Toronto Public Library Battles Ransomware Attack

In the realm of cybersecurity threats, the Toronto Public Library (TPL) faced a significant challenge. The library system, the largest in Canada, fell victim to a ransomware attack that caused a massive disruption in services. The attack was linked to the notorious Black Basta ransomware gang, leaving the library’s services in a state of chaos.

The Cybersecurity Incident

The ransomware attack took place overnight on October 27, causing outages that persisted for several days. The library’s major services were affected, with the main website, personal online accounts, digital collections and even public computers and printing services rendered inaccessible. However, phone services and WiFi remained functional, indicating a selective targeting of the library’s systems.

Despite the severity of the attack, the library assured users that no personal information had been compromised. The TPL immediately launched an investigation, in collaboration with law enforcement and third-party cybersecurity experts, to assess the extent of the damage and devise a solution.

The Attackers: Black Basta Ransomware Gang

The culprits behind the attack were identified as the Black Basta ransomware gang. Known for their targeted attacks on various organizations worldwide, Black Basta emerged as a major player in the ransomware game in April 2022. They have been linked with high-profile attacks in the US, Canada, Europe, Australia, New Zealand, and Japan.

The gang is believed to have originated from the now-defunct Conti ransomware crew, which was dissolved following a series of data breaches. Black Basta’s tactics involve a double-extortion strategy, wherein they encrypt the victim’s data and demand a ransom for its release. If the ransom isn’t paid, the gang threatens to leak the stolen data online, increasing the pressure on the victim to comply.

The evidence linking Black Basta to the ransomware attack on the Toronto Public Library came in the form of a ransom note. The note instructed the library to negotiate for the release of its data while warning against any attempts to tamper with the encrypted files, under threat of permanent data loss.

A Brief Overview of Black Basta Ransomware

Black Basta, a Ransomware-as-a-Service (RaaS) operation, first emerged in 2022. Its operations are highly efficient, with a dedicated team of developers running the show. The group primarily targets medium to large companies, delivering a sophisticated trojan through phishing campaigns. Unlike other ransomware families, Black Basta does not skip files based on their extensions: it encrypts all files rather than only the critical folders whose loss would render a system dysfunctional.

The Professionalism of Black Basta Ransomware

The professionalism of Black Basta ransomware is startling. The threat actors operate in a highly organized manner, with a structure resembling that of a corporate entity. Their operations include a TOR website with a victim login portal, a chatroom, and a board showcasing the names of companies whose data has been leaked. These factors contribute to the speculation that the group is state-sponsored.

The Attack Strategy of Black Basta Ransomware

Black Basta does not follow a scattergun approach. Instead, it carefully selects and targets companies. The attack begins with spear phishing emails sent to valid accounts. These emails contain malicious payloads, often disguised as Microsoft OneNote (.one) files. Opening these files often leads to an image claiming to be a password-protected Office 365 document, which, in reality, conceals a file that downloads further malware from a malicious URL.

Initial Access: The Qakbot Infection

The phishing emails sent by Black Basta contain the sophisticated trojan, Qakbot. Upon infection, the compromised hosts start beaconing out to hundreds of IP addresses using various ports. The malware then finds an active Command and Control (C2) server, and a second stage payload, likely the penetration testing framework “Brute Ratel,” is downloaded.

Persistence and Escalation of Privilege

Following the initial compromise, Black Basta begins lateral movement. The ransomware uses multiple methods and tools to navigate across domains. Once the local Domain Controller is compromised, the attacker gains a better understanding of the network layout and observes the presence of other domains. The threat actor also adds new administrative accounts to the environment for persistence.

Propagation of Black Basta Ransomware

Black Basta ransomware propagates throughout the organization using Server Message Block (SMB), spreading to almost every endpoint and server in two of the three domains. The malware transfers several files, including the Black Basta ransomware itself, Cobalt Strike beacon, and “.bat” files designed to disable antivirus and anti-malware software.

Exfiltration of Data

Upon identifying a file server, Black Basta establishes an FTP connection to an external site for data exfiltration. The ransomware uses RClone, a tool designed for transferring large volumes of data from one host to the cloud, to steal client data.

Encryption via Black Basta Ransomware

Black Basta encrypts files using the ChaCha20 algorithm, with the key and nonce being encrypted using a hard-coded RSA public key in the sample. The ransomware then appends a “.basta” extension to the encrypted files.
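A defender can turn the one reliable on-disk artefact described above, the appended “.basta” extension, into a detection. The following is an added example, not code from the article or any vendor; it runs over constructed file-server audit lines in an assumed format and flags any host that renames files to “.basta” in a burst, which is the footprint mass encryption leaves once it reaches a share.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real TPL data); assumed format:
# "<ISO timestamp> <host> <user> RENAME <old path> -> <new path>", sorted by time.
SAMPLE_EVENTS = [
    "2023-10-27T02:14:01 FS01 svc_app RENAME /share/q3.xlsx -> /share/q3.xlsx.basta",
    "2023-10-27T02:14:02 FS01 svc_app RENAME /share/q4.xlsx -> /share/q4.xlsx.basta",
    "2023-10-27T02:14:02 FS01 svc_app RENAME /share/plan.docx -> /share/plan.docx.basta",
    "2023-10-27T02:14:03 FS01 svc_app RENAME /share/notes.txt -> /share/notes.txt.basta",
    "2023-10-27T02:14:05 FS01 svc_app RENAME /share/budget.pdf -> /share/budget.pdf.basta",
    "2023-10-27T02:20:00 WS17 jdoe RENAME /home/jdoe/draft.docx -> /home/jdoe/final.docx",
    "2023-10-27T02:30:00 WS22 asmith RENAME /home/asmith/a.txt -> /home/asmith/a.txt.basta",
    "2023-10-27T03:30:00 WS22 asmith RENAME /home/asmith/b.txt -> /home/asmith/b.txt.basta",
]

def parse_event(line):
    """Return (timestamp, host, new_path) for a RENAME line, else None."""
    parts = line.split(" ", 4)
    if len(parts) != 5 or parts[3] != "RENAME" or " -> " not in parts[4]:
        return None
    _, new_path = parts[4].split(" -> ", 1)
    return datetime.fromisoformat(parts[0]), parts[1], new_path

def basta_rename_bursts(lines, window_seconds=60, threshold=5):
    """Return {host: peak_count} for every host that renamed at least `threshold`
    files to '.basta' within any `window_seconds` interval (sliding window per host).
    Hosts below the threshold are omitted, so an empty dict means no alert."""
    windows = defaultdict(deque)        # host -> timestamps of recent .basta renames
    peaks = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev[2].lower().endswith(".basta"):
            continue
        ts, host, _ = ev
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > window:     # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[host] = max(peaks.get(host, 0), len(q))
    return peaks

if __name__ == "__main__":
    for host, n in basta_rename_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {n} '.basta' renames within 60s")
```

The two isolated renames on WS22 an hour apart stay below the default threshold, which keeps a single stray file from paging the on-call engineer; the threshold and window are the knobs to tune against the share's normal rename rate.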

The Potential Impact on Data

While the TPL’s main servers containing sensitive data were reportedly not encrypted, this does not rule out the possibility that the attackers accessed or copied some internal data. Bitdefender, a global cybersecurity company, warned that a data leak wasn’t out of the question if the attackers were indeed extortionists, as is often the case with ransomware attacks.

In response to the ransomware attack, the TPL took swift action to mitigate potential damage. The library proactively shut down internal systems to prevent the malware from spreading. They also engaged third-party cybersecurity experts to assist with resolving the situation and restoring their systems to full functionality.

The Challenges of Ransomware Attacks

Ransomware attacks like the one on the TPL present significant challenges for organizations. First, there’s the issue of data encryption, which can disrupt operations and potentially lead to data loss. Then there’s the question of whether to pay the ransom, a decision that can have far-reaching implications.

Moreover, ransomware attacks pose a serious threat to cybersecurity, with potential implications for data privacy. If the attackers do manage to steal data during the attack, they can use it as leverage to pressure the victim into paying the ransom. This double-extortion strategy is a common tactic employed by ransomware gangs like Black Basta, and it underscores the importance of robust cybersecurity measures.

The ransomware attack on the Toronto Public Library serves as a stark reminder of the importance of cybersecurity. While it’s encouraging that the TPL had measures in place to mitigate potential impacts, the attack underscores the need for organizations to be prepared for such incidents.

In the face of such threats, it’s crucial for organizations to have a comprehensive cybersecurity strategy. This may include regular security audits, data backups, employee training, and the implementation of robust security measures to protect against ransomware and other cyber threats.