The Black Basta ransomware group has targeted Southern Water, a major UK water utility, claiming to have hacked the company and stolen sensitive data. Southern Water, responsible for wastewater management and public water supply in several regions, including Hampshire and Kent, is a significant player in the UK water industry with over 6,000 employees and an annual turnover exceeding £1 billion. The ransomware group, known for its double-extortion tactics, added Southern Water to its list of victims on its Tor data leak site, threatening to leak 750 gigabytes of stolen data, including personal and corporate documents, on February 29, 2024. The attackers published screenshots as proof, displaying passports, ID cards, and personal information of some employees.
The Black Basta ransomware gang has been active since April 2022, employing a double-extortion attack model to extract ransom payments. In early January, security researchers discovered a vulnerability in the ransomware’s encryption algorithm, leading to the creation of a free decryptor. A joint research effort by Elliptic and Corvus Insurance revealed that Black Basta accumulated at least $107 million in Bitcoin ransom payments since early 2022. The group has infected over 329 victims, including well-known entities such as ABB, Capita, Dish Network, and Rheinmetall. The researchers found a clear link between Black Basta and the Conti Group, and the ransomware gang laundered funds through the Russian crypto exchange Garantex.
SRLabs, a security research and consulting team, analyzed the encryption algorithm used by Black Basta and identified a weakness in its variant around April 2023. The ransomware uses encryption based on a ChaCha keystream, and the recovery of files depends on knowing the plaintext of 64 encrypted bytes in the right position. Files below 5,000 bytes cannot be recovered, while full recovery is possible for files between 5,000 bytes and 1GB in size. For larger files, the first 5,000 bytes may be lost, but the rest can be recovered with the right knowledge of plaintext. The group’s operations and financial transactions were scrutinized, revealing connections between Black Basta and the Conti gang and shedding light on their illicit activities.
