructure and high-value sectors. This ransomware strain, first identified in early 2022, employed a double extortion tactic where attackers not only encrypted the victim's data but also exfiltrated sensitive information. The attack began with a phishing email containing malicious attachments or links, aligning with the MITRE ATT&CK framework of "Initial Access" (T1566). When executed, these attachments allowed attackers to gain a foothold in the network. Once inside, the attackers utilized "Privilege Escalation" (T1078) and "Lateral Movement" (T1078) techniques to move through the network, identifying critical systems and data. Techniques such as "Credential Dumping" (T1003) were used to gather additional access credentials, and "Data Encrypted for Impact" (T1486) was employed to encrypt critical data.

The fallout from a Black Basta attack was severe. Organizations faced operational disruptions due to the encryption of critical data and the potential public exposure of sensitive information. This dual threat increased pressure on victims to pay the ransom to avoid both immediate operational impacts and long-term reputational damage. The exfiltration of data aligned with the MITRE ATT&CK tactic "Exfiltration Over Alternative Protocol" (T1048). In several cases, affected companies experienced significant downtime, financial losses, and damage to their brand and customer trust. The incident highlighted the necessity for robust cybersecurity measures, including advanced threat detection to identify tactics like "Command and Control" (T1071), rapid incident response, and comprehensive backup and recovery strategies to mitigate the impact of such ransomware attacks.

Mapping Black Basta back to the MITRE ATT&CK Framework:

The MITRE ATT&CK Framework is a comprehensive and widely adopted model for understanding and categorizing the tactics, techniques, and procedures (TTPs) used by cyber adversaries. Developed by the MITRE Corporation, the framework provides a detailed matrix that maps out the various stages of an attack lifecycle, from initial access to exfiltration and impact. Each stage, known as a tactic, encompasses specific techniques that adversaries employ to achieve their goals. For instance, the "Initial Access" tactic includes techniques such as phishing and exploiting vulnerabilities. The framework aids cybersecurity professionals in detecting, analyzing, and responding to cyber threats by offering a common language and structure to describe attacks.

Here's a detailed mapping of how the Black Basta ransomware attack corresponds to various tactics and techniques in the MITRE ATT&CK Framework:

Initial Access (T1566.001): Black Basta often begins with spear phishing emails that contain malicious attachments or links. When victims open these attachments or click on the links, the malware is downloaded and executed, providing the attackers with an initial foothold in the network.

Execution (T1059.001): After gaining access, Black Basta operators may use PowerShell scripts to execute commands and payloads. PowerShell is a powerful scripting language that allows attackers to automate tasks, making it easier to deploy ransomware and other malicious activities.

Privilege Escalation (T1078): Black Basta attackers often steal valid user credentials to escalate their privileges. By obtaining higher-level access, they can move more freely within the network and access critical systems.

Defense Evasion (T1562.001): To evade detection, Black Basta may disable security tools, such as antivirus and endpoint detection and response (EDR) software. This can involve tampering with settings or stopping security-related processes.

Discovery (T1083): Black Basta operators perform reconnaissance within the network to identify files, directories, and shares that contain valuable data. This step is crucial for selecting the most impactful targets for encryption.

Lateral Movement (T1078): Using the stolen/compromised credentials, attackers move laterally across the network, accessing additional systems and expanding their reach. This helps them identify and compromise more critical assets.

Impact (T1486): The primary objective of Black Basta is to encrypt data on the compromised systems, rendering it inaccessible to the victims. This is followed by a ransom demand in exchange for the decryption key.

By understanding how Black Basta maps to the MITRE ATT&CK Framework, organizations can better prepare for, and defend against, such attacks by implementing appropriate detection and mitigation strategies at each stage of the attack lifecycle.

Enhancing Ransomware Defenses with Elisity

Whether defending against specific attacks, such as Black Basta, or combating entire frameworks, such as MITRE ATT&CK, it can be challenging for cybersecurity and network teams to effectively protect their organizations' critical assets. Properly deployed network segmentation can be a powerful defense strategy in these scenarios. By dividing the network into smaller, isolated segments, organizations can limit the spread of malware and contain breaches more effectively. This approach minimizes the lateral movement of attackers, making it difficult for them to discover or access critical systems and data. Network segmentation also enables more granular control and monitoring of traffic between segments, allowing for quicker detection and response to malicious activities. By implementing identity-based policies that dynamically adjust to the context of users, and devices, organizations can enhance their security posture, reduce the attack surface, and better defend against sophisticated threats mapped to the MITRE ATT&CK framework.

Leveraging advanced technology to provide robust identity-based microsegmentation, Elisity enhances network security by dynamically profiling and controlling access for users, devices, and applications.  

Elisity's IdentityGraph ensures that only authenticated and authorized users and devices can access network resources, significantly reducing the risk of initial access through phishing or exploit kits. By segmenting the network based on dynamic identity attributes rather than static constructs, Elisity decreases the attack surface and limits lateral movement, making it substantially harder for threats like Black Basta to propagate. This identity-based microsegmentation tailors access control policies to individual user and device identities, enhancing overall network security.

