The notorious BlackBasta ransomware group has claimed responsibility for a significant data breach targeting the Grimaldi Alliance, an Italian global shipping and logistics powerhouse. The attackers allege they have successfully exfiltrated a staggering 1.5 terabytes of sensitive corporate and personal data.
According to BlackBasta, the compromised information includes:
- Corporate data encompassing internal financial records, accounting details, and confidential business documents.
- Payroll and HR data revealing sensitive information about the company’s workforce.
- Personal data and documents belonging to employees and clients.
- Confidential documents and nondisclosure agreements (NDAs) that could threaten the company’s commercial relationships.
If true, the breadth and depth of this breach could have severe implications for Grimaldi Alliance’s operations, client trust, and legal standing, especially in light of the strict data protection requirements of the European Union’s General Data Protection Regulation (GDPR).
The ransomware group has issued a deadline of December 25, 2024, for Grimaldi Alliance to comply with their demands, though the specific terms of the ransom have not been disclosed publicly. Should the company refuse to cooperate, the group is likely to release the stolen data, amplifying the fallout.
Grimaldi Alliance has not yet issued a public statement confirming or denying the breach or detailing its response strategy.
BlackBasta is relatively new in the malicious business of ransomware attacks. The group was first discovered in April 2022 and is known to target organisations across sectors and countries.
According to researchers, more than 500 organisations have been victims of the BlackBasta ransomware group.
The ransomware threat actor uses a mix of legitimate and malware tools, such as Mimikatz, BITSAdmin, Cobalt Strike, PowerShell, Netcat, WinSCP, EvilProxy, SystemBC, and Qakbot, among others.
Recently, reports emerged that the BlackBasta group refined its social engineering tactics. The group masquerades as IT support staff and uses credible display names like ‘Help Desk’ or ‘Technical Support.’ Afterwards, they trick users into downloading and executing remote management tools like AnyDesk or QuickAssist.
Interestingly, the group has also begun using QR codes to circumvent multi-factor authentication (MFA).
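The help-desk impersonation described above leaves a recognisable trail for defenders: a message from a sender whose display name reads ‘Help Desk’ or ‘Technical Support’ but whose address is outside the organisation, followed shortly by the same user launching a remote-management tool such as AnyDesk or Quick Assist. The script below is an added example written for this article, not code from the article or from any vendor; it correlates those two signals over constructed, Sysmon-style sample events. The internal domain, the event fields, the 30-minute window, and the sample users and timestamps are assumptions chosen for illustration.

```python
"""Correlate help-desk-themed lure messages with remote-management tool launches.

Added example for this article (not from the original page). All event data
below is constructed; the field layout loosely mirrors Sysmon Event ID 1
process-creation records plus a mail/chat-gateway log. Adjust RMM_BINARIES,
LURE_NAMES and INTERNAL_DOMAIN to your environment (all are assumptions).
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Remote-management binaries named in the article (file names are assumptions).
RMM_BINARIES = {"anydesk.exe", "quickassist.exe"}
# Display names the article says the actor uses, normalised to lower case.
LURE_NAMES = {"help desk", "helpdesk", "technical support", "it support"}
# How long after a lure message an RMM launch is still treated as related (assumption).
CORRELATION_WINDOW = timedelta(minutes=30)
INTERNAL_DOMAIN = "example.com"  # placeholder for the organisation's own mail domain


@dataclass(frozen=True)
class MessageEvent:
    ts: datetime
    recipient: str       # internal username the message was delivered to
    sender_display: str  # display name shown to the user
    sender_address: str  # actual sender address


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str  # full path of the created process


def is_rmm_launch(ev: ProcessEvent) -> bool:
    """True when the created process is one of the remote-management tools."""
    return ntpath.basename(ev.image).lower() in RMM_BINARIES


def is_lure_message(msg: MessageEvent, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """A support-themed display name from a sender outside the internal domain."""
    name_match = msg.sender_display.strip().lower() in LURE_NAMES
    external = not msg.sender_address.lower().endswith("@" + internal_domain.lower())
    return name_match and external


def correlate(messages: List[MessageEvent], processes: List[ProcessEvent]) -> List[Dict]:
    """Return one alert per RMM launch, rated high when preceded by a lure message."""
    alerts = []
    for proc in sorted(processes, key=lambda p: p.ts):
        if not is_rmm_launch(proc):
            continue
        # Lure messages to the same user delivered within the window before the launch.
        prior = [
            m for m in messages
            if m.recipient == proc.user
            and is_lure_message(m)
            and timedelta(0) <= proc.ts - m.ts <= CORRELATION_WINDOW
        ]
        alerts.append({
            "user": proc.user,
            "host": proc.host,
            "image": proc.image,
            "severity": "high" if prior else "medium",
            "lure_senders": [m.sender_address for m in prior],
        })
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_MESSAGES = [
    MessageEvent(datetime(2024, 12, 10, 10, 0), "alice", "Help Desk", "support@lure-example.net"),
    MessageEvent(datetime(2024, 12, 10, 10, 5), "bob", "Help Desk", "it@example.com"),  # genuine internal
]
SAMPLE_PROCESSES = [
    ProcessEvent(datetime(2024, 12, 10, 10, 12), "WS-ALICE", "alice", r"C:\Users\alice\Downloads\AnyDesk.exe"),
    ProcessEvent(datetime(2024, 12, 10, 10, 20), "WS-BOB", "bob", r"C:\Program Files\WindowsApps\QuickAssist.exe"),
    ProcessEvent(datetime(2024, 12, 10, 10, 21), "WS-CAROL", "carol", r"C:\Windows\System32\notepad.exe"),
]


def run_demo() -> List[Dict]:
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_MESSAGES, SAMPLE_PROCESSES)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Alice’s launch is rated high because an external sender calling itself ‘Help Desk’ reached her twelve minutes earlier; Bob’s Quick Assist launch is only medium because his message came from the internal domain, and Carol’s Notepad launch produces nothing. The medium tier exists because an unsanctioned remote-management tool appearing on a workstation is worth a ticket on its own, even without a matching lure.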