What was first announced as an IT issue has now been confirmed by Capita to be a cyberattack. The company claims that the threat actors only managed to access a small percentage of its server estate.
Capita Cyberattack
On March 31st, Capita announced that its services were affected by an outage, only to reveal three days later that it had suffered a cyberattack. The outage disrupted access to its Microsoft Office 365 applications.
The company's technical partners have already restored its employees' access to Microsoft Office 365. Capita claims that the incident was significantly restricted and that only around 4% of the company's server estate was affected.
Capita has since restored virtually all of the affected client services and has worked with specialist advisers and forensic experts to investigate the incident and, in the company's words, to "provide assurance around any potential customer, supplier or colleague data exfiltration."
Investigations showed that the intrusion began with unauthorized access on March 22nd, which the company interrupted on detecting it on March 31st, roughly nine days later. Despite that, the attackers still managed to exfiltrate customer, supplier, or employee data.
Speculation points to the Black Basta ransomware group, which listed Capita on its dark web leak portal. The threat actors threatened to sell the stolen data if the company did not pay a ransom.
Black Basta provided data samples to prove the authenticity of the threat, including personal bank details, physical addresses, passport scans, and other sensitive information, as reported by BleepingComputer.
The company neither confirmed nor denied that the content posted on the dark web was legitimate. However, the Black Basta post has since been taken down, which may indicate that Capita either paid the ransom or negotiated with the group, although a removed listing on its own is not proof of payment.
Black Basta Ransomware Gang
While some reports describe Black Basta as a ransomware-as-a-service (RaaS) group, the recent cyberattack on Capita suggests otherwise, and no advertisements for its services to affiliates have been found on underground forums.
Researchers state that the group typically uses double extortion, encrypting systems and threatening to leak the stolen data, with ransom demands that can reach millions of dollars. Black Basta mainly targets the manufacturing sector, which accounts for 19.8% of its victims.
Other sectors have also been targeted by the group, such as construction, which accounts for 17.2% of the attacks it has conducted. Finance comes third at 12.1%, followed by professional services at 11.2%.
The remaining 39.7% is spread across other industries, including fashion and healthcare. According to SOCradar, Black Basta's victims have also included the American Dental Association, Deutsche Windtechnik, and Knauf.
Black Basta has also been linked to FIN7, a financially motivated threat group that had been active for years before Black Basta emerged. Researchers examining Black Basta's toolkit found components developed by FIN7.
Researchers also reported overlaps between the two groups in IP addresses, attack techniques, and EDR evasion tooling. This could mean either that the two groups work closely together or that some members move between them.