Elisity seamlessly leverages existing network hardware offering enhanced visibility and control to detect, analyze, and respond to threats mapped to the MITRE ATT&CK framework. This proactive approach ensures that organizations can swiftly mitigate risks and protect their critical assets from sophisticated ransomware attacks.

Here is how Elisity can help organizations defend and respond to such attacks.

Initial Access (T1566.001): Elisity can prevent initial footholds in the network via microsegmentation, ensuring systems only communicate with authorized endpoints and not the internet or other unauthorized resources. This significantly reduces the attack surface and decreases the likelihood of cyberattacks exploiting system vulnerabilities. If an initial foothold is established through methods like spear phishing or malware executables, the blast radius is significantly reduced. Elisity's approach effectively eliminates malware propagation through lateral movement, isolating the threat and containing potential damage. Additionally, integrations with EDRs and other endpoint security solutions enable Elisity to isolate and quarantine compromised assets, further enhancing the security posture and mitigating risks.

Execution (T1059.001): By leveraging its IdentityGraph, Elisity dynamically profiles and enforces precise, context-aware policies that strictly control which users and devices can access specific network segments. When a script attempts to scan network resources, Elisity’s segmentation policies limit its ability to interact with other devices and systems, confining its actions to only those segments it is explicitly authorized to access. This containment ensures that even if a malicious script is executed, it cannot propagate or gather information beyond its designated boundaries.

Privilege Escalation (T1078): Elisity’s segmentation policies are firmly rooted on device identity. This approach ensures that even if user credentials are compromised or escalated, the device itself remains bound by stringent access policies. By leveraging the IdentityGraph, these identity-based policies dictate the specific network segments and resources each device can access, independent of the user's privileges. As a result, even if an attacker gains elevated user credentials, they cannot bypass the predefined access limitations of the device.

Defense Evasion (T1562.001): To evade detection, Black Basta may disable security tools, such as antivirus and endpoint detection and response (EDR) software. Elisity fortifies the network without installing any agents or software that could be disabled by malware attacks. Instead, it utilizes the built-in capabilities of network switches to create a robust security framework that is inherently resistant to tampering. This approach ensures that the enforcement of security policies remains intact even in the face of sophisticated attacks like Black Basta. Furthermore, if EDRs or other endpoint security systems are disabled on a device, this device would fall out of compliance and be isolated to an unauthorized policy group.

Discovery (T1083): Elisity leverages its IdentityGraph to restrict lateral movement and enforce least privilege access based on device identity, significantly limiting an attacker’s ability to perform reconnaissance and network scans. By segmenting the network according to these identities, Elisity ensures that each device can only access the resources it is explicitly authorized to interact with. This stringent control prevents attackers from moving laterally across the network, thereby thwarting their efforts to identify other vulnerable hosts and their files, directories, and other potentially vulnerable resources.

Lateral Movement (T1078): Elisity prevents lateral movement through its robust identity-based microsegmentation, which tightly controls network access based on device identity. By leveraging the IdentityGraph, Elisity continuously profiles and monitors each device, applying dynamic and granular security policies that restrict communications to only those that are explicitly authorized. This results in devices and users being isolated within their defined segments, and any attempt to access unauthorized resources is blocked in real-time.

Exfiltration (T1048 - Exfiltration Over Alternative Protocol): By leveraging the IdentityGraph, Elisity continuously profiles and monitors network entities, dynamically applying policies that restrict outbound traffic to only approved destinations, ports, and protocols, blocking unauthorized attempts to transfer data outside the network. This segmentation ensures that sensitive data remains within designated network segments and can only be accessed by authorized entities with a legitimate need.

Impact (T1486): Network segmentation through Elisity’s Identity Graph can significantly limit the impact of Black Basta and other attacks outlined in the MITRE ATT&CK framework by providing a flexible and dynamic way to segment an organization's network. The Identity Graph continuously profiles and categorizes all users, devices, and applications based on their identity attributes. This allows for the creation of precise, context-aware policies that define how these entities can interact within the network. By segmenting the network into secure, isolated segments, Elisity ensures that even if an attacker breaches one part of the network, their ability to move laterally and access other critical areas is severely restricted.

Elisity’s identity-based microsegmentation, enhanced through IdentityGraph, offers a proactive defense mechanism against sophisticated ransomware attacks like Black Basta. By dynamically profiling and controlling access based on the identity of users, devices, and applications, Elisity effectively restricts lateral movement, minimizes the attack surface, and prevents unauthorized data exfiltration. This comprehensive approach ensures that even if an attacker breaches part of the network, their ability to propagate and cause further damage is significantly limited. With Elisity, organizations can enhance their security posture, protect critical assets, and maintain the integrity of their network, ultimately ensuring business continuity and resilience against future threats